Data Processing Addendum (DPA)
Parties
Processor: APPHUBIC LTD, company number 16438256, registered office at 20 Wenlock Road, London, England, N1 7GU, trading as “Strmfy”.
Controller: The customer identified in the main service agreement, order form, or account registration with Strmfy.
1. Subject Matter & Duration
1.1 This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Strmfy services.
1.2 Processing shall continue for the term of the main agreement and any renewal, unless otherwise required by law.
2. Definitions
Terms such as Personal Data, Processing, Controller, Processor, Data Subject, and Supervisory Authority have the meanings given in the UK GDPR and, where applicable, the EU GDPR.
3. Nature, Scope & Purpose
3.1 Nature & Purpose: Provision of link shortening, management, and analytics services, including API access, click logging, and related functionality, as further detailed in Annex I.
3.2 Categories of Data & Data Subjects: As set out in Annex I; these may typically include IP addresses, user agents, click timestamps, and limited account data.
3.3 The Processor shall process Personal Data only on documented instructions of the Controller.
4. Processor Obligations
- Process Personal Data solely on documented instructions from the Controller, including regarding international transfers.
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement and maintain appropriate technical and organisational measures (see Annex II).
- Notify the Controller without undue delay after becoming aware of a Personal Data Breach (Section 9).
- Assist the Controller with Data Subject requests (Section 10), security, DPIAs, and consultations with authorities where required.
- Maintain records of processing as required by law.
- Refrain from appointing sub-processors without the guarantees set out in Section 6.
5. Controller Obligations
- Provide lawful, documented instructions and ensure a valid legal basis for processing.
- Not transmit special categories of data unless expressly agreed in writing.
- Inform the Processor without delay of changes affecting processing instructions or lawful basis.
- Be responsible for notices, consents, and transparency towards Data Subjects.
6. Sub-Processors
- The Controller authorises the Processor to engage sub-processors for hosting, analytics, email delivery, customer support, billing, and related services.
- The Processor shall impose obligations on sub-processors no less protective than this DPA and remains responsible for their performance.
- A current list of sub-processors is available upon request or via the Processor’s website. The Processor will provide notice of material changes, allowing the Controller to object on reasonable grounds.
7. International Transfers
Where Personal Data is transferred outside the UK or EEA, the Processor shall implement appropriate safeguards, including the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), and supplementary measures where necessary.
8. Security Measures
The Processor shall implement technical and organisational measures appropriate to the risk, including measures described in Annex II (e.g., encryption in transit, access controls, logging, regular reviews).
9. Personal Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach, providing information reasonably available at the time and cooperating to support the Controller’s obligations to notify authorities and Data Subjects where required.
10. Data Subject Rights
Taking into account the nature of processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights.
11. Audit & Compliance
Upon reasonable prior notice, the Processor shall make available information necessary to demonstrate compliance and allow for audits by the Controller or an independent auditor mandated by the Controller, subject to confidentiality, security, and business continuity constraints. Remote audits and third-party certificates/reports may be used to satisfy audit requirements where appropriate.
12. Return & Deletion
Upon termination or expiry of the main agreement, the Processor shall delete or return Personal Data to the Controller, unless retention is required by law. Deletion may occur through secure erasure processes and standard backup rotation.
13. Liability & Indemnity
Each party’s liability under this DPA is subject to the exclusions and limitations set forth in the main agreement, except to the extent prohibited by applicable law.
14. Governing Law & Jurisdiction
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
15. Order of Precedence
In the event of a conflict between this DPA and the main agreement, this DPA shall prevail with respect to the subject matter herein.
Annexes
Annex I – Processing Details
- Subject matter: Operation of the Strmfy platform and APIs.
- Duration: For the term of the main agreement and as legally required thereafter.
- Nature & Purpose: Link shortening, redirection, analytics, and API-based features; logging for security/abuse prevention.
- Categories of Data Subjects: Controller’s end-users; visitors clicking shortened links; Controller’s staff/administrators.
- Categories of Personal Data: Typically IP address, user agent, language, device type, referrer, timestamp, account identifiers (name/email), billing metadata (tokenised/payment status via payment provider). No special category data is intended.
- Special Categories: Not intended. Controller shall not submit such data unless expressly agreed in writing.
- Processing Operations: Collection, storage, aggregation, analytics, retrieval, transmission, deletion.
Annex II – Technical & Organisational Measures (TOMs)
- Access control: Role-based access, least privilege, MFA for administrative accounts.
- Encryption: TLS for data in transit; encrypted secrets management for credentials/keys.
- Availability & resilience: Backups, monitoring, alerting, disaster recovery procedures.
- Logging & monitoring: Centralised logs, anomaly detection, rate limiting, abuse controls.
- Development security: Code reviews, dependency scanning, change management.
- Data minimisation & retention: Limited data collection; retention schedules; secure deletion.
- Vendor management: Processor DPAs with sub-processors; periodic reviews.
- Employee safeguards: Confidentiality undertakings; security training.
- Incident response: Documented procedures; breach notification workflows.
Annex III – Authorised Sub-Processors
A current list of sub-processors is available upon request from support@strmfy.com. Typical categories include:
- Cloud hosting and CDN providers;
- Payment processors;
- Email delivery and customer support platforms;
- Analytics and monitoring tools;
- Security and logging services.
The Processor will provide reasonable advance notice of material changes to sub-processors, allowing the Controller to object on reasonable grounds.
Execution
This DPA is incorporated by reference into the main agreement between the parties and is deemed accepted upon execution of that agreement, account registration, or continued use of the services, as applicable.
Contact
APPHUBIC LTD
20 Wenlock Road, London, England, N1 7GU
Company Number: 16438256
Email: support@strmfy.com