Data Processing Addendum
Effective 2026-05-14 · Incorporated by reference into the Terms of Service.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Slingshot LLC (“Processor”, “we”) and the Customer (“Controller”, “you”) and applies where we process Personal Data on your behalf in connection with the Services. Capitalized terms not defined here have the meanings in the Terms.
1. Roles and scope
For Personal Data submitted to or generated within your Workspace, you are the controller (PDPL: “data controller”; GDPR: “controller”) and we are the processor (PDPL: “data processor”; GDPR: “processor”). Where you act on behalf of another controller (for example, as a service provider to a third party), you remain responsible for the relationship with that controller.
The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and the categories of data subjects are described in Annex 1.
2. Customer instructions
We will process Personal Data only on your documented instructions, including those given through your configuration of the Services and any reasonable subsequent written instructions consistent with the Terms. We will inform you if, in our opinion, an instruction violates applicable data-protection law (without obligation to monitor for legality).
3. Confidentiality of personnel
Personnel authorized to access Personal Data are bound by appropriate confidentiality obligations, whether by contract or by statutory duty.
4. Security
We implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A current summary of those measures is set out in Annex 2. We may update them from time to time provided they do not materially decrease the level of security.
5. Subprocessors
You give us general authorization to engage subprocessors listed at /subprocessors. We will (a) impose obligations on each subprocessor that are no less protective than this DPA; (b) remain liable to you for the subprocessor’s acts and omissions to the extent that we would be liable under this DPA; and (c) give at least 30 days’ prior written notice of any new subprocessor by updating the list and notifying you by email.
You may object to a new subprocessor on reasonable data-protection grounds within that notice window. If we cannot offer a commercially reasonable alternative, either party may terminate the affected portion of the Services without penalty; the only remedy is termination and a pro-rata refund of pre-paid, unused fees for that portion.
6. International transfers
We may transfer Personal Data outside the Kingdom of Saudi Arabia and the European Economic Area in connection with operating the Services. Where required, we will rely on one of the transfer mechanisms permitted by the PDPL or the GDPR (including Standard Contractual Clauses approved by the European Commission and any supplementary measures required by applicable law).
7. Cooperation with data subjects
Taking into account the nature of the processing, we will provide reasonable assistance through appropriate technical and organizational measures to help you respond to requests from data subjects exercising their rights under applicable law. Where a request is made directly to us about a workspace controlled by you, we will refer it to you without responding (except to confirm receipt and inform the data subject of the referral).
8. Security incidents
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your Customer Data. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. You are responsible for notifying authorities and affected data subjects to the extent required by law.
9. Audits
We will make available to you the information necessary to demonstrate compliance with this DPA, including the most recent third-party certification or audit report (where available) and answers to reasonable written security questionnaires. For Customers with material annual contract value, no more than once per year, we will accommodate an on-site audit conducted by you or an independent auditor on mutually agreed terms, subject to confidentiality, reasonable notice, and your payment of our reasonable costs.
10. Return or deletion of data
On termination of the Services or written request, we will, at your option, return or delete Personal Data within 60 days, except where retention is required by law (in which case the retained data remains subject to this DPA). Backups containing Personal Data are deleted in line with our standard retention cycles described in the Privacy Policy.
11. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms. Where the Terms set a cap on aggregate liability, that cap applies to claims under the Terms and this DPA combined.
12. Order of precedence
If there is any conflict between this DPA and the Terms, this DPA prevails as to the processing of Personal Data. If there is any conflict between this DPA and a separately signed data processing agreement between the parties, the separately signed agreement prevails.
13. Governing law
This DPA is governed by the laws of the Kingdom of Saudi Arabia, and the parties submit to the exclusive jurisdiction of the Commercial Courts in Riyadh, Kingdom of Saudi Arabia.
Annex 1 — Processing details
- Subject matter. Provision of the Services to the Customer under the Terms.
- Duration. For the term of the Terms and any post-termination return / deletion window.
- Nature and purpose. Hosting, storing, displaying, transmitting, backing up, supporting, securing, and otherwise processing Customer Data as instructed.
- Types of Personal Data. Account identifiers (name, email, phone), business contact details (company, role), workspace content created or uploaded by Customer’s users (contacts, leads, quotes, invoices, project tasks, files, messages, documents), technical and security data (IP, user-agent, timestamps, audit logs).
- Categories of data subjects. Customer’s employees, agents, contractors, end-customers, and any other natural persons whose data Customer chooses to include in its Workspace.
- Special categories. Customer will not submit special-category data (e.g., health, religion, biometrics, criminal records) unless permitted by law and notified to us in writing; the Services are not designed for such categories.
Annex 2 — Technical and organizational measures (summary)
- Encryption. TLS 1.2+ in transit; encryption at rest for backups and object storage.
- Access control. Role-based access; least-privilege admin access; multi-factor authentication for production systems; session-bound JWT with short expiry.
- Tenant isolation. Logical tenant separation via tenant-scoped queries; cross-tenant access prevented at the application layer.
- Logging and audit. Append-only audit log of every mutation; actor + impersonator stamped on each entry.
- Network. Private networking between application and database; only the reverse proxy exposed to the public internet; HTTPS-only.
- Backups and disaster recovery. Encrypted off-server backups; documented restore procedure; restore drills run periodically.
- Personnel. Confidentiality obligations; least-privilege role assignment; documented offboarding.
- Vendor management. Subprocessors selected on data-protection and security grounds and contractually bound.
- Incident response. Defined runbook with notification SLAs; post-incident review.
For DPA questions, signature requests, or notice of subprocessor objection: hit@eslingshot.com
Postal: Slingshot LLC, Jordan and the Kingdom of Saudi Arabia
Version 2026-05-14.