Data Processing Addendum
Last updated: March 30, 2026
Definitions & roles
“Personal Data”, “Controller”, “Processor”, “Processing”, and “Data Subject” have the meanings under applicable Data Protection Laws. Customer is the Controller of Personal Data it uploads or instructs us to process; Sleek is the Processor unless Sleek determines purposes and means independently (for example account relationship data), in which case roles are as described in the Privacy Policy.
Instructions
We process Personal Data only on documented instructions from Customer—including this DPA, the Terms, product functionality, and support tickets explicitly requesting processing. If we believe an instruction infringes law, we will notify Customer.
Subprocessors
Customer authorizes use of subprocessors who meet equivalent obligations. We maintain a current list available upon request or in Trust materials and will give notice of material changes. Customer may object on reasonable data-protection grounds; if no alternative exists, either party may terminate affected Services.
Security measures
We implement technical and organizational measures appropriate to risk, summarized at a high level on our Security page. Personnel access is limited, logged, and subject to confidentiality duties.
Personal data incidents
We will notify Customer without undue delay after confirming a breach affecting Customer Personal Data, providing information required for Customer to meet regulatory timelines where known.
International transfers
Where transfers require safeguards, we rely on Standard Contractual Clauses or another lawful mechanism and will complete assessments required by authorities.
Deletion & return
On request at termination, we delete or return Personal Data unless law requires retention. Backup destruction follows published technical timelines.
Assistance & audit
Data subject requests
We assist Customer with Data Subject requests through product controls and, when necessary, manual support.
Audits
Customer may exercise audit rights under Data Protection Law by requesting our most recent security attestations and our answers to written questionnaires. Onsite audits require 30 days’ notice, occur at most annually, and avoid disruption disproportionate to risk.