Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Smoothly and the Customer governing the Customer's use of the Smoothly platform (the “Principal Agreement”). It applies to the extent that Smoothly processes Personal Data on behalf of the Customer in connection with the Principal Agreement and is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation 2016/679 (“GDPR”).

1. Parties

• Processor: Smoothly, operated by Fredrik Ankarskold, sole proprietor, registered in Sweden (“Smoothly”).
• Controller: The Customer entering into the Principal Agreement (the “Customer”).

Where the Customer is itself acting as a Processor for one of its own customers, Smoothly acts as a sub-processor and the Customer warrants that it has obtained the necessary authorizations from its own controllers.

2. Scope, Subject Matter, and Duration

• Subject matter: Smoothly's processing of Personal Data is necessary for the provision of the Smoothly platform — an AI-assisted code generation, hosting, and publishing service.
• Nature and purpose: Hosting, transmission, storage, retrieval, AI-assisted generation, and display of Customer-controlled content.
• Categories of data subjects: The Customer's authorized users, end users of the Customer's applications and websites built with Smoothly, and any individuals whose Personal Data is included in Customer-uploaded content.
• Categories of Personal Data: Account identifiers (email, name), authentication credentials, usage logs, billing information, and any Personal Data the Customer chooses to upload, generate, or process via the platform.
• Duration: For as long as the Principal Agreement is in effect, plus any post-termination period required for data export and lawful retention obligations.

3. Customer Instructions

Smoothly will process Personal Data only on documented instructions from the Customer, including the Principal Agreement, this DPA, and the configuration choices made by the Customer through the platform interface. Smoothly will not process Personal Data for any other purpose, except where required by EU or Member State law, in which case Smoothly will inform the Customer of the legal requirement before processing unless prohibited by law.

4. Subprocessors

The Customer provides general written authorization for Smoothly to engage subprocessors. The current list of subprocessors is published at smoothly.dev/subprocessors.

Smoothly will:

• Impose obligations on each subprocessor that are no less protective than those in this DPA
• Remain fully liable to the Customer for the acts and omissions of its subprocessors
• Provide at least 30 days' advance notice of new subprocessors via the subprocessors page or email
• Allow the Customer to object to the addition of a new subprocessor on reasonable grounds; if the Customer objects and the parties cannot agree on a resolution, the Customer may terminate the Principal Agreement for the affected service

5. Security Measures

Smoothly implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest
• Logical isolation between customers, including row-level security on shared databases
• Access controls, authentication, and audit logging
• Regular backups and tested restoration procedures
• Secure software development life-cycle: code review, automated CI gates, dependency scanning, secret scanning
• Sandboxed isolation of customer-generated code execution
• Confidentiality undertakings for all personnel

A current description of these measures is available at smoothly.dev/security.

6. Data Subject Rights

Taking into account the nature of the processing, Smoothly will assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfil the Customer's obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). Where Smoothly receives a data subject request directly, it will refer the data subject to the Customer without undue delay.

7. Personal Data Breach Notification

Smoothly will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Customer data. The notification will include the information specified in Article 33(3) of the GDPR to the extent available, and Smoothly will provide reasonable assistance to the Customer in fulfilling its obligations under Articles 33 and 34 of the GDPR.

Notifications will be sent to incident@smoothly.dev and to the technical contact on the Customer's account.

8. Data Retention and Deletion

• Personal Data is retained for the duration of the Principal Agreement
• On termination, the Customer has 30 days to export Customer data via the platform export tools
• After the export window, Smoothly will delete or anonymize Customer Personal Data within 30 days, save to the extent required by EU or Member State law
• Backups containing deleted data are overwritten in line with normal backup rotation

9. International Data Transfers

Primary processing takes place in the European Union. Where subprocessors are located outside the EEA, Smoothly relies on transfer mechanisms recognized under Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable), supplemented by additional safeguards where necessary. The current location of each subprocessor is disclosed at smoothly.dev/subprocessors.

10. Audits and Information Rights

Smoothly will make available to the Customer, on request and subject to reasonable confidentiality terms, the information necessary to demonstrate compliance with this DPA, including current third-party certifications and audit reports of its subprocessors. The Customer may, at its own expense and no more than once per year, request an audit conducted by a mutually agreed independent auditor under reasonable confidentiality obligations and during normal business hours.

11. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Principal Agreement and the Smoothly Terms of Service. Nothing in this DPA limits or excludes either party's liability where it cannot be limited or excluded by law.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of Sweden, without regard to conflict-of-law rules. The courts of Sweden have exclusive jurisdiction over disputes arising out of or in connection with this DPA, subject to any mandatory rights of data subjects under applicable law.

13. Versioning

This DPA is published at smoothly.dev/dpa and may be updated from time to time. Material changes will be communicated to active Customers at least 30 days in advance via email to the technical contact on the Customer's account.

• Version 1.0 — 25 April 2026 — initial publication

14. Contact