Last updated: 15 July 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between the business customer ("Customer") and Smart DRS Limited (company no. 790140), 70 Sir John Rogerson's Quay, Dublin 2, Ireland ("Processor", "Smart DRS") for use of the DPP.GS platform (the "Service"). It governs the processing of personal data carried out by Smart DRS on behalf of the Customer and applies in accordance with Article 28 GDPR. Where this DPA conflicts with the Terms of Service on data-protection matters, this DPA prevails.

1. Roles of the parties

The Customer is the controller and Smart DRS is the processor in respect of any personal data contained in the Customer Content (including product/passport data). Smart DRS processes such personal data only on the Customer's documented instructions, which include the Terms of Service, this DPA, and the Customer's configuration and use of the Service. In respect of Smart DRS's own account, billing and security data, Smart DRS acts as an independent controller under its Privacy Policy.

2. Subject-matter, duration, nature and purpose

3. Categories of data and data subjects

The Customer must not upload special categories of personal data (Art. 9 GDPR) unless expressly agreed in writing.

4. Processor obligations (Art. 28)

Smart DRS will:

5. Confidentiality

Smart DRS ensures that all personnel and contractors with access to personal data are subject to appropriate confidentiality obligations and receive suitable data-protection training.

6. Security (Art. 32)

Smart DRS maintains appropriate technical and organisational measures, including encryption of data in transit (TLS), password hashing, role-based access controls, network and edge protection, isolated production and staging environments, encrypted backups, logging and monitoring, and regular review of measures. Smart DRS benefits from the security posture of the Sensoneo group infrastructure.

7. Sub-processing

The Customer grants a general authorisation for Smart DRS to engage the sub-processors listed below. Smart DRS imposes data-protection obligations on each sub-processor equivalent to those in this DPA and remains responsible for their performance. Smart DRS will give the Customer reasonable notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds.

Sub-processorPurposeLocation
Hetzner Online GmbHHosting and S3 object storage; US edge nodeEU (Germany, Finland); USA (Ashburn, Virginia)
StripePayment processing (EUR)EU / USA
Twilio SendGridTransactional email deliveryUSA
CloudflareCDN, DNS, DDoS protection, TLSEU / USA (global edge)
Google (Tag Manager / Analytics)Web analytics — only with end-user consentEU / USA
Plausible AnalyticsCookieless, aggregate web analytics (no personal data)EU

8. Assistance with data-subject requests

Taking into account the nature of the processing, Smart DRS will assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests to exercise data-subject rights under Chapter III GDPR. If Smart DRS receives such a request directly, it will forward it to the Customer without undue delay and will not respond except on the Customer's instructions.

9. Personal data breach notification

Smart DRS will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data, and will provide the information reasonably necessary to enable the Customer to meet its obligations under Articles 33 and 34.

10. Deletion or return on termination

On termination of the Service, Smart DRS will, at the Customer's choice, delete or return all personal data processed on the Customer's behalf and delete existing copies, unless retention is required by law. Residual copies in backups will be deleted in accordance with the rolling backup cycle. The Customer acknowledges that public passports may need to remain accessible for the regulatory lifetime of the relevant product.

11. Audits

Smart DRS will make available to the Customer information necessary to demonstrate compliance with Article 28 and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to reasonable notice, confidentiality, and no more than once per year unless required by a supervisory authority. Smart DRS may satisfy audit requests by providing relevant certifications or third-party audit reports held by the Sensoneo group.

12. International transfers

The Service uses a US edge node (Ashburn, Virginia) and sub-processors that may process personal data outside the EEA. Where personal data is transferred to a third country, the parties rely on the European Commission's Standard Contractual Clauses (SCCs) together with supplementary measures, and, where applicable, the EU-US Data Privacy Framework. The SCCs are incorporated into this DPA by reference and, where the Customer is the data exporter and Smart DRS the data importer, apply between the parties.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under applicable data-protection law.

14. Contact

Data-protection contact for this DPA: [email protected].