Data Processing Agreement
Article 28 GDPR / UK GDPR data-processing terms. This page is legally binding when you use Smoov.
1. Processor and controller
Controller: you, the customer. You determine the purposes and means of processing your data.
Processor: Smoov. We process Customer Data only on documented instructions from the controller, as set out in our Terms of Service and this DPA.
2. Subject matter and duration
Subject matter: provision of the Smoov platform.
Duration: for as long as your account is active, plus the retention periods documented in our privacy policy.
3. Nature and purpose of processing
Storage, retrieval, analysis, and transmission of Customer Data for the purpose of providing sourcing intelligence, marketplace features, and account services.
4. Types of personal data
- Identifiers: email address, account ID, IP address.
- Commercial information: listing content, deals, message content.
- Operational metadata: tool usage events, page views, error logs.
5. Categories of data subjects
Your authorized users; counterparties on The Exchange marketplace with whom you transact.
6. International transfers
Cross-border data transfers rely on the EU SCCs (Commission Implementing Decision 2021/914) and the UK Addendum, incorporated here by reference. The SCC module is controller-to-processor.
7. Subprocessors
The current list of subprocessors is published at /security/subprocessors. We review this list annually and give advance notice of material additions through the subscription link on that page.
8. Signing
This DPA takes effect on use of the Smoov platform; no separate signing flow is required. A formal counter-signed copy will become available later.