Data Treatment Policy

Last updated on: August, 2025

  1. About this DPA

This Data Processing Agreement (“DPA“) is incorporated by reference into the Master Services Agreement made available at https://www.simetrik.com/legal/master-services-agreement or entered into between Customer and Simetrik via a signed agreement or Order Form (“Agreement”). This DPA forms an integral part of the Agreement and governs Simetrik‘s Processing of Personal Data on behalf of Customer.

  2. Definitions

Capitalized terms not defined herein shall have the meanings set forth in the Agreement.

“Applicable Laws” means all applicable privacy and data protection laws and regulations including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR“), the Brazilian General Data Protection Law (“LGPD“), the California Consumer Privacy Act (“CCPA“), the Indian Digital Personal Data Protection Act (“DPDPA“), and relevant Colombian data protection laws.
“Cloud Services” means Simetrik’s hosted products and any ancillary services made available to Customer under the Agreement.
“Customer” shall mean the entity entering into this DPA that is a party to the Agreement.
“Customer Data” means any data submitted to or generated in the Cloud Services by or for Customer; Customer Personal Data is the subset of Customer Data that constitutes Personal Data.
“Customer Personal Data” means any Personal Data Processed by Simetrik on behalf of Customer pursuant to the Agreement.
“Personal Data” means any information relating to an identified or identifiable natural person and all information considered “personal data,” “personal information,” or equivalent under Applicable Laws that is Processed by Simetrik on behalf of Customer in connection with the Cloud Services.
“Personal Data Breach” means any actual or reasonably suspected unauthorized access, acquisition, disclosure, loss, alteration, destruction, or other compromise of Customer Personal Data, whether accidental or unlawful, that compromises the security, confidentiality, integrity, or availability of such data.
“Processing” and its variations means the following operations carried out by automated or non-automated means: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment or combination, restriction, deletion, or destruction.
“Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, replaced, or supplemented from time to time, and any equivalent clauses approved under Applicable Laws for international data transfers, including any UK addendum where applicable.
“Subprocessor” means any third party engaged by Simetrik to Process Customer Personal Data.
“Supervisory Authority” means (a) an independent public authority which is established by an EU member state pursuant to the GDPR, (b) for the United Kingdom, the Information Commissioner’s Office, or (c) other independent competent public authority established or recognized under Applicable Laws.
  3. Roles of the Parties

3.1. The Parties acknowledge and agree that:

  1. Customer acts as a Data Controller. Customer is solely responsible for determining which Personal Data, if any, will be input into the Cloud Services, how such data should be processed, and the purposes for which the data is used;
  2. Customer is responsible for obtaining all consents, licences and legal bases required to allow Simetrik to Process Customer Personal Data.
  3. Simetrik acts solely as a Data Processor and will Process Customer Personal Data on behalf of the Customer in accordance with the Customer‘s instructions as specified in the Agreement, unless otherwise required by law, and, where so required, Simetrik will inform Customer before such Processing unless prohibited by law and will inform Customer immediately if (in its opinion) any instructions infringe Applicable Laws.
  4. Simetrik will not sell or share Customer Personal Data (as “sell”/“share” are defined under the CCPA) and will not retain, use or disclose Customer Personal Data for any purpose other than providing the Cloud Services, complying with law, and as otherwise permitted by the Agreement and Customer’s documented instructions.

3.2. The Cloud Services are provided by Simetrik under a Software as a Service (SaaS) model, namely, Customer brings its own data and largely controls the upload and handles directly the use of Customer Data that has been uploaded into the Cloud Services. Customer agrees and understands that Simetrik will not monitor Customer Data or Customer’s use of any such Customer Data, but may access Customer Data as necessary to provide the Cloud Services, address support or technical issues, ensure security and integrity, or as required by law. Except where legally prohibited, Simetrik will access Customer Data upon Customer’s explicit request or as necessary for the foregoing purposes. It is therefore the sole responsibility and liability of Customer to ensure that Customer Data is collected and transmitted to Simetrik in compliance with Applicable Laws and, in particular, to have a legal basis for Processing and to properly inform Data Subjects of the collection and Processing of their Personal Data. Customer will, in its use of the Cloud Services, Process Personal Data in accordance with the requirements of Applicable Laws.

  4. General Personal Data Obligations

4.1. Each Party shall comply with its obligations under Applicable Laws with respect to the Processing of Personal Data.

4.2. If Simetrik is legally required to Process Personal Data in a manner other than as instructed by Customer, it shall inform Customer before such Processing occurs, unless the law requiring such Processing prohibits Simetrik from informing Customer on an important ground of public interest, in which case it shall notify Customer as soon as that law permits it to do so.

4.3. Simetrik employees or agents who have access to Personal Data (i) are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (ii) shall Process Personal Data only as instructed by Customer, unless otherwise required to do so by Applicable Laws; and (iii) shall be provided training as necessary from time to time with respect to Simetrik’s obligations under this DPA and under Applicable Laws.

4.4. Simetrik will not publish, disclose, divulge or otherwise permit third parties to access any Personal Data, except, in each case, in accordance with the Agreement and this DPA (including as necessary to maintain and provide the Cloud Services and to Subprocessors in accordance with this DPA), with Customer’s consent or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order).

4.5. Upon Customer’s request, Simetrik shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Laws to carry out a data protection impact assessment related to Customer’s use of the Cloud Services or with any prior consultation that Customer is legally required to make under Applicable Laws in respect to Personal Data, taking into account the nature of the Processing and to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Simetrik.

4.6. Upon Customer‘s written request, Simetrik will provide reasonable assistance to Customer in the event of an investigation by or request from any regulator, including a Supervisory Authority, or similar authority, if and to the extent that such investigation or request relates to Personal Data. Customer will reimburse reasonable, documented costs for assistance beyond the standard operation of the Cloud Services. Simetrik will take steps reasonably requested by Customer to assist Customer in complying with any obligations in connection with such an investigation or request.

  5. Subprocessing

5.1. Due to the cloud-based nature of the Services, Simetrik engages Subprocessors to support its performance. These Subprocessors are required to ensure, at a minimum, protections and safeguards consistent with this DPA.

5.2. A current list of Subprocessors is maintained at: https://trust.simetrik.com/.

5.3. Simetrik may appoint new Subprocessors provided that it notifies Customer of such appointment (including the name and location of the relevant Subprocessor and the activities it will perform) at least thirty (30) days prior to the Subprocessor’s engagement, by updating the Subprocessor site or by other written notice. 

5.4. Customer agrees that Simetrik may use Subprocessors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services.

5.5. Customer may terminate the applicable Order Forms with respect only to the Cloud Services which cannot be provided by Simetrik without the use of the objected new Subprocessor by providing written notice to Simetrik, with any such termination to be effective upon the conclusion of the then current billing cycle as set forth in the Agreement.

5.6. Where Simetrik engages a Subprocessor to carry out specific Processing activities (on behalf of Customer), it shall do so by way of a written contract that provides for substantially similar data protection obligations as those binding Simetrik under this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Cloud Services provided by such Subprocessor. Simetrik takes privacy seriously and conducts appropriate due diligence on all its Subprocessors, in accordance with the privacy standards of its international certifications.

  6. International Data Transfers

6.1. Simetrik may transfer Customer Personal Data to countries outside the country of origin, provided such transfers comply with Applicable Laws.

6.2. Where required, such transfers shall be governed by appropriate safeguards, including Standard Contractual Clauses (and, where applicable, the UK addendum or other approved mechanism).

6.3. Simetrik’s current processing locations are described at its Trust Center (https://trust.simetrik.com/) and may be updated from time to time. 

  7. Security Measures

7.1. Simetrik shall implement and maintain appropriate technical and organizational measures (“TOMs“) to protect Customer Personal Data, including:

  1. Encryption in transit and at rest;
  2. Role-based access control;
  3. Monitoring and logging of data access;
  4. Regular penetration testing and risk assessments.

7.2. Simetrik shall maintain the following certifications for the duration of the Agreement: ISO 27001, ISO 27701, ISO 27018, SOC 1, SOC 2, SOC 3, PCI DSS (or successor/equivalent standards).

7.3. Simetrik may implement additional measures that will be available at Simetrik’s Trust Center (https://trust.simetrik.com/).

  8. Data Subject Rights

8.1. Simetrik shall assist Customer in responding to requests from Data Subjects, including access, correction, deletion, and data portability, as required by Applicable Laws.

8.2. If Simetrik receives a Data Subject request directly, it will promptly forward the request to Customer at the contact details provided in the Agreement, unless legally prohibited from doing so. Requests may be submitted via dataprivacy@simetrik.com. Simetrik will support Customer, to the extent legally permitted and technically feasible, in fulfilling such requests within the timeframes required by Applicable Laws. This may include retrieving, deleting, or correcting data, or confirming whether certain data is being processed. If the Data Subject is a user of the Customer‘s services, Customer remains responsible for verifying the requester’s identity and determining the appropriate response.

8.3. Customer is responsible for responding to a data protection communication received directly by Customer by using its own access to the relevant Personal Data. If Customer is unable to access the relevant Personal Data after reasonable efforts, Simetrik will, at Customer’s request, provide reasonable assistance to Customer in responding to any such communication directly received by Customer to the extent the response to such communication is required under Applicable Laws. To the extent legally permitted, Customer shall be responsible for reasonable, documented costs arising from Simetrik’s provision of such assistance beyond the standard operation of the Cloud Services.

  9. Data Breach Notification

9.1. Simetrik shall notify Customer without undue delay after becoming aware of a Personal Data Breach.

9.2. The notification to Customer shall be made within seventy-two (72) hours of becoming aware of the Personal Data Breach and will include, to the extent known at the time of notification:

  1. a summary of the nature of the Personal Data Breach;
  2. the date and time of the incident or its detection;
  3. the categories of affected Personal Data and Data Subjects;
  4. the likely consequences of the breach;
  5. the measures taken or proposed to mitigate such breach and prevent recurrence;
  6. a contact point for further information.

9.2.1. If not all information is available at the time of the initial notice, Simetrik shall provide updates without undue delay as new details become available.

9.3. Simetrik shall cooperate in good faith with Customer to support any required investigation, remediation, or regulatory notification related to a Personal Data Breach.

  10. Data Deletion and Return

10.1. Return and Deletion of Personal Data. Upon termination or expiration of the Agreement, Simetrik will, at the written request of the Customer and subject to any legal or regulatory retention obligations, delete or return the Personal Data processed on behalf of the Customer.

10.2. Simetrik follows a structured data deletion process to ensure secure and traceable removal of Customer Data, including:

a) Formal Request and Validation. Simetrik requires a written request from the Customer to initiate the data deletion process. The request is validated by Simetrik’s team to confirm all contractual obligations are met and whether any data must be returned to the Customer before deletion.

b) Deletion of Accounts and Workspaces. All Cloud Services accounts and associated workspaces created for the Customer are deleted, including all Personal Data stored therein. If the Customer chooses not to participate in the deletion process, Simetrik may proceed with deletion after a defined grace period, in which case the Customer is deemed to have accepted the outcome of the deletion process.

c) Termination of Integrations. Simetrik will disable and delete any automated data flows (integrations) established for the Customer.

d) Deletion of stored data.

  • Databases. Database objects (including users and roles) will be permanently deleted within 15 calendar days after closure. The process is logged and documented.
  • Object storage. The Customer’s workspace folder is deleted, and a deletion snapshot is taken and archived as evidence.

e) Evidence and Reporting.

  • Simetrik maintains internal records of the deletion process, including closure reports, deletion evidence, and audit logs to demonstrate compliance.
  • Workspaces are logically segregated by client and never reused, ensuring strict separation of data across clients.

10.3. If any Applicable Law prohibits the return or deletion of Personal Data, Simetrik will continue to ensure compliance with this DPA and will only Process Personal Data to the extent and for as long as required under Applicable Law.

10.4. Data deletion will occur promptly following the effective date of termination or upon Customer’s written request at any time after termination, subject to Sections 10.1–10.3. For clarity, deletion does not waive or affect any fees or payment obligations accrued under the Agreement.

  11. Audits

11.1. Simetrik uses external auditors to validate the adequacy of its security standards and controls. Audit activities: (i) will be performed at least annually; (ii) will be performed by independent third-party security professionals at Simetrik’s selection and expense; and (iii) will result in the generation of an audit report, which will be deemed Simetrik’s Confidential Information.

11.1.1. At Customer’s written request, Simetrik will provide Customer with a confidential report summarizing the records set forth in Section 11.1. above so that Customer can reasonably verify Simetrik’s compliance with its obligations under this DPA.

11.2. Customer may reasonably audit, limited to once per twelve (12) months, unless required by Applicable Laws or a Supervisory Authority, or following a material Personal Data Breach, Simetrik’s compliance with this DPA (each, a “Customer Audit”), subject to the following conditions:

  1. Scope and Assistance. To the extent required by Applicable Laws, including where mandated by Customer’s Supervisory Authority, Customer or Customer’s Supervisory Authority may perform more frequent audits of the procedures relevant to the protection of Customer’s Personal Data. Simetrik will contribute to such Customer Audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the Customer Audit, including any relevant records of Processing activities applicable to the Cloud Services.
  2. Third-party auditors. If a third party is to conduct the Customer Audit, the third party must be mutually agreed to by Customer and Simetrik (except if such third party is a competent Supervisory Authority). Simetrik will not unreasonably withhold its consent to a third-party auditor requested by Customer. The third party must execute a written confidentiality agreement acceptable to Simetrik before conducting the Customer Audit.
  3. Plan and notice. To request a Customer Audit, Customer must submit a detailed proposed audit plan to Simetrik at least four (4) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Simetrik will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Simetrik’s security, privacy, employment or other relevant policies). Simetrik will work cooperatively with Customer to agree on a final audit plan. Before the commencement of any Customer Audit, Customer and Simetrik shall mutually agree upon the scope, timing, and duration of the Customer Audit.
  4. Satisfaction by documentation. Simetrik may satisfy audit requests by providing relevant documentation that demonstrates compliance with its information security and privacy obligations. This documentation may include, among others, certifications such as ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 27018, PCI DSS, as well as SOC 1 Type II and SOC 2 Type II audit reports, which may be shared only with Customer under a confidentiality agreement, and the SOC 3 report, which is publicly available. In the event that Customer deems an additional review or audit necessary, Simetrik shall be willing to review, evaluate, and jointly coordinate such request with Customer. Simetrik may also fulfill reasonable security-questionnaire requests of commercially reasonable scope.
  5. Manner and constraints. Any Customer Audit must be conducted during regular business hours (or, if an on-site review is mutually agreed, at the applicable facility), subject to the agreed final audit plan and Simetrik’s health, safety, security or other relevant policies, and may not unreasonably interfere with Simetrik’s business activities or operations. Nothing in this Section shall require Simetrik to breach its obligations under Applicable Law or breach its confidentiality, security or privacy obligations to any customers, employees or third parties. Simetrik may restrict access to sensitive information and require a confidentiality agreement specific to the audit.
  6. Reports and confidentiality. Customer will provide Simetrik any audit reports generated in connection with any Customer Audit, unless prohibited by Applicable Law or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the Parties under the terms of the Agreement.
  7. Costs. Any Customer Audits are at Customer’s expense. The Parties will negotiate in good faith with respect to any charges or fees that may be incurred by Simetrik to provide assistance with a Customer Audit that requires the use of resources different from or in addition to those required for the provision of the Cloud Services. Before the commencement of a Customer Audit, Customer and Simetrik shall mutually agree upon the reimbursement rate for which Customer shall be responsible for any time expended for any such Customer Audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Simetrik.
  8. Remote by default. Any and all Customer Audits shall be conducted remotely. The Parties acknowledge that Simetrik operates in a fully remote environment and, accordingly, all audits shall be performed through secure digital means, such as virtual meetings, document sharing platforms, and remote access to relevant systems, as reasonably necessary. No on-site audit shall be required or imposed, unless mutually agreed in writing by the Parties in advance.

  12. Liability

12.1. The Parties agree that liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.

  13. Miscellaneous

13.1. In the event of a conflict between the DPA and the Agreement, the DPA shall prevail with respect to data protection matters.

13.2. This DPA will remain in effect until, and will automatically expire upon, return or deletion of all Personal Data by Simetrik and any applicable Subprocessors.

13.3. Any amendments to this DPA must be agreed in writing.

13.4. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

Annex I: Details of Data Processing

  • Subject Matter: Provision of SaaS services as defined in the Agreement.
  • Duration: Term of the Agreement.
  • Nature and Purpose: Hosting, storage, processing and transfer of data for performance of services.
  • Categories of Data Subjects: Customer’s employees, end users, clients or partners.
  • Categories of Personal Data: Name, contact details, user credentials, usage data, transactional data, and other data uploaded by Customer.

Annex II: Technical and Organizational Measures (TOMs)

https://trust.simetrik.com

Annex III: List of Subprocessors

https://trust.simetrik.com/subprocessors

Annex IV: Standard Contractual Clauses (EU and UK Transfers)

Section A – EU Standard Contractual Clauses (2021/914/EU)

These Clauses apply where Customer is located in the European Economic Area (EEA) or otherwise subject to the GDPR, and transfers Personal Data to Simetrik, located outside the EEA, pursuant to Article 46(2)(c) of the GDPR.

The parties hereby agree to enter into the following modules of the Standard Contractual Clauses adopted by the European Commission on 4 June 2021:

  • Module 2: Controller to Processor

The following options and details apply:

  • Clause 7 (Docking clause): ✓ Included
  • Clause 9 (Subprocessor): Option 2 — General Authorization with 30 days notice
  • Clause 11 (Redress): ❌ Not included (not applicable for Processors)
  • Clause 17 (Governing Law): Laws of the Netherlands
  • Clause 18 (Jurisdiction): Courts of Amsterdam, the Netherlands

Annex I, II and III to these Clauses are incorporated by reference from the DPA:

  • Annex I: Details of the transfer – see DPA Annex I
  • Annex II: Technical and Organizational Measures – see DPA Annex II
  • Annex III: Subprocessors – see DPA Annex III

Section B – UK Addendum (International Data Transfer Addendum to the EU SCCs, Version B1.0)

This section applies if the Customer is subject to UK data protection law and transfers Personal Data to Simetrik located outside the UK.

The parties agree to apply the UK Addendum to the EU SCCs, as issued by the UK Information Commissioner’s Office, with the following specifics:

  • Part 1 – Tables 1 to 4:
    • Table 1 (Parties): As set forth in the Agreement and DPA.
    • Table 2 (SCCs): The SCCs incorporated above, Module 2.
    • Table 3 (Appendices): As per DPA Annexes I–III.
    • Table 4 (Optional Clauses): “Importer may end the Addendum as set out in Section 19” is not selected.
  • Part 2 – Mandatory Clauses: The mandatory clauses of the UK Addendum apply in full.