Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between Saha Sales Inc., d/b/a Saha Lighting Solutions (Processor), and [CUSTOMER NAME] (Controller), and forms part of the Master Service Agreement or Terms of Service governing the Controller's use of the Lighting Studio platform.

Template version: June 2026 · Agreement Date:

Parties

Processor (Service Provider)

Saha Sales Inc.
d/b/a Saha Lighting Solutions
1823 N Solano Ave
Ontario, CA 91764
Email: edmond@sahalighting.com

Controller (Client)

Company Name: [CUSTOMER NAME]

Address: [CUSTOMER ADDRESS]

City, State / Country, ZIP:

Data Protection Contact: [CUSTOMER DPO / CONTACT NAME]

Contact Email: [CUSTOMER CONTACT EMAIL]

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including without limitation the EU General Data Protection Regulation (GDPR) 2016/679, the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any successor legislation.
"Controller" means the Client identified above ([CUSTOMER NAME]), who determines the purposes and means of the processing of Personal Data.
"Processor" means Saha Sales Inc., d/b/a Saha Lighting Solutions, which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor under or in connection with the Master Subscription Agreement.
"Processing" means any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
"Data Subject" means the natural person to whom Personal Data relates.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on the Controller's behalf.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914/EU.
"Services" means the Lighting Studio SaaS platform provided under the Master Subscription Agreement between the parties.

2. Scope and Purpose of Processing

2.1 Role of the Parties. The Controller is the data controller in respect of Personal Data processed through the Services. The Processor processes Personal Data only on behalf of and under the documented instructions of the Controller, as set out in this DPA and the Master Subscription Agreement.

2.2 Purpose. The Processor shall process Personal Data only for the purposes of providing the Services, including: hosting and operating the lighting layout platform; authenticating administrative users; delivering transactional emails; processing subscription payments; and providing usage analytics to the Controller. Any processing beyond these purposes requires the prior written consent of the Controller or a separate legal basis under Applicable Data Protection Law.

2.3 Instructions. The Controller's instructions are set out in this DPA and the Master Subscription Agreement. The Controller may issue additional written instructions at any time. If the Processor believes an instruction violates Applicable Data Protection Law, it shall promptly notify the Controller.

3. Categories of Personal Data and Data Subjects

The Processor processes the following categories of Personal Data on behalf of the Controller:

Category	Data Elements	Data Subjects
Account Data	Email address, hashed password, role, account creation date	Client's designated administrator users
Usage Analytics Data	Fixture selections, tool type used, session ID (random, non-persistent), page URL, referrer URL, job name (if entered by end user), timestamp	End users of the Client's public-facing lighting tools (only if tracking is enabled by the Controller)
Billing Contact Data	Billing email address, Stripe customer identifier, subscription status	Client's billing contact or administrator
Technical / Log Data	IP addresses, browser type, request timestamps, error logs	All visitors and admin users

The Processor does not knowingly process special categories of Personal Data (as defined under GDPR Article 9) on behalf of the Controller. The Controller warrants that it will not upload or cause to be processed through the Services any special category data without prior written agreement from the Processor.

4. Data Subject Rights

4.1 Assistance. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to Data Subject rights requests, including requests for access, rectification, erasure, restriction, portability, and objection, as required under Applicable Data Protection Law.

4.2 Forwarding Requests. If the Processor receives a Data Subject rights request directly, it shall promptly forward it to the Controller (and in any case within three (3) business days of receipt) and shall not respond to the Data Subject except to acknowledge receipt and confirm the Controller is the appropriate party to address the request, unless otherwise instructed by the Controller.

4.3 Data Export. The Services include an account data export feature that allows the Controller to download its data in a portable format (ZIP archive). This export functionality satisfies the Processor's technical assistance obligation for portability requests relating to Controller account data.

5. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include, at a minimum:

Encryption in transit: All data transmitted between users and the platform is encrypted using TLS (HTTPS). Unencrypted HTTP access is rejected.
Password security: Passwords are stored as bcrypt hashes with an appropriate work factor; plaintext passwords are never stored or logged.
Authentication controls: JWT authentication tokens are used with short expiration windows. Brute-force and credential-stuffing attacks are mitigated by rate limiting on all authentication endpoints.
CSRF protection: All state-mutating API requests require a CSRF token bound to the authenticated session.
Access controls: Role-based access control limits each user to only the data and functions required for their role (superadmin, tenant admin).
Audit logging: All significant administrative actions are logged with timestamp and actor identity to support security monitoring and incident investigation.
Error monitoring: Application errors are captured by Sentry to enable rapid detection and remediation of security-relevant exceptions.
Infrastructure security: The platform is hosted on Railway, which provides managed infrastructure security including network isolation, DDoS mitigation, and automatic security patching.
Backup controls: Backups are stored in access-controlled object storage. Retention is limited per the configured backup retention policy.

The Processor will review and update these measures periodically to account for evolving threats and changes in the Services.

6. Sub-Processors

6.1 Authorization. The Controller provides general authorisation for the Processor to engage the Sub-Processors listed below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller a reasonable opportunity to object.

6.2 Sub-Processor Obligations. The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA, by way of a written contract.

6.3 Approved Sub-Processors:

Sub-Processor	Location	Purpose	Privacy Policy
Stripe, Inc.	United States	Payment processing, subscription billing, and billing portal	stripe.com/privacy
Resend, Inc.	United States	Transactional email delivery	resend.com/privacy
Railway Corp.	United States	Cloud application hosting and managed infrastructure	railway.app/legal/privacy
Cloudflare, Inc. / Amazon Web Services, Inc.	United States (global CDN/storage)	Object storage for uploaded files and backup archives	cloudflare.com/privacypolicy / aws.amazon.com/privacy
Functional Software, Inc. (Sentry)	United States	Application error monitoring and diagnostics	sentry.io/privacy

7. International Data Transfers

7.1 Transfers Outside the EEA/UK. Where Personal Data originating in the European Economic Area (EEA) or the United Kingdom is transferred to Sub-Processors or infrastructure located outside the EEA or UK (including the United States), the Processor shall ensure that an appropriate safeguard is in place as required by GDPR Chapter V or the UK GDPR, as applicable.

7.2 Standard Contractual Clauses. For transfers from the EEA to third countries that have not received an adequacy decision, the parties hereby incorporate the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914/EU (Module Two: Controller to Processor), which are incorporated by reference into this DPA and available at eur-lex.europa.eu. In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail in respect of the transfer.

7.3 UK Addendum. For transfers of Personal Data subject to the UK GDPR, the parties shall execute the UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office, as applicable.

7.4 Transfer Impact Assessment. The Processor shall cooperate in good faith with the Controller to conduct any transfer impact assessment required by Applicable Data Protection Law before initiating a restricted transfer.

8. Security Incident (Breach) Notification

8.1 Notification Obligation. In the event the Processor becomes aware of a Security Incident affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and, in any event, within 72 hours of becoming aware of the Security Incident, to the extent practicable.

8.2 Content of Notification. The notification shall include, to the extent then known: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate volume of Personal Data records affected; (d) the likely consequences of the Security Incident; and (e) the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

8.3 Controller Responsibility. The Controller is solely responsible for determining whether and when to notify supervisory authorities and affected Data Subjects, as required by Applicable Data Protection Law. The Processor's notification to the Controller does not constitute an admission of fault or liability.

8.4 Cooperation. The Processor shall reasonably cooperate with the Controller and provide further information about the Security Incident as it becomes available, to assist the Controller in meeting its own notification obligations.

9. Confidentiality of Processing

The Processor shall ensure that all personnel authorised to process Personal Data under this DPA are subject to appropriate confidentiality obligations (whether under contract or statutory duty) and are informed of the confidential nature of the Personal Data they process.

10. Data Protection Impact Assessments and Prior Consultation

Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in relation to any data protection impact assessments (DPIAs) and any prior consultation with supervisory authorities that the Controller is required to conduct under Applicable Data Protection Law.

11. Audit Rights

Upon the Controller's reasonable written request (no more than once per calendar year absent a Security Incident), the Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall permit and cooperate with audits or inspections by the Controller or its designated auditor. The Controller shall give the Processor at least thirty (30) days prior written notice of any audit, conduct audits during normal business hours, and bear all costs of such audits. Any audit is subject to the Processor's reasonable confidentiality requirements and may not unreasonably disrupt the Processor's business operations.

12. Data Deletion on Termination

12.1 Deletion Obligation. Upon termination or expiry of the Master Subscription Agreement (or upon the Controller's written request), the Processor shall, at the Controller's election, delete or return all Personal Data processed under this DPA, together with all existing copies, unless Applicable Data Protection Law requires continued storage.

12.2 Retention Period. Following termination of the subscription, the Processor will retain Client account data and uploaded content for a period of thirty (30) days to allow the Controller to request a data export. After this period, all Personal Data will be permanently and irreversibly deleted from active systems. Billing metadata may be retained for longer periods as required by applicable tax and financial regulation.

12.3 Certification. Upon request, the Processor shall provide written certification to the Controller confirming deletion of Personal Data following termination.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of California, United States, without regard to conflict-of-law principles, except that the Standard Contractual Clauses (where incorporated) are governed by the laws of the EU Member State specified therein. Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of San Bernardino County, California, subject to any mandatory jurisdiction provisions in the SCCs.

14. Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Master Subscription Agreement, the terms of this DPA shall prevail with respect to the subject matter of data protection. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Exhibit A — Processing Details

Subject matter of processing: Provision of the Lighting Studio SaaS platform, including authentication, fixture library management, usage analytics, and subscription billing.

Duration of processing: For the term of the Master Subscription Agreement, plus any post-termination retention period specified in Section 12.

Nature and purpose of processing: Storage, retrieval, and display of Client account data; delivery of transactional emails; processing of subscription payments; aggregation of usage analytics; error monitoring; and backup/recovery operations.

Types of Personal Data: See Section 3 of this DPA.

Categories of Data Subjects: The Client's designated administrator users and (if analytics is enabled by the Controller) end users of the Client's public-facing lighting tools.

Special category data: None intended. Controller must not upload special category data without prior written agreement.

Signatures

By signing below, each party agrees to be bound by the terms of this Data Processing Agreement.

Saha Sales Inc., d/b/a Saha Lighting Solutions (Processor)

Signature

Printed Name

Title

Date

[CUSTOMER NAME] (Controller)

Signature

Printed Name

Title

Date

Template last updated: June 2026. This is a template provided for reference — replace all [BRACKETED] fields before execution. Saha Sales Inc. recommends having a licensed attorney review this agreement before execution. For questions or to execute this DPA, contact edmond@sahalighting.com.