Data Processing Agreement
Last updated: 2026-05-18
This Data Processing Agreement ("DPA") applies whenever Linabase processes personal data on behalf of a customer who is building an application on Linabase. In that arrangement, the customer is the controller of their end-users' personal data and Linabase is the processor. This DPA reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and the equivalent provisions of the United Kingdom GDPR and the Turkish KVKK.
By creating an account on Linabase and using the service to process the personal data of natural persons (your end-users), you accept this DPA. It is incorporated into the Terms of Service by reference and forms part of the agreement between you and Linabase.
1. Definitions
Terms used in this DPA have the meanings given to them in the GDPR. In particular: "controller," "processor," "data subject," "personal data," "processing," "personal data breach," and "subprocessor" carry their GDPR Article 4 meanings.
- "Customer" — the natural or legal person who has accepted these Terms and operates an application built on Linabase.
- "Customer Personal Data" — personal data of Customer's end-users that Linabase processes on Customer's behalf under this DPA.
- "End-User" — a natural person who interacts with an application built on Linabase, whose personal data Linabase processes as a processor on Customer's behalf.
2. Subject matter, nature, and purpose
The subject matter of the processing is the provision of the Linabase service to Customer: database hosting, authentication, file storage, and related functionality.
The duration of the processing is the term of the Terms of Service, plus any retention period described in the Privacy Policy.
The nature and purpose of the processing is to operate the Linabase service on Customer's behalf so Customer can deliver their application to End-Users.
3. Types of personal data and categories of data subjects
Customer determines the categories of personal data processed by Linabase, by virtue of the schema and content Customer chooses to store. Typical categories include:
- Identifying data (name, email address, profile image).
- Authentication data (password hashes, OAuth identifiers, session tokens, sign-in IP addresses, sign-in user-agent strings).
- Application data (any other data Customer's schema collects from End-Users).
- Files uploaded by End-Users to Customer's storage buckets.
The categories of data subjects are Customer's End-Users.
4. Customer's obligations as controller
Customer represents and warrants that:
- It has a lawful basis to collect and process the personal data it instructs Linabase to process.
- It has provided End-Users with all required notices and obtained all required consents.
- Its instructions to Linabase comply with applicable data protection law.
- It will respond to End-User requests to exercise their rights, as the controller.
5. Linabase's obligations as processor
Linabase will:
- Process Customer Personal Data only on documented instructions from Customer. Customer's use of the service constitutes documented instructions to process the personal data necessary to provide the service. Linabase will not process Customer Personal Data for any other purpose.
- Ensure confidentiality. Linabase personnel authorized to access Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures as described in Section 9 below.
- Engage subprocessors only on the terms in Section 6 below.
- Assist Customer with responding to End-User requests to exercise their rights (Articles 12–22 GDPR). Where Linabase receives a request directly, it will refer the End-User to Customer.
- Assist Customer with breach notifications (Articles 33–34), data protection impact assessments (Article 35), and prior consultation (Article 36), to the extent reasonably available given Linabase's role as processor.
- Make available to Customer the information necessary to demonstrate compliance with Article 28 GDPR.
- Delete or return Customer Personal Data at the end of the service as described in Section 11 below.
- Notify Customer if any instruction infringes data protection law in Linabase's reasonable opinion.
6. Subprocessors
Customer grants Linabase general authorization to engage subprocessors for the provision of the service. Linabase's current subprocessors are listed at /subprocessors, with their purpose, jurisdiction, and applicable transfer mechanism.
Linabase will:
- Impose written data protection obligations on each subprocessor that are no less protective than those in this DPA.
- Remain responsible to Customer for the performance of each subprocessor.
- Publish changes to the subprocessor list at least 30 days before a new subprocessor begins processing Customer Personal Data, via the RSS feed at /subprocessors.xml and notifications to customers who have requested them.
Customer may object to a new subprocessor within the notice period on reasonable, documented grounds related to data protection. If Linabase cannot accommodate Customer's objection, Customer's sole remedy is to terminate the service in accordance with the Terms of Service.
7. International data transfers
Linabase's primary infrastructure is located in Germany. To the extent any subprocessor processes Customer Personal Data outside the European Economic Area in a jurisdiction without an adequacy decision, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:
- Module Two (Controller to Processor) applies between Customer (controller / data exporter) and Linabase (processor / data importer) for transfers outside the EEA where Linabase is the data importer.
- Module Three (Processor to Processor) applies between Linabase (processor / data exporter) and the relevant subprocessor (data importer).
Optional clauses are incorporated as follows:
- Clause 7 docking clause — applies.
- Clause 11(a) independent dispute resolution — not opted in.
- Clause 17 governing law — the law of Türkiye to the extent compatible; otherwise the law of the data exporter's place of establishment.
- Clause 18 forum — the courts of the data exporter's place of establishment.
For transfers involving the UK GDPR, the parties incorporate the International Data Transfer Addendum issued by the ICO. For transfers involving Swiss data, the SCCs apply with appropriate modifications. For data subject to the Turkish KVKK, the safeguards described in Article 9 of the KVKK apply.
8. Personal data breaches
If Linabase becomes aware of a personal data breach affecting Customer Personal Data, Linabase will:
- Notify Customer without undue delay and, in any event, within 48 hours of awareness.
- Provide such information as is reasonably available to Linabase to assist Customer with its own Article 33 / Article 34 obligations, including (where known) the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
- Where full information is not available within 48 hours, provide a partial notification on time and complete it as information becomes available.
- Cooperate in good faith with Customer's investigation and remediation.
Notifications to Customer are sent to the email address associated with Customer's account. Customer is responsible for keeping that address current and monitored.
9. Security measures
Linabase implements technical and organizational measures appropriate to the risk, including:
- TLS encryption for all data in transit.
- AES-256 server-side encryption for database backups at rest.
- Per-tenant Postgres roles and schemas with row-level security enforcement.
- Salted password hashing (bcrypt) and short-lived JWT access tokens.
- fail2ban protection against credential stuffing on the public Postgres interface.
- Error monitoring configured with input masking, redacted authentication headers, and dropped request bodies.
- Restricted personnel access, audited via platform audit logs.
- Regular security review and patching of dependencies and infrastructure.
- Documented breach response procedure with a 72-hour authority notification path.
Linabase may update these measures over time. Updates will not materially reduce the level of protection.
10. Audits
Customer has the right to audit Linabase's compliance with this DPA, to the extent required by Article 28(3)(h) GDPR. Audits are conducted on reasonable advance written notice, at Customer's cost, no more than once per twelve-month period (except following a confirmed personal data breach), during normal business hours, in a manner that does not unreasonably disrupt Linabase's operations or compromise the confidentiality of other customers' data.
Where available, Linabase may satisfy an audit request by providing third-party attestations (such as SOC 2 reports, when issued) in lieu of an on-site audit.
11. Deletion or return of personal data
On termination of the service, Linabase will, at Customer's election:
- Delete all Customer Personal Data from active systems within 30 days; or
- Make Customer Personal Data available for export by Customer for 30 days, after which it is deleted from active systems.
Backup snapshots persist until they naturally expire under the retention schedule (7 days for daily, 12 months for monthly). Encrypted backups are not searched, indexed, or restored absent operational necessity.
Linabase may retain Customer Personal Data to the extent and for the period required by applicable law (including Turkish tax record retention obligations for billing data).
12. Liability
The liability of each party under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA increases the aggregate liability cap. Where a data subject is awarded damages under Article 82 GDPR, the parties' liability between themselves is allocated according to their respective responsibility for the harm, in accordance with Article 82(5) GDPR.
13. Term and conflict
This DPA takes effect when Customer accepts the Terms of Service and remains in force for as long as Linabase processes Customer Personal Data. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Customer Personal Data.
14. Contact
All notices and requests under this DPA: privacy@linabase.com.