
Data Processing Agreement

Last updated: April 17, 2026 · Pursuant to GDPR Article 28 & Mauritius DPA 2017

This Data Processing Agreement ("DPA") forms part of the agreement between your organization ("the Controller") and Tri-Pro Administrators Ltd ("the Processor") for the use of SecureSharings. This DPA applies automatically to all organizations using the Platform.

1. Definitions

  • "Controller": Your organization, which determines the purposes and means of processing personal data via the Platform
  • "Processor": Tri-Pro Administrators Ltd, which processes personal data on behalf of the Controller
  • "Data Subject": An identified or identifiable natural person whose personal data is processed
  • "Personal Data": Any information relating to a Data Subject
  • "Processing": Any operation performed on personal data (collection, storage, retrieval, encryption, erasure, etc.)
  • "Sub-processor": A third party engaged by the Processor to process personal data
  • "Platform": SecureSharings (https://securesharings.com)

2. Scope & Nature of Processing

2.1 Subject Matter

The Processor provides a secure file sharing platform that enables the Controller to upload, encrypt, share, and manage confidential documents with authorized recipients.

2.2 Categories of Data Subjects

  • Employees and staff of the Controller organization
  • External recipients who receive shared files
  • External parties who upload files via file request links

2.3 Types of Personal Data Processed

| Category | Data Elements | Purpose |
|---|---|---|
| User accounts | Name, email, role, password hash | Authentication & authorization |
| Uploaded documents | File contents (encrypted) | Secure file sharing |
| Recipient information | Email addresses | Download link delivery |
| Audit records | Actions, IP addresses, timestamps | Security & compliance |

2.4 Duration of Processing

Processing continues for the duration of the Controller's use of the Platform. Upon termination, all Controller data will be deleted within 30 days unless retention is required by applicable law.

3. Obligations of the Processor

3.1 Lawful Processing

The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law. The Processor shall immediately inform the Controller if it believes an instruction infringes data protection legislation.

3.2 Confidentiality

The Processor ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

The Processor implements the following technical and organizational measures (GDPR Article 32):

| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM with unique IV per file |
| Encryption in transit | TLS 1.3 (Firebase/Google managed) |
| Access control | Role-based, multi-tenant isolation |
| Authentication | bcrypt hashed passwords, JWT sessions |
| Brute force protection | Account lockout after 5 attempts |
| Audit logging | Comprehensive action tracking |
| Security headers | HSTS, X-Frame-Options, CSP |
| Data residency | EU (Belgium, europe-west1) |
| Public access prevention | GCS bucket-level enforcement |

3.4 Assistance to Controller

The Processor shall assist the Controller in ensuring compliance with GDPR Articles 32–36, including:

  • Security of processing
  • Notification of personal data breaches
  • Data protection impact assessments
  • Prior consultation with supervisory authorities

3.5 Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by providing necessary platform tools and data exports.

4. Sub-processors

4.1 Authorized Sub-processors

The Controller hereby authorizes the use of the following sub-processors:

| Sub-processor | Purpose | Location | GDPR Safeguard |
|---|---|---|---|
| Google Cloud Platform | File storage & compute | Belgium (EU) | EU data residency |
| Supabase Inc. | Database hosting | EU/US | DPA + SCCs |
| Resend Inc. | Email delivery | US | DPA + SCCs |

4.2 Changes to Sub-processors

The Processor shall notify the Controller of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object within 30 days. If the Controller objects, the parties shall work together to find a reasonable solution.

4.3 Sub-processor Obligations

The Processor ensures that sub-processors are bound by equivalent data protection obligations through written agreements compliant with GDPR Article 28(4).

5. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and in any case within 48 hours of becoming aware of the breach
  • Provide the following information:
    • Nature of the breach, including categories and approximate number of Data Subjects affected
    • Contact details of the Processor's data protection contact
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating and remediating the breach
  • Document the breach and make records available to the Controller

6. Data Transfers

Uploaded files are stored exclusively in Google Cloud Storage, europe-west1 (Belgium, EU). File content does not leave the EU.

For metadata and email delivery, data may be processed by sub-processors located outside the EU. In such cases, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

7. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance with GDPR Article 28
  • Allow and contribute to audits and inspections conducted by the Controller or an authorized auditor
  • Provide audit reports upon reasonable request

Audits shall be conducted with reasonable prior notice (minimum 30 days) and shall not unreasonably disrupt the Processor's operations.

8. Data Deletion & Return

Upon termination of the processing agreement, the Processor shall, at the Controller's choice:

  • Return all personal data in a structured, commonly used format (data export), or
  • Delete all personal data and confirm deletion in writing

Deletion will be completed within 30 days and includes removal from Google Cloud Storage, database records, and backup systems. Audit logs may be retained as required by law.

9. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. The Processor shall be liable for damages caused by processing that does not comply with GDPR or with the Controller's lawful instructions.

10. Governing Law

This DPA shall be governed by the laws of the Republic of Mauritius. For matters relating to GDPR, the applicable provisions of EU law shall apply.

11. Contact

Data Processing Contact

Tri-Pro Administrators Ltd

Email: dpa@securesharings.com

Website: https://securesharings.com

This DPA applies automatically to all organizations using SecureSharings.

By creating an organization account or uploading data, the Controller accepts the terms of this DPA. For custom DPA requirements, contact dpa@securesharings.com.

© 2026 SecureSharings. All rights reserved.