
Data Processing Addendum

Last updated: 2026-05-27

This Data Processing Addendum ("DPA") forms part of the Terms of Service between SGEN ("Processor") and the customer identified in the SGEN order or account record ("Controller", "you").
It applies where you, as the Controller, use the SGEN Services to process personal data of your end users, employees, or other individuals.

Contract effective date.
This DPA takes effect on the later of (a) the date you accept it, by email at legal@sgen.com or, when available, in your account settings, and (b) the date of your most recent SGEN order.

Jurisdiction scope.
This DPA covers GDPR and UK GDPR.
Customers requiring coverage under other jurisdictions should contact legal@sgen.com.


1. Definitions

The terms Controller, Processor, Personal Data, Data Subject, Processing, and Supervisory Authority have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR").
Standard Contractual Clauses or SCCs means the EU Commission SCCs per EU Commission Implementing Decision 2021/914, dated 4 June 2021.
UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner.

Customer Personal Data means Personal Data that we process on your behalf in the course of providing the Services, as described in Annex 1.


2. Roles and subject matter

You are the Controller of Customer Personal Data.
SGEN is the Processor.

We process Customer Personal Data only on your documented instructions, including the instructions embedded in your configuration of the Services and in this DPA.
If we believe an instruction violates the GDPR or other applicable law, we will notify you and may suspend the relevant Processing until the instruction is corrected.


3. Confidentiality

Our personnel who access Customer Personal Data are bound by written confidentiality obligations.
Access is limited to personnel who need access to perform the Services.


4. Security

We implement and maintain the technical and organisational measures described in Annex 2 to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.


5. Sub-processors

You consent to our use of the sub-processors listed at sgen.com/sub-processors and authorise us to engage further sub-processors subject to the change-notice and objection rights set out in that page and in Section 6 below.

We require each sub-processor to enter a written contract that imposes data-protection obligations no less protective than those in this DPA.


6. Sub-processor change notice and objection

We notify you of new sub-processors at least 30 days before they begin processing Customer Personal Data, by updating the sub-processor page and sending notice to subscribers of our sub-processor-change mailing list, except where a change is required for security, legal, or service-continuity reasons.

You may object in writing to a new sub-processor on reasonable data-protection grounds within 15 days of our notice.
If we cannot resolve your objection through commercially reasonable alternatives, you may terminate the affected portion of the Services without penalty.


7. Data subject rights

We assist you, taking into account the nature of the Processing and the information available to us, in responding to requests from Data Subjects to exercise their rights under applicable data-protection law.
Where a Data Subject contacts us directly with a request relating to Customer Personal Data, we forward the request to you without undue delay.


8. Personal-data breach notice

We notify you of any Personal-Data Breach affecting Customer Personal Data without undue delay after becoming aware, and in any event within 72 hours.
The notice includes the information then available, including the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.


9. Data-protection impact assessment

We assist you, at your reasonable request, in carrying out data-protection impact assessments and in consultations with Supervisory Authorities, taking into account the nature of the Processing and the information available to us.


10. Deletion and return

On termination of the Services, we delete or return Customer Personal Data within the periods described in Annex 1, except to the extent retention is required by applicable law.
After the retention period ends, we delete or de-identify the data.


11. International transfers

Where we transfer Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision, the transfer is governed by Standard Contractual Clauses per EU Commission Implementing Decision 2021/914 and, where applicable, the UK Addendum, which are incorporated into this DPA by reference.
The Module 2 (Controller-to-Processor) SCCs apply between you and SGEN.
The Module 3 (Processor-to-Processor) SCCs apply between SGEN and our sub-processors where SGEN is itself acting as your Processor.
Standard Contractual Clauses are the default transfer mechanism for all sub-processor relationships.
A copy of the applicable SCCs is available on request at legal@sgen.com.


12. Audits

You may audit our compliance with this DPA once per calendar year, at your expense, on at least 30 days' written notice, during business hours, and subject to confidentiality undertakings.
We may instead provide a recent third-party audit report (where available) covering the same controls, in which case the report satisfies your audit right for that year.


13. Order of precedence

If there is a conflict between this DPA, the Standard Contractual Clauses, and the Terms of Service, the order of precedence is: SCCs, then this DPA, then the Terms of Service.


14. Governing law

This DPA is governed by the same law as the Terms of Service, except where mandatory data-protection law requires otherwise.


15. Amendments

We may update this DPA from time to time.
Material changes are notified to you at least 30 days before they take effect, by email to the address associated with your SGEN account, or through your customer dashboard.
Non-material changes — typographical corrections, clarifications that do not reduce your rights, or changes required by law — take effect on posting.

If you object to a material change on reasonable data-protection grounds, write to legal@sgen.com within 15 days of our notice.
If we cannot resolve your objection through commercially reasonable alternatives, you may terminate the affected portion of the Services without penalty before the change takes effect.
Continued use of the Services after the change takes effect constitutes acceptance of the updated DPA.


Annex 1 — Processing details

Item: Detail
Subject matter: Provision of the SGEN Services to you
Duration: The term of your SGEN subscription
Nature and purpose: Hosting and operation of websites, content, forms, and ecommerce features you build using SGEN
Categories of data subjects: Your employees, contractors, end users of your SGEN-hosted sites, customers, and other individuals whose data you process in the Services
Categories of personal data: Identifiers (name, email, account ID), contact information, form submission contents, ecommerce order data, log and usage data tied to a Data Subject
Sensitive data: We do not require sensitive categories to deliver the Services and recommend you avoid processing sensitive data in the Services. If you choose to do so, you remain responsible for the lawful basis.
Retention: Active data is retained for the term of the subscription. After termination, data is retained for up to 30 days to support reactivation, then deleted or de-identified, unless a longer period is required by law.

Annex 2 — Technical and organisational measures

We maintain measures appropriate to the risk, including:

  • Access control — role-based access at the application layer; least-privilege provisioning for production systems.
  • Encryption in transit — TLS for all customer-facing endpoints. HTTP requests redirect to HTTPS.
  • Encryption at rest — primary data stores use the encryption-at-rest capabilities provided by the underlying hosting platform.
  • Authentication for production access — multi-factor authentication is available to account administrators.
  • Network controls — rate-limiting and abuse-protection at the hosting-provider edge.
  • Vulnerability management — dependency monitoring; patches applied as warranted.
  • Change review — changes to production code follow a peer-review process before deployment.
  • Backup and recovery — customer data is backed up on a regular cadence consistent with platform recovery objectives.
  • Operational logging — security-relevant events are logged and retained for a period sufficient for incident investigation and consistent with applicable law.
  • Personnel — confidentiality obligations through employment or contractor agreements.
  • Sub-processor controls — contractual data-protection obligations no less protective than this DPA.

How to accept this DPA

To execute this DPA, write to legal@sgen.com from the email address associated with your SGEN account.
Include your company name, billing-contact name, and any customer-specific information your data-protection team requires.
We countersign and return an executed copy by email.
