Data Security & Privacy Policy and Data Processing Agreement
Data Security & Privacy Policy
Last Updated: February 13, 2025
Effective: May 31, 2024
TLDR
We only access your data with your permission, within your SaaS platform.
We never store or sell your data.
We safeguard access (RBAC, MFA) and follow ISO 27001-inspired practices.
If there’s an incident, we’ll notify you quickly.
You control your data; we simply help you manage it.
1. Introduction
This Data Security & Privacy Policy (the “Policy”), together with the Data Processing Agreement (the “DPA”) set forth below, describes how Squareloom (“Company,” “we,” “us,” or “our”) safeguards client data and clarifies our data protection obligations when providing administrative services on third-party Software-as-a-Service (“SaaS”) platforms, including but not limited to Glue Up. We commit to adhering to applicable legal and regulatory requirements, including but not limited to the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), where relevant.
Part I: Data Security & Privacy Policy
2. Data Access & Control
2.1. Role-Based Access
We implement role-based access control (RBAC) to ensure that only authorized personnel have the minimum privileges needed to perform their tasks.
2.2. Authorization by Client
We access client accounts or data strictly upon explicit authorization provided by the client. We do not access data without the client’s documented instruction.
2.4. Access Logging & Review
We maintain logs of access activities (e.g., which accounts or data were accessed, by whom, and when) and periodically review these logs for compliance with security policies and client agreements.
These logs may contain minimal personal data (e.g., user IDs, timestamps). We retain them for security auditing purposes and delete or anonymize them when no longer necessary or after [X] days (as determined by our internal policy).
3. Data Handling & Storage
3.1. In-Platform Processing
We do not store, download, or process client data outside the SaaS platform environment, except as expressly authorized in writing by the client.
If any personal data are temporarily visible to us within the SaaS platform (e.g., while assisting with a configuration or troubleshooting a request), we remain subject to applicable data protection obligations as outlined in Part II of this document.
3.2. Credentials & Secure Access
We do not retain client credentials beyond the immediate need for access and use secure mechanisms (e.g., temporary tokens, Single Sign-On) to avoid direct handling of long-term passwords.
Where credentials must be temporarily stored (e.g., for automation scripts), we store them in an encrypted and access-restricted vault or password manager.
3.3. Log Data & Metadata
While the Company does not routinely copy or store client data, we may generate or retain metadata (such as access logs, error logs, or diagnostic reports) for auditing and security purposes. These logs are protected with the same safeguards as other sensitive data.
4. Confidentiality & Non-Disclosure
4.1. Employee & Contractor NDAs
All employees, contractors, and authorized representatives handling client data sign binding Non-Disclosure Agreements (NDAs).
These NDAs prohibit the sharing, selling, or unauthorized disclosure of client data.
4.2. Prohibition on Data Use
We do not use client data for any purpose other than providing the agreed-upon administrative services within the SaaS platform.
We do not sell or share client data with unauthorized third parties.
5. Security Incident Management
5.1. Breach Notification
If we become aware of any unauthorized access, data breach, or security incident that could affect client data under our control, we will notify the client without undue delay, and in any event within twenty-four (24) hours of discovering the incident.
Notification includes details on the nature of the incident, the scope of data affected, and immediate steps taken or planned to contain and mitigate the incident.
5.2. Incident Response & Mitigation
Upon detection of a security incident, we take all reasonable measures to contain and remediate the issue, including revoking unauthorized access, conducting a forensic analysis, and implementing corrective actions to prevent recurrence.
6. Compliance & Industry Standards
6.1. ISO 27001-Inspired Controls
While not formally certified under ISO 27001, we adhere to recognized industry best practices consistent with the ISO 27001 framework for information security management.
Examples include documented risk assessments, internal security audits, and ongoing staff security training.
6.2. Regulatory Frameworks
We align our data handling with applicable legal frameworks, such as the GDPR and the CCPA, to the extent they apply to the data or the jurisdiction in which the client operates.
For clients located in or serving EU/EEA individuals, we may rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms if personal data is accessed from or transferred to non-EEA locations.
6.3. Sub-Processors
If we engage any sub-processors (beyond the SaaS platform itself) that might handle personal data on our behalf, we will maintain a list of those sub-processors and will update the client in advance of any changes.
Currently, we do not engage additional third-party sub-processors for personal data processing outside the SaaS platform environment.
Part II: Data Processing Agreement (DPA)
1. Purpose & Scope
1.1. This Data Processing Agreement (“DPA”) is incorporated into and governed by the Master Services Agreement or equivalent contract between Squareloom (“Processor”) and the Client (“Controller”).
1.2. This DPA clarifies the roles, responsibilities, and obligations of each party regarding personal data protection under the GDPR and other applicable data protection laws.
2. Roles & Definitions
2.1. Controller & Processor
The Client is the Data Controller, determining the purposes and means of processing personal data.
Squareloom is the Data Processor, acting on the Client’s behalf to perform administrative and support tasks within the SaaS platform upon the Client’s instructions.
2.2. Nature of Processing
We access and potentially view personal data within the SaaS platform. We do not extract, download, or store personal data outside the platform without written client authorization.
Any personal data processing is limited to what is strictly necessary to fulfill our contractual obligations.
3. Client Responsibilities
3.1. Lawful Data Collection
The Client ensures that it has the legal basis (e.g., consent, contractual necessity, legitimate interest) for collecting and processing personal data in the SaaS platform.
3.2. Access Control & Permissions
The Client controls and maintains user permissions (creating, modifying, revoking access).
The Client periodically reviews these permissions to comply with internal security policies and data protection laws.
3.3. Data Subject Requests
The Client is responsible for responding to Data Subject Rights requests (e.g., access, erasure, rectification). Upon Client request, we will provide reasonable assistance to fulfill such requests to the extent we have access to or can otherwise facilitate changes within the SaaS platform.
4. Security Measures
4.1. Technical & Organizational Measures
We maintain RBAC, MFA, encryption for data in transit, and other industry-standard security practices as described in Part I.
We conduct internal security audits and risk assessments to verify adherence to best practices.
4.2. Cross-Border Data Transfers
If personal data is accessed from or transferred outside the EEA, we will use Standard Contractual Clauses (SCCs) or other lawful mechanisms where required by law.
4.3. Security Audits & Documentation
Upon the Client’s reasonable request, we can provide documented evidence of our security measures, such as relevant security policies, internal audit summaries, or compliance checklists.
5. Data Breach Notification
5.1. Prompt Notification
In the event of a breach that affects personal data processed on behalf of the Client, we shall notify the Client without undue delay and, in any case, within twenty-four (24) hours of discovery.
The notification will include the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.
5.2. Controller Responsibilities
The Client (as Controller) is responsible for notifying any relevant supervisory authorities and/or impacted data subjects, if legally required, within the statutory timelines (e.g., GDPR requires notification to regulators within 72 hours of awareness of a breach).
5.3. Liability & Indemnification
Liability for data breaches may be subject to further terms in the Master Services Agreement regarding limitation of liability and indemnification.
Each party agrees to cooperate in good faith to mitigate the effects of any breach.
6. Termination & Data Access Revocation
6.1. End of Services
Upon termination of our services, we will relinquish all access credentials and discontinue any further processing of personal data.
6.2. Post-Termination Data
We do not retain, store, or archive client personal data after termination, aside from minimal logs retained for security auditing or legal requirements.
Any such logs that could contain personal data are protected and deleted or anonymized once no longer necessary.
Part III: Security & Compliance Statement
Squareloom is dedicated to maintaining a high standard of data protection and security. We:
Limit Access to Data: Employ RBAC, MFA, and access logging to ensure minimal privileges and continuous oversight.
Minimize Data Footprint: Avoid storing or extracting client data outside the SaaS environment, except with explicit authorization.
Preserve Confidentiality: Require NDAs for all staff who may handle client data.
Adhere to Industry Best Practices: Align our security measures with ISO 27001-inspired controls and perform ongoing risk assessments.
Respond Quickly to Incidents: Provide immediate breach notifications and containment actions.
Facilitate Compliance: Where applicable, assist clients (Controllers) in meeting GDPR, CCPA, and similar data protection obligations.
7. Changes to This Policy & DPA
We reserve the right to update or modify this document from time to time to reflect changes in our practices or legal requirements.
We will notify clients of material changes via email or by posting a prominent notice on our website. Unless otherwise stated, amendments become effective upon posting.
8. Contact Information
For any questions regarding this Data Security & Privacy Policy or the Data Processing Agreement, or to request a copy of any applicable Standard Contractual Clauses, please contact us at:
Email: info@squareloom.com
Data Protection Officer (If applicable): info@squareloom.com
Final Note
This combined Data Security & Privacy Policy and Data Processing Agreement aims to provide transparency about how Squareloom handles client data and meets its security and privacy obligations. Both parties should consult their respective legal counsel to ensure all contractual documents are complete, legally enforceable in relevant jurisdictions, and accurately reflect the real-world data flows and responsibilities.
By continuing to engage Squareloom’s services, the Client acknowledges and agrees to the terms set forth in this Policy and DPA.