Data Processing Addendum

Last Updated: March 13, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between SSFeatures, LLC ("SSFeatures," "Processor," "We," "Us," or "Our") and the customer ("Customer," "Controller," "You," or "Your") governing Your use of the SSFeatures Service (the "Agreement").

This DPA applies where and only to the extent that SSFeatures processes Personal Data on behalf of Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws.

1. Definitions

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) the GDPR, UK GDPR, Swiss DPA, CCPA/CPRA, and any other applicable data protection legislation.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"Personal Data" means any information relating to an identified or identifiable natural person that SSFeatures processes on behalf of Customer in connection with the Service.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Security Incident" means any unauthorized access to, or acquisition, alteration, use, disclosure, or destruction of, Personal Data.

"Sub-Processor" means any third party engaged by SSFeatures to process Personal Data on behalf of Customer.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.

2. Scope and Roles

2.1 Roles of the Parties

For the purposes of this DPA:

• Customer is the Controller of Personal Data.
• SSFeatures is the Processor of Personal Data, processing Personal Data only on behalf of and in accordance with Customer's instructions.

2.2 Customer's Processing Instructions

Customer instructs SSFeatures to process Personal Data to the extent necessary to provide the Service in accordance with the Agreement. SSFeatures will not process Personal Data for any other purpose unless required by applicable law, in which case SSFeatures will inform Customer of that legal requirement before processing (unless prohibited by law).

2.3 Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are described in Annex A of this DPA.

2.4 Customer Obligations

Customer represents and warrants that:

• Customer has a lawful basis under applicable Data Protection Laws for the processing of Personal Data as contemplated by this DPA;
• Customer has provided all necessary notices and obtained all necessary consents or other legal bases required for the lawful transfer of Personal Data to SSFeatures;
• Customer's instructions to SSFeatures will comply with applicable Data Protection Laws; and
• Customer will not submit to the Service any special categories of Personal Data (as defined in Article 9 of the GDPR) or any data that would require security measures beyond those described in Annex B.

3. Data Protection Obligations

3.1 Compliance with Laws

Each party will comply with its obligations under applicable Data Protection Laws.

3.2 Confidentiality

SSFeatures will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

SSFeatures will implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents. These measures are described in Annex B of this DPA and at Our Trust Center (https://trust.ssfeatures.com).

3.4 Assistance with Data Subject Rights

SSFeatures will assist Customer, by appropriate technical and organizational measures, in fulfilling Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws (e.g., access, rectification, erasure, portability). SSFeatures will respond to Customer's requests for assistance within ten (10) business days.

3.5 Data Protection Impact Assessments

Upon Customer's written request, SSFeatures will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and relating to the processing of Personal Data under this DPA.

4. Sub-Processors

4.1 Authorized Sub-Processors

Customer provides general authorization for SSFeatures to engage Sub-Processors to process Personal Data, subject to the requirements of this Section 4.

4.2 Current Sub-Processors

The current list of Sub-Processors is maintained at: https://trust.ssfeatures.com/sub-processors

This list includes the name, location, and processing activities of each Sub-Processor.

4.3 Sub-Processor Agreements

SSFeatures will enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA. SSFeatures remains fully liable for the acts and omissions of its Sub-Processors.

4.4 Notification of New Sub-Processors

SSFeatures will notify Customer at least thirty (30) days before engaging any new Sub-Processor. Notification will be provided by:

• Email to the address associated with Customer's account; and/or
• Posting an update to the Sub-Processor list at https://trust.ssfeatures.com/sub-processors

4.5 Objection to New Sub-Processors

Customer may object to SSFeatures' use of a new Sub-Processor by notifying SSFeatures in writing within fifteen (15) days of receiving notice of the new Sub-Processor. Customer's objection must be based on reasonable data protection concerns.

If Customer objects, SSFeatures will use reasonable efforts to:

1. Make available a change to the Service that avoids the use of the objected-to Sub-Processor; or
2. Recommend a commercially reasonable change to Customer's use of the Service to avoid processing by the objected-to Sub-Processor.

If SSFeatures is unable to accommodate Customer's objection within thirty (30) days, either party may terminate the affected portion of the Service by providing written notice.

4.6 Emergency Sub-Processor Changes

In cases where SSFeatures must engage a new Sub-Processor on an emergency basis to maintain the security or availability of the Service, SSFeatures will notify Customer as soon as reasonably practicable and in any event within seven (7) days. Customer retains its objection rights under Section 4.5.

5. Security Incidents

5.1 Notification

SSFeatures will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Customer's Personal Data.

5.2 Notification Contents

The notification will include, to the extent known:

• A description of the nature of the Security Incident;
• The categories and approximate number of data subjects affected;
• The categories and approximate number of Personal Data records affected;
• The likely consequences of the Security Incident; and
• Measures taken or proposed to address the Security Incident.

5.3 Cooperation

SSFeatures will cooperate with Customer and provide reasonable assistance in investigating the Security Incident and meeting Customer's notification obligations under Data Protection Laws.

6. Government Access Requests

6.1 Notification of Requests

If SSFeatures receives a request from a government authority for access to Customer's Personal Data, SSFeatures will:

• Notify Customer of the request before disclosing any Personal Data, unless legally prohibited from doing so;
• Inform the government authority that SSFeatures is a processor acting on behalf of Customer and direct the authority to request the data from Customer directly; and
• Challenge the request if there are reasonable grounds to consider it unlawful.

6.2 Legal Prohibition on Notification

If SSFeatures is legally prohibited from notifying Customer, SSFeatures will use reasonable efforts to obtain a waiver of the prohibition. If disclosure is required, SSFeatures will disclose only the minimum amount of Personal Data necessary to comply with the legal requirement and will notify Customer as soon as the prohibition is lifted.

6.3 No Voluntary Disclosure

SSFeatures will not voluntarily disclose Personal Data to any government authority except as required by applicable law or as expressly authorized by Customer.

7. International Data Transfers

7.1 Data Location

Personal Data is processed and stored on servers located in the United States, operated by DigitalOcean.

7.2 Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area, United Kingdom, or Switzerland to a country not deemed adequate by the relevant authority, SSFeatures will ensure such transfers are made in compliance with Data Protection Laws using one of the following mechanisms:

• Standard Contractual Clauses approved by the European Commission;
• UK International Data Transfer Addendum (where applicable);
• Other valid transfer mechanisms recognized under Data Protection Laws.

7.3 Incorporation of SCCs

Where required, the Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated into this DPA by reference. For the purposes of the SCCs:

• Customer is the "data exporter";
• SSFeatures is the "data importer";
• The details of processing are set out in Annex A;
• The security measures are set out in Annex B;
• The governing law is that of the EU Member State where the data exporter is established (or, for non-EU exporters, the law of Ireland).

8. Audits

8.1 Audit Rights

Upon Customer's written request and subject to reasonable confidentiality obligations, SSFeatures will make available information necessary to demonstrate compliance with this DPA.

8.2 Third-Party Audits

SSFeatures undergoes regular third-party audits of its security practices. Customer may request copies of relevant audit reports or certifications (e.g., SOC 2) under appropriate confidentiality obligations.

8.3 On-Site Audits

Customer may request an on-site audit with at least thirty (30) days' prior written notice. Such audits will be conducted during normal business hours, no more than once per year, and at Customer's expense. SSFeatures may require Customer to execute a confidentiality agreement before any on-site audit.

9. Data Retention and Deletion

9.1 Retention

SSFeatures will retain Personal Data only for as long as necessary to provide the Service and fulfill the purposes described in this DPA, unless a longer retention period is required by law.

9.2 Deletion Upon Termination

Upon termination of the Agreement, SSFeatures will, at Customer's election:

• Delete all Personal Data in its possession within thirty (30) days; or
• Return all Personal Data to Customer in a commonly used format.

SSFeatures may retain Personal Data to the extent required by applicable law, provided that SSFeatures maintains the confidentiality of such Personal Data and processes it only as required by law.

10. Liability

10.1 Liability Cap

Each party's total aggregate liability arising out of or relating to this DPA (including the Standard Contractual Clauses) is subject to the limitations of liability set forth in the Agreement.

10.2 Liability for Sub-Processors

SSFeatures is liable for the acts and omissions of its Sub-Processors to the same extent SSFeatures would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

10.3 No Limitation for Certain Claims

Nothing in this DPA limits either party's liability for:

• Fraud or fraudulent misrepresentation;
• Death or personal injury caused by negligence;
• Any liability that cannot be limited or excluded by applicable law; or
• SSFeatures' obligations to indemnify Customer for third-party claims arising from SSFeatures' breach of this DPA.

11. General Provisions

11.1 Precedence

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.

11.2 Amendments

SSFeatures may update this DPA from time to time to reflect changes in Data Protection Laws or Our processing practices. We will notify Customer of material changes at least thirty (30) days before they take effect.

11.3 Governing Law

This DPA is governed by the laws specified in the Agreement, except that the Standard Contractual Clauses are governed by the laws specified therein.

11.4 Entire DPA

This DPA, together with the Agreement and the Standard Contractual Clauses (where applicable), constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements relating to data processing.

Annex A: Details of Processing

A.1 Subject Matter and Duration

SSFeatures processes Personal Data for the duration of the Agreement to provide the SSFeatures browser extension and related services that enhance Smartsheet functionality.

A.2 Nature and Purpose of Processing

• Verifying Customer's subscription status and license validity
• Enabling access to SSFeatures features
• Processing transactions and managing billing
• Providing customer support
• Analyzing usage patterns to improve the Service (anonymized)

A.3 Types of Personal Data

• Email addresses
• First and last names
• Billing addresses (for paid subscriptions)
• IP addresses
• Device and browser information
• Usage data and analytics

A.4 Categories of Data Subjects

• Customer's employees and authorized users
• Customer's account administrators

A.5 Special Categories of Data

SSFeatures does not intentionally process special categories of Personal Data (e.g., health data, biometric data, religious beliefs) and Customer agrees not to submit such data to the Service.

Annex B: Security Measures

SSFeatures implements the following technical and organizational security measures:

B.1 Encryption

• In Transit: All data transmitted between Customer's browser and SSFeatures servers is encrypted using TLS 1.2 or greater.
• At Rest: Data stored in SSFeatures databases is encrypted using AES-256 encryption.

B.2 Access Controls

• Logical access controls for all servers, systems, and databases
• Role-based access with least privilege principles
• Two-factor authentication required for all internal systems
• Periodic access reviews with revocation within two weeks when no longer needed

B.3 Infrastructure Security

• DDoS protection via Cloudflare
• Regular security monitoring and alerting
• Regular backups with tested restore procedures
• Full-disk encryption (AES-256) on all employee devices

B.4 Personnel Security

• Background checks for employees with access to Personal Data
• Confidentiality agreements for all personnel
• Regular security awareness training

B.5 Incident Response

• Documented incident response procedures
• Security incident notification within 72 hours
• Post-incident review and remediation

B.6 Certifications

SSFeatures has achieved SOC 2 Type 1 certification for the period of January 15, 2025 to January 15, 2026. Current certifications are listed at https://trust.ssfeatures.com.

Annex C: Sub-Processor List

The current list of authorized Sub-Processors is maintained at: https://trust.ssfeatures.com/sub-processors

As of the date of this DPA, SSFeatures uses the following Sub-Processors:

Contact Information

For questions about this DPA or to exercise Your rights, please contact:

SSFeatures, LLC

• Email: [email protected]
• Website: https://ssfeatures.com/contact
• Trust Center: https://trust.ssfeatures.com

This Data Processing Addendum is effective as of the date Customer agrees to the SSFeatures Terms of Service or executes an Order Form referencing this DPA.