Data processing agreement.

Last updated: 19 April 2026

For customers who act as data controllers for their site visitors, store buyers and newsletter subscribers. This DPA governs our role as processor acting on your instructions.

Parties

Processor: Infinity Curve LLC, 76 Vazha-Pshavela Ave, Tbilisi 0186, Georgia. Georgian VAT ID 435437975. Trading as Digital Serpents.

Controller: the Customer identified by your account details in the Main Agreement.

1. Subject matter, duration, nature and purpose

Processing of Personal Data as necessary to provide the Service to the Controller. Duration: the term of the Main Agreement, plus a 90-day post-termination grace for data export/handover.

2. Categories of data and data subjects

Data subjects: visitors to the Controller's website, store buyers, newsletter subscribers, form-submitters.

Personal data categories: identity, contact, technical/behavioural, order/transaction, communications, marketing consent.

We don't intentionally process special categories of data. Regulated industries: separate written agreement required.

3. Roles

The Controller determines purposes and means; the Processor acts on documented instructions (the Main Agreement, DPA, and Controller's configuration).

4. Processor obligations

  • Process only on the Controller's documented instructions.
  • Confidentiality obligations bind all personnel with access.
  • Technical and organisational measures per Annex B (Security Measures).
  • Reasonable assistance with data-subject requests (no additional charge for standard volumes).
  • Assistance with DPIAs, breach notifications, supervisory consultations.
  • Breach notification within 48 hours of becoming aware of a Personal Data Breach.
  • Return or delete all Personal Data at end of service (see §12).

5. Sub-processors

General authorisation granted. Current list: see the Sub-processor page. Each sub-processor bound by flow-down DPA. We notify 30 days before adding/replacing any sub-processor; you may object on reasonable data-protection grounds within the window.

6. International transfers

Personal Data at rest is stored in the European Union (Frankfurt). Where data is transferred outside the EU/UK to a country without adequacy — notably the US, for payment processing and LLM-assisted features — we incorporate the EU Standard Contractual Clauses (2021/914) and the UK Addendum via Annex C.

7. Security measures (Annex B)

TLS 1.2+ in transit; AES-256 at rest; RBAC with mandatory MFA; individual named accounts; quarterly access reviews; 24-hour access removal on staff departure. Private networking where supported. Web Application Firewall and DDoS protection at the edge. 24/7 monitoring, centralised logging, automated alerting. Daily backups with point-in-time recovery, restoration drills at least quarterly. Confidentiality agreements with all staff/contractors; security training on onboarding and annually. Incident-response plan rehearsed annually. Secure SDLC; peer review on auth/payment/PII-touching changes; dependency scanning.

8. Audits

On reasonable request (no more than once per 12 months, unless after a breach), we provide third-party security assessment summaries and documented answers to your questions. On-site audits possible by you or an independent mutually-acceptable auditor at 30 days' notice, at your cost, subject to agreed confidentiality terms.

9. Liability

Subject to the Main Agreement's liability cap, except where Applicable Data Protection Laws impose direct statutory liability.

10. Controller responsibilities

The Controller warrants a valid legal basis for the data provided, compliance with notice obligations, and lawful instructions. The Controller indemnifies the Processor for losses arising from breach of these warranties.

11. Term and termination

Runs for the term of the Main Agreement. Obligations regarding Personal Data survive until all Personal Data has been deleted or returned per §12.

12. Deletion and return

At termination, you elect (within 30 days) either return in a commonly-used format or permanent deletion. Default if no election: deletion. Backups rotate out within 90 days. Legally-required retention is minimised and protected under this DPA.

Annex A — Sub-processors

Maintained current at our public Sub-processor list.

Annex C — International transfer mechanisms

EU SCCs (2021/914) incorporated — Module 2 between Controller and Processor; Module 3 between Processor and sub-processors (flow-down per §5). UK Addendum incorporated for UK-origin transfers. Governing law for the SCCs: Ireland, with courts of Dublin, unless you elect another EU member state with third-party beneficiary rights.

Contact

DPA & privacy: privacy@digitalserpents.com
Legal entity: Infinity Curve LLC, 76 Vazha-Pshavela Ave, Tbilisi 0186, Georgia