Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the controller (you) and Smile Rain (the processor). It governs the processing of personal data carried out by Smile Rain on the controller’s behalf in connection with the workspace at app.smile-rain.top. It is drafted in accordance with GDPR Article 28.
1. When this DPA applies
If you use Smile Rain solely as an individual to manage your own tasks and notes, your data handling is governed by the Privacy Policy and this DPA does not apply to you. This DPA applies only if you are an organization acting as a data controller whose use of Smile Rain involves processing personal data of your employees, contractors, customers, or other end users. In that case, GDPR Article 28 requires a written agreement formalizing how the processor (Smile Rain) handles that data.
2. Subject matter, nature, and duration
The processing covered by this DPA is the operation of the Smile Rain workspace — storage, retrieval, and display of the content the controller uploads — for the term of the controller’s subscription and any legally required retention period thereafter. The nature of the processing is automated processing of workspace content via cloud infrastructure. The purpose is to provide the productivity workspace described in the Terms of Service.
3. Categories of data and data subjects
Personal data processed under this DPA may include names, email addresses, profile photos, kanban-task content, note content, encrypted vault entries, and tag names. Data subjects are the controller’s employees, contractors, and end users who access the workspace. The controller is responsible for ensuring it has a lawful basis for uploading and processing this data.
4. Processor obligations (GDPR Art. 28(3))
Smile Rain, acting as processor, undertakes to:
- Process personal data only on documented instructions from the controller, including those set out in this DPA and the Terms of Service, and notify the controller immediately if an instruction would violate applicable law.
- Ensure that personnel authorized to process personal data are bound by confidentiality obligations and have access only to data necessary for their role.
- Implement the technical and organizational security measures described in §6, and assist the controller in meeting its own security obligations.
- Respect the conditions in §5 for engaging sub-processors and remain liable to the controller for any sub-processor that fails to meet equivalent obligations.
- Assist the controller in responding to data-subject requests (§8) and in fulfilling its obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation).
- Return or delete all personal data at the controller’s choice upon termination, as set out in §11.
- Make available to the controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28, and contribute to audits as set out in §10.
5. Sub-processors
The controller grants general authorization to engage sub-processors for hosting, authentication, analytics, and email delivery. The current list is published in the Privacy Policy §3. We will notify the controller at least 30 days before adding or replacing a sub-processor. If the controller objects, it may terminate the affected services on written notice within that 30-day period. We impose on each sub-processor obligations no less protective than those in this DPA.
6. Security measures
Taking into account the state of the art, implementation costs, and the nature and risks of the processing, Smile Rain maintains technical and organizational measures including: TLS encryption in transit; encryption at rest at the storage layer; role-based access controls limiting data access to authorized personnel; client-side encryption for vault entries (the controller holds the key); and an annual review of security posture.
7. International transfers
Where the transfer of personal data to a sub-processor located outside the EU/EEA is required, such transfers are carried out under the European Commission’s Standard Contractual Clauses — specifically Module 2 (Controller to Processor) as published in Commission Decision (EU) 2021/914 — supplemented by additional safeguards where a transfer impact assessment indicates they are needed. Copies of applicable SCCs are available on request.
8. Data subject requests
If a data subject contacts Smile Rain directly with a request to exercise their rights, we will promptly redirect them to the controller. We will provide reasonable technical and organizational assistance to help the controller respond to requests for access, rectification, erasure, restriction, portability, and objection within the timescales imposed by applicable law.
9. Personal data breaches
In the event of a personal-data breach affecting data processed under this DPA, Smile Rain will notify the controller without undue delay and in any event within 72 hours of becoming aware. The notification will include, to the extent available: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
10. Audits and inspections
The controller has the right to audit Smile Rain’s compliance with this DPA and GDPR Article 28. We will respond to reasonable written audit requests within 30 days with a summary of our security program and relevant certifications or third-party assessments. On-site audits require at least 30 days’ advance written notice, are subject to a signed confidentiality agreement, and may be conducted no more than once per year unless a verified breach has occurred.
11. Return or deletion of data
Within 90 days of termination of the controller’s subscription, Smile Rain will, at the controller’s written election, either return all personal data processed under this DPA in a commonly used machine-readable format or securely delete it, except where retention is required by EU or Member State law. We will confirm completion in writing.
12. Executing this DPA
To execute this DPA for your organization, email [email protected] with your legal entity name and the authorized signatory’s contact details. We will return a counter-signed copy within 10 business days. Until a signed copy is exchanged, your use of the workspace as a controller constitutes acceptance of the terms of this DPA as published.