Data Processing Agreement
Last updated at: November 19, 2025
Definitions
- "You" or "customer" refers to the company or organization that signs up to use the SimpleLocalize.io
- In this Data Processing Agreement ("DPA"), "Data Protection Legislation" means the General Data Protection Regulation (Regulation (EU) 2016/679), and all other applicable laws relating to processing of data and privacy that may exist in any relevant jurisdiction.
- "data controller", "data processor", "data subject", "personal data" and "processing" shall be interpreted in accordance with applicable Data Protection Legislation.
- The parties agree that the customer is the data controller and that SimpleLocalize.io is its data processor in relation to data that is processed in the course of providing the service.
Purpose and Scope of Processing
SimpleLocalize.io shall process personal data solely for the purpose of providing the translation management and localization services as described in the main service agreement, including account management, customer support, security monitoring, and platform functionality. The processing shall be limited to what is necessary to perform these services.
Privacy of your data
- You own all right, title, and interest to your translation data. We obtain no rights from you to your translation data.
- We do not use your translation data for any purpose other than to provide you with the service.
- We do not collect and analyze personal information from web users and use these behavioral insights to sell advertisements.
- When using SimpleLocalize.io, you 100% own and control all of your translation data.
- We don't sell or rent your site data to any third parties.
The legal basis for processing personal data under this DPA is the performance of a contract (Article 6(1)(b) of the GDPR) between the Customer and SimpleLocalize.io for the provision of services.
Security of your data
We implement and maintain appropriate technical and organizational measures to protect personal data. These measures include but are not limited to:
- Encryption of data at rest and in transit.
- Regularly updated firewalls and intrusion detection systems.
- Access controls and authentication mechanisms to restrict access to authorized personnel only.
- Regular security audits and vulnerability assessments.
- Procedures for regular testing, assessment, and evaluation of the effectiveness of security measures.
Types of Personal Data and Categories of Data Subjects
The personal data that may be processed by SimpleLocalize.io in the course of providing the services includes, but is not limited to:
- Email addresses
- IP addresses
- Social sign-up identifiers (GitHub, Google, Microsoft)
- Project metadata and activity logs
The categories of data subjects may include:
- Customer employees or collaborators using the SimpleLocalize.io service
- End users or clients of the Customer, where such data is input by the Customer into the SimpleLocalize.io
Processor’s obligations with respect to the controller
- We as humans can access your data to help you with support requests you make and to maintain and safeguard SimpleLocalize.io to ensure the security of your data and the service as a whole. SimpleLocalize.io shall ensure that all SimpleLocalize personnel required to access the data are trained in GDPR and data privacy, informed of the confidential nature of the data and comply with the obligations set out in this agreement.
- SimpleLocalize.io shall implement and maintain appropriate technical and organizational security measures designed to protect the data against unauthorized or unlawful processing and against accidental loss, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the data and having regard to the nature of the data which is to be protected.
- We do work with sub-processors. Any such sub-processors will be permitted to process data only to deliver the services SimpleLocalize.io has retained them to provide, and they shall be prohibited from using data for any other purpose. SimpleLocalize.io shall notify the controller when modifying the list of sub-processors using our in-app notifications, email and/or blog. The controller is able to legitimately object and may terminate the agreement.
- All of your site data is stored in the EU, and it never leaves the EU. You can find the list of other cloud services and third-party services that we use in our privacy policy.
- If SimpleLocalize.io becomes aware of any accidental, unauthorized or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by SimpleLocalize.io in the course of providing the service, it shall without undue delay (not later than 48 hours after having become aware of it) notify customer by email and provide customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. SimpleLocalize.io shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
- SimpleLocalize.io shall not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance with the data retention rules associated with the controller's subscription plan.
- SimpleLocalize.io shall notify customer without undue delay if, in SimpleLocalize.io's opinion, an instruction for the processing of data given by customer infringes applicable Data Protection Legislation.
- SimpleLocalize.io shall assist the controller in responding to data subjects' requests to exercise their rights, including but not limited to access, rectification, erasure, and data portability. SimpleLocalize.io will forward such requests to the controller without undue delay.
- SimpleLocalize.io shall ensure that any sub-processor engaged to process data on behalf of the controller adheres to the same data security and confidentiality obligations as set forth in this agreement.
- SimpleLocalize.io remains fully liable to the controller for the performance of its obligations under this agreement, even in cases where sub-processors carry out those obligations.
- SimpleLocalize.io shall provide the controller with all information necessary to demonstrate compliance with the obligations set forth in this agreement and applicable Data Protection Legislation. This includes making available relevant documentation and records upon request.
- SimpleLocalize.io shall make available to the controller all information necessary to demonstrate compliance with the obligations set forth in this agreement and GDPR. This includes, upon request, documentation of technical and organizational measures, records of processing activities, and details of sub-processors engaged.
- SimpleLocalize.io shall obtain prior consent from the controller before engaging any new sub-processors. This consent may be general or specific, as agreed between the parties. SimpleLocalize.io shall notify the controller of any intended changes to the list of sub-processors by publishing a notice on its publicly available Changelog or Blog at least 14 days prior to the changes taking effect. The controller may object to the engagement of a new sub-processor within this notice period by providing written notification. If the controller does not object within the specified timeframe, consent shall be deemed granted.
- SimpleLocalize.io shall, taking into account the nature of processing and the information available to it, assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, including obligations related to data protection impact assessments (DPIA) and prior consultations with supervisory authorities.
- SimpleLocalize.io shall allow and contribute to audits or inspections conducted by the controller or a designated third-party auditor to verify compliance with this agreement and GDPR. Such audits shall be subject to:
  - Prior written notice of at least 30 days.
  - A mutually agreed scope and methodology that ensures minimal disruption to SimpleLocalize.io's operations.
  - Adequate confidentiality agreements to protect SimpleLocalize.io's systems and the data of other customers.
  - Where direct system access is not feasible or necessary, SimpleLocalize.io may provide requested documentation, records, and other evidence demonstrating compliance.
How we handle delete instructions
You can choose to delete your account and delete your projects at any time by e-mailing us at contact@simplelocalize.io. In the event that it is our duty to keep a record of some of your personal information, for example, for accounting purposes, this information is retained. We will irrevocably remove all other information within 30 days of your request.
Once your data has been permanently deleted, we cannot recover it.
Are customers required to sign the DPA?
To use our products and services, you need to accept our DPA. By using our product, you are agreeing to our terms of service, and you are automatically accepting our DPA and do not need to sign a separate document. We provide the same privacy rights and protection to all customers.
Can a customer share the DPA with its customers?
Yes. The DPA is a publicly available document, and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.
Do customers need to notify anyone upon accepting our DPA?
No. You are not required to notify us or any third party upon accepting our DPA, though, as mentioned above, you are free to do so.
Contact
If you have any questions or concerns regarding your information and personal data, please contact us at: contact@simplelocalize.io.
Annex 1: Technical and Organizational Measures
1. Pseudonymization and Encryption (Art. 32(1)(a) GDPR)
- Data in transit is protected with industry-standard TLS encryption.
- Logs and analytics use pseudonymized identifiers where possible.
2. Confidentiality (Art. 32(1)(b) GDPR)
Access Control
- Access to systems and data is granted only to authorized personnel based on job roles.
- Multifactor authentication (MFA) is enforced for administrative and support accounts.
- User access rights are reviewed regularly and revoked immediately upon role change or termination.
- Remote access to systems is secured through encrypted VPN connections.
Physical Security
- Data is hosted exclusively in secure EU-based data centers operated by certified cloud providers (AWS EU regions).
- Data centers are ISO 27001, SOC 1, and SOC 2 certified.
- Physical access to servers is restricted to authorized personnel of the data center operators and is monitored 24/7.
Data Confidentiality
- All personnel with access to customer data are bound by confidentiality agreements.
- Employees receive GDPR and information security training annually.
- Policies prohibit the use of personal data for any purpose other than service provision.
Personnel Security
- All employees with system or data access undergo background verification in accordance with local laws.
- Information security policies are part of onboarding and reviewed annually.
3. Integrity (Art. 32(1)(b) GDPR)
Data Transmission Control
- All data in transit between customers and SimpleLocalize.io services is encrypted using TLS 1.2 or higher.
- Internal communications between servers and services are also encrypted.
Data Integrity Control
- Input validation, checksums, and logging are used to detect unauthorized data modification.
- Versioning and audit trails are maintained for key data operations.
4. Availability and Resilience (Art. 32(1)(b/c) GDPR)
Data Backup and Recovery
- Encrypted backups are created daily and stored in geographically redundant EU locations.
- Backups are tested regularly for integrity and recoverability.
System Availability
- The platform is designed for high availability, using load balancing and failover systems.
- Regular monitoring ensures uptime and early detection of incidents.
Disaster Recovery
- Documented disaster recovery plans define procedures to restore operations within acceptable timeframes.
- Recovery Point Objective (RPO): ≤72 hours; Recovery Time Objective (RTO): ≤48 hours.
5. Procedures for Regular Testing, Assessment, and Evaluation (Art. 32(1)(d) GDPR)
- Automated vulnerability scans are performed at least quarterly.
- Security incidents are documented, reviewed, and analyzed to improve controls.
6. Data Protection by Design and by Default (Art. 25 GDPR)
- Privacy impact assessments are conducted when implementing new features.
- Default settings minimize personal data collection and exposure.
- Role-based access ensures only necessary data is visible to users.
7. Incident Response and Breach Notification
- A documented incident response plan defines detection, reporting, and escalation processes.
- In case of a personal data breach, SimpleLocalize.io will notify affected controllers without undue delay and within 48 hours of becoming aware of the breach.
- Root cause analysis is performed after each incident to prevent recurrence.
8. Sub-Processor Management
- Sub-processor security certifications (e.g., ISO 27001, SOC 2) are reviewed periodically.
- A current list of sub-processors is maintained and communicated in accordance with the DPA via changelog (https://simplelocalize.io/changelog/) and/or blog posts (https://simplelocalize.io/blog/).
9. Data Deletion and Return Procedures
- Upon termination of services or upon controller request, all personal data is securely deleted from active systems within 30 days and from backups within 180 days.
- Secure deletion follows NIST SP 800-88 standards.
- Written confirmation of deletion is available upon request.
10. Compliance and Documentation
- Records of processing activities (Art. 30 GDPR) are maintained.
- Documentation of TOMs and updates is available to controllers upon request.
- Security and privacy documentation is reviewed annually and updated as needed.
11. Certifications and Standards
- Hosting infrastructure complies with ISO 27001, ISO 27017, and SOC 2 Type II.
- Internal practices align with OWASP security principles and CIS Benchmarks.
- SimpleLocalize.io conducts continuous improvement of its security posture.
Changes to these documents
We may update this DPA and annexes from time to time. We encourage you to periodically review this page for the latest information on our privacy practices.
Changelog
Detailed changelog of the document can be found on our GitHub repository.