Data Processing Agreement

GDPR Article 28 compliant DPA for enterprise and B2B clients

Version 2026.3 — Effective March 2026

1. Purpose and Application

This Data Processing Agreement ("DPA") applies where Sterling and Pierce Holding L.L.C-FZ ("Processor") processes personal data on behalf of an enterprise or business subscriber ("Controller") in the context of a B2B enterprise licence or hosted service arrangement for the Ten-Seconds Software.

This DPA is incorporated by reference into the applicable B2B commercial licence agreement. For individual end-user subscriptions, the Privacy Policy governs data processing. This DPA is available in executed form upon request for enterprise clients subject to GDPR.

2. Subject Matter of Processing

Element	Description
Subject matter	Encrypted ephemeral communications relay service
Nature of processing	Hosting, transmission relay, and account management for end-to-end encrypted messaging software
Purpose	Performance of the enterprise licence agreement
Duration	Licence term plus applicable legal retention periods
Data subjects	Enterprise client's users and their communication counterparties
Personal data categories	Pseudonymous usernames, encrypted key blobs, connection metadata, consent records. Message content is technically inaccessible to the Processor.
Special categories	None processed by the Processor

3. Processor Obligations (GDPR Art. 28(3))

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorised to process data are subject to confidentiality obligations
• Implement appropriate technical and organisational measures (Art. 32)
• Respect conditions for engaging sub-processors (Art. 28(2)); current sub-processors are listed in Section 5
• Assist the Controller in fulfilling data subject rights obligations
• Assist with security, breach notification, DPIA, and prior consultation obligations
• Delete or return all personal data at end of the licence term, at the Controller's election
• Make available all information necessary to demonstrate compliance

4. Technical and Organisational Measures (Art. 32)

• Confidentiality: TLS 1.3 in transit; AES encryption for stored credentials; NaCl E2E for all messages
• Integrity: Poly1305 message authentication; bcrypt password hashing
• Availability: Infrastructure monitoring; incident response procedures
• Pseudonymisation: Platform operates on pseudonymous identifiers by design
• Data minimisation: No message database; session metadata purged automatically
• Access control: Role-based administrative access; access logs maintained
• Breach notification: Controller notified within 72 hours of the Processor becoming aware of a personal data breach (GDPR Art. 33)

5. Sub-Processors

Sub-processor	Role	Location	Safeguards
Stripe, Inc.	Card payment processing	USA	EU Standard Contractual Clauses
CoinPayments, Inc.	Cryptocurrency payment processing	Canada	Adequacy / contractual safeguards
Infrastructure host (TBD)	Server hosting	EU / UAE	Data processing agreement

The Processor will notify the Controller of any intended changes to sub-processors, allowing the Controller reasonable opportunity to object.

6. Data Subject Rights Assistance

The Processor will assist the Controller in responding to data subject requests under GDPR Chapter III within 5 business days of notification. Note that message content cannot be provided (technically inaccessible), and password/key recovery is impossible by design.

7. Audits

The Controller may commission audits of the Processor's processing operations upon 30 days' written notice, at the Controller's cost, subject to reasonable confidentiality obligations.

8. Governing Framework

This DPA is governed by the laws of the UAE. For EU-established Controllers, EU GDPR obligations are observed to the extent applicable. Any conflict between this DPA and the main licence agreement shall be resolved in favour of the more protective provision for data subjects.

Version 2026.3 — March 2026 — Sterling and Pierce Holding L.L.C-FZ