Data Processing Agreement

Last updated: March 11, 2026

Version 1.0 — applies to all enterprise customer contracts entered on or after this date.

Important notice

This Data Processing Agreement ("DPA") is incorporated by reference into the SOSCO Terms of Service. If you represent an organisation that requires a signed DPA — for example because you process personal data of your employees or customers through SOSCO — please contact us at legal@sosco.io to request a countersigned copy.

1. Introduction

This Data Processing Agreement ("DPA") is entered into between the customer entity that has agreed to the SOSCO Terms of Service ("Customer" or "Controller") and Sosco Lda, registered in Portugal ("SOSCO" or "Processor").

This DPA forms part of the agreement between the parties and governs the processing of personal data by SOSCO on behalf of the Customer in connection with the SOSCO services. It is intended to comply with Article 28 of the GDPR (Regulation (EU) 2016/679).

2. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
  • "Processing" — any operation performed on personal data, as defined in GDPR Art. 4(2).
  • "Controller" — the Customer, who determines the purposes and means of processing.
  • "Processor" — SOSCO, who processes personal data on behalf of the Controller.
  • "Sub-processor" — a third party engaged by SOSCO to assist in processing personal data.
  • "Data Subject" — the individual to whom the personal data relates.
  • "Supervisory Authority" — the Comissão Nacional de Proteção de Dados (CNPD, Portugal) or any other competent EU data protection authority.

3. Scope & Roles

SOSCO processes personal data solely to provide the services described in the Terms of Service and only on documented instructions from the Customer. The categories of personal data processed may include:

  • User identity data (name, email address, job title)
  • Company and organisation data provided by the Customer
  • Supplier contact information uploaded or collected through SOSCO
  • Usage data and activity logs generated through use of the platform

The Customer is the Controller and retains full responsibility for ensuring a lawful basis for processing exists under GDPR Art. 6 before uploading personal data to SOSCO.

4. Processor Obligations

SOSCO agrees to:

  • Process personal data only on the documented instructions of the Customer.
  • Ensure that persons authorised to process the data are committed to confidentiality.
  • Implement appropriate technical and organisational security measures (see Section 6).
  • Assist the Customer in responding to data subject rights requests (see Section 7).
  • Delete or return all personal data at the end of the service relationship (see Section 9).
  • Make available all information necessary to demonstrate compliance with this DPA.
  • Not engage a sub-processor without the Customer's prior specific or general written authorisation (the Customer grants general authorisation by accepting this DPA; see Section 5).

5. Sub-processors

By accepting this DPA, the Customer grants general written authorisation to SOSCO to engage the sub-processors listed at sosco.io/subprocessors. SOSCO will notify the Customer of intended changes to this list at least 14 days in advance. The Customer may object to new sub-processors by written notice to legal@sosco.io.

SOSCO ensures that every sub-processor is bound by written contract to data protection obligations equivalent to those set out in this DPA, as required by GDPR Art. 28(4), and remains fully liable to the Customer for the performance of each sub-processor's obligations.

6. Security Measures

SOSCO implements and maintains the following technical and organisational measures:

  • Data encrypted in transit via TLS 1.2+ on all endpoints
  • Data encrypted at rest in Supabase (PostgreSQL with AES-256)
  • Access control: role-based access, least privilege principle
  • Authentication: multi-factor authentication available, session expiry enforced
  • Audit logging: security-relevant events are logged and retained
  • Security headers: CSP, HSTS, X-Frame-Options, and related headers on all responses
  • Rate limiting on authentication and API endpoints
  • Vulnerability monitoring: dependencies scanned for known CVEs

SOSCO reviews and updates these measures periodically to reflect industry best practices.

7. Data Subject Rights

SOSCO will assist the Customer in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) under GDPR Chapter III. Where technically feasible, the Customer can fulfil these requests directly via the SOSCO platform settings. For requests that require SOSCO's direct assistance, contact legal@sosco.io. SOSCO will respond within 5 business days.

8. International Transfers

SOSCO stores and processes all Customer data within the European Union (Supabase EU West — AWS eu-west-1, Ireland). Where sub-processors are based outside the EEA, SOSCO ensures appropriate safeguards are in place under GDPR Chapter V, including Standard Contractual Clauses (SCCs) adopted by the European Commission.

9. Retention & Deletion

SOSCO retains personal data for as long as necessary to provide the services and as required by applicable law. Upon termination of the service agreement, SOSCO will, at the Customer's choice, delete or return all personal data within 30 days, unless EU or Member State law requires retention. Anonymised or aggregated data not attributable to individuals may be retained.

10. Breach Notification

In the event of a personal data breach as defined in GDPR Art. 4(12), SOSCO will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of it. Notification will include the nature of the breach, the categories and approximate number of data subjects and personal data records affected, the likely consequences, and the measures taken or proposed to address it. Where this information is not all available at the time of the first notification, it will be provided in phases without further undue delay. SOSCO will cooperate with the Customer in meeting the Customer's notification obligations to the supervisory authority and affected data subjects under GDPR Arts. 33 and 34.

11. Audits & Compliance

SOSCO will make available all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable notice (minimum 30 days) and at the Customer's expense, SOSCO agrees to allow audits conducted by the Customer or an auditor mandated by the Customer. Audits may not disrupt SOSCO's operations or compromise the confidentiality of other customers' data. SOSCO may instead provide third-party audit reports or security questionnaire responses in lieu of direct audits.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the SOSCO Terms of Service. SOSCO's total liability for breaches of this DPA shall not exceed the amounts paid by the Customer in the 12 months preceding the claim.

FOUNDER DECISION REQUIRED: Final liability caps and indemnification wording must be reviewed by legal counsel before enterprise contracts are executed.

13. How to Execute a DPA

For self-serve customers, this DPA is incorporated by reference into the Terms of Service and becomes effective when you accept the Terms.

For enterprise customers requiring a countersigned DPA (e.g. for procurement compliance), please contact us at legal@sosco.io with the subject line "DPA Request — [Company Name]". We will provide a signed copy within 5 business days.