SForest

Data Processing Agreement

Data Processing Agreement

Effective Date: April 10, 2026
Jurisdiction: State of Washington, United States
Last Updated: April 10, 2026

1. Introduction and Purpose

This Data Processing Agreement ("DPA") governs the processing of personal data by Slumbering Forest LLC ("SForest," "Processor") on behalf of merchants, developers, game publishers, and other organizations ("Merchant" or "Controller") who use the SForest platform.

This DPA applies when a Merchant processes personal data of Users (end users, customers, players) through the Platform and SForest processes such data as a "service provider," "processor," or similar capacity as defined by applicable privacy laws (CCPA/CPRA, state privacy laws, and GDPR for EU/UK residents).

By using the SForest Platform to process personal data, you are entering into this DPA with SForest. This DPA is incorporated by reference into the Terms of Service (https://sforest.io/legal/terms-of-service).

2. Definitions

"Personal Data" means any information relating to an identified or identifiable individual. Includes: names, email addresses, phone numbers, usernames, transaction history, payment information, IP addresses, cookies, device identifiers, and behavioral data.

"Data Subject" means the individual to whom Personal Data relates (end users, customers, players).

"Controller" means the Merchant or organization that determines the purposes and means of processing Personal Data. Controllers decide why and how data is collected and used.

"Processor" means SForest, which processes Personal Data on behalf of the Controller pursuant to documented instructions.

"Processing" means any operation performed on Personal Data, including collection, use, storage, transmission, deletion, anonymization, or analysis.

"Sub-Processor" means a third-party service provider (payment processors, cloud providers, analytics platforms) that processes Personal Data on behalf of SForest as Processor.

"Data Protection Laws" means all applicable data protection and privacy regulations including:

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • State privacy laws (Colorado CPA, Connecticut CTDPA, Virginia VCDPA, etc.)
  • General Data Protection Regulation (GDPR) - for EU/UK subjects
  • UK Data Protection Act 2018
  • Canadian privacy laws (PIPEDA and provincial laws)
  • Other applicable state and international privacy laws

"Processing Instructions" means documented directions from Merchant to SForest specifying what Personal Data to collect, use, store, and how to handle data subject requests.

3. Roles and Responsibilities

3.1 Merchant as Controller

The Merchant (you) are the Controller and are responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring legal basis exists for processing (consent, contract performance, legitimate interest, etc.)
  • Compliance with all Data Protection Laws in all jurisdictions where Data Subjects reside
  • Age verification (ensuring no processing of minors' data)
  • Obtaining valid consent where required (GDPR, CCPA, state laws)
  • Providing required disclosures and privacy notices to Data Subjects
  • Responding to Data Subject access, deletion, correction, and opt-out requests
  • Notifying SForest of any data breach or security incident
  • Implementing data protection by design and default principles
  • Conducting Data Protection Impact Assessments (DPIA) for high-risk processing
  • Providing instructions to SForest regarding how to process Personal Data

3.2 SForest as Processor

SForest is the Processor and is responsible for:

  • Processing Personal Data only in accordance with documented Merchant instructions
  • Implementing appropriate technical and organizational security measures
  • Restricting employee access to Personal Data on a need-to-know basis
  • Maintaining Sub-Processor agreements compliant with this DPA
  • Notifying Merchant of data breaches without unreasonable delay
  • Assisting Merchant with Data Subject rights requests
  • Assisting Merchant with compliance obligations
  • Deleting or returning Personal Data upon Merchant request or contract termination
  • Documenting and auditing processing activities
  • Complying with all applicable Data Protection Laws as a Processor

3.3 Limitations on SForest's Responsibilities

SForest is NOT responsible for:

  • Merchant's compliance with Data Protection Laws
  • Merchant's accuracy, quality, or legality of Personal Data provided
  • Merchant's disclosure obligations to Data Subjects
  • Merchant's failure to obtain valid consent
  • Merchant's violation of Data Subject rights
  • Data Security at Merchant end (Merchant's obligations)
  • Compliance with regulations Merchant must follow (Merchant's sole responsibility)

4. Scope and Purpose of Processing

4.1 Authorized Processing Activities

SForest processes Personal Data for the following purposes on behalf of Merchant:

Core Platform Services:

  • Facilitating transactions and payments
  • Account management and authentication
  • User identity verification and age verification
  • Delivering digital content and virtual items
  • Processing refunds and chargebacks
  • Fraud detection and prevention
  • Customer support and communication

Analytics and Reporting:

  • Generating transaction reports for Merchants
  • Analyzing usage patterns and trends
  • Creating anonymized/de-identified analytics
  • Providing Merchant dashboards and insights
  • Tracking conversion and engagement metrics

Compliance and Security:

  • AML/KYC verification (for Merchants)
  • Fraud detection and prevention
  • Security monitoring and threat detection
  • Legal compliance and regulatory reporting
  • Dispute resolution and investigation

4.2 Permitted Data Uses

Processing is limited to purposes necessary to:

  • Provide the Platform services
  • Fulfill Merchant instructions documented in writing
  • Comply with applicable laws
  • Protect security and prevent fraud
  • Enforce SForest Terms and Merchant agreements

4.3 Prohibited Uses

SForest shall NOT:

  • Process Personal Data outside documented Merchant instructions
  • Use Personal Data for SForest's own marketing or profiling
  • Sell or lease Personal Data to third parties
  • Share Personal Data with competitors of Merchant
  • Conduct automated decision-making or profiling without Merchant authorization
  • Combine Personal Data from multiple Merchants
  • Retain Personal Data longer than necessary
  • Process Special Categories of Data (health, biometric, race, etc.) without explicit authorization

5. Categories of Personal Data

The following categories of Personal Data may be processed:

5.1 User Account Information

  • Name and username
  • Email address
  • Phone number
  • Physical address
  • Age and date of birth (for 18+ verification)
  • Account creation date
  • Last login information
  • Account status (active, suspended, deleted)
  • Language and regional preferences

5.2 Transaction Data

  • Purchase history and order details
  • Digital content and games purchased
  • Virtual items acquired
  • Transaction timestamps and amounts
  • Payment method category (not full payment credentials)
  • Currency and conversion rates
  • Refund and dispute history
  • Chargeback records

5.3 Financial Information

  • Billing address
  • Payment method type (card brand, not card number)
  • Transaction receipts
  • Refund/payout records
  • Tax identification (for Merchants)

5.4 Technical Data

  • IP address and location
  • Device type and operating system
  • Browser type and version
  • Cookies and session identifiers
  • API calls and SDK integration data
  • Timestamp and duration of sessions
  • Error logs and performance metrics

5.5 Behavioral Data

  • Features used on Platform
  • Pages visited and time spent
  • Search queries
  • Download and playback history
  • Interaction patterns and engagement metrics

5.6 Communication Data

  • Customer support tickets and chats
  • Emails with Merchant or SForest support
  • Feedback and survey responses
  • Public forum posts and reviews

5.7 Compliance Data

  • Government-issued ID (for Merchant KYC/AML)
  • Tax information
  • Gaming licenses (for iGaming Merchants)
  • Sanctions screening results
  • AML/KYC verification records

6. Sub-Processors and Third-Party Service Providers

6.1 Authorized Sub-Processors

SForest uses the following Sub-Processors to process Personal Data:

Payment Processors:

  • Square, Inc.
  • Stripe, Inc.
  • Citcon Corp.
  • 寻汇 (Xunhui)
  • Future Fintech Group
  • Payssion

Cloud Infrastructure:

  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)
  • Cloudflare

Analytics Providers:

  • Google Analytics
  • Mixpanel
  • Hotjar

Security and Fraud Prevention:

  • Fraud Detection Services (third-party providers)
  • DDoS Protection Services

Compliance and AML/KYC:

  • Third-party KYC/AML verification providers
  • Sanctions screening service providers

Communications:

  • Email service providers
  • Customer support platforms

6.2 Sub-Processor Agreements

All Sub-Processors execute data processing agreements containing:

  • Confidentiality obligations
  • Data security requirements
  • Restrictions on data use
  • Data Subject rights assistance
  • Audit and inspection rights
  • Data deletion or return upon termination
  • Liability and indemnification
  • Compliance with Data Protection Laws

SForest remains liable to Merchant for Sub-Processor performance.

6.3 Changes to Sub-Processors

SForest may add, remove, or change Sub-Processors:

  • SForest will provide 30 days' advance written notice of material Sub-Processor changes
  • Notice will be sent to the email address associated with Merchant account
  • Merchant may object to new Sub-Processors within 30 days
  • If Merchant objects, Merchant may terminate services without penalty
  • Continued use of Platform after notice constitutes acceptance

6.4 Sub-Processor Contact Information

Merchant may request current Sub-Processor contact information by email: [email protected]. SForest will provide within 5 business days.

7. International Data Transfers

7.1 Data Transfers to the United States

Personal Data collected outside the United States is transferred to, processed, and stored in the United States. By using the Platform, Merchant and Data Subjects authorize such transfers.

7.2 US vs. International Privacy Laws

Merchant acknowledges that:

  • US data protection laws provide less protection than GDPR, CCPA, and other international laws
  • US government agencies may access Personal Data with legal process
  • The US does not offer an "adequacy decision" under GDPR
  • Data transfers to the US may violate international privacy laws in some cases

7.3 GDPR and UK DPA Compliance

For Data Subjects in the EU, EEA, or UK:

  • SForest is a Processor under GDPR/UK DPA
  • Standard Contractual Clauses (SCCs) apply to all transfers
  • Data transfers are made in accordance with GDPR Chapter 5
  • Merchant warrants it has obtained necessary legal basis and obtained valid consent
  • Data Subject rights under GDPR apply (access, rectification, erasure, restriction, portability, objection)

7.4 Standard Contractual Clauses

The Merchant and SForest both agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission, as updated by GDPR guidance and EU court decisions.

Copies of SCCs are available upon request: [email protected]

7.5 GDPR-Specific Obligations

For GDPR-covered processing:

  • SForest acts as a Processor and performs only GDPR-compliant processing
  • SForest implements GDPR Article 32 technical and organizational security measures
  • SForest assists Merchant with Data Subject rights requests (Articles 12-22)
  • SForest maintains Records of Processing Activities (Article 30)
  • SForest notifies Merchant of data breaches within 72 hours (Article 33)
  • SForest may not transfer data outside authorized channels without consent
  • Data Retention follows GDPR principles (storage limitation)

8. Data Subject Rights and Assistance

8.1 Data Subject Rights Overview

Merchant acknowledges that Data Subjects have rights under applicable Data Protection Laws:

CCPA/CPRA (California) and State Privacy Laws:

  • Right to access/know what data is collected
  • Right to delete personal information
  • Right to correct inaccurate data
  • Right to data portability
  • Right to opt-out of targeted advertising and profiling
  • Right to limit use of sensitive data
  • Right to non-discrimination for exercising rights

GDPR/UK DPA (EU/UK/EEA Residents):

  • Right of access (Article 15)
  • Right of rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restrict processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)

8.2 SForest Obligations to Assist

SForest will assist Merchant in fulfilling Data Subject rights:

Access Requests:

  • SForest will provide Personal Data in Merchant's possession within 30 days
  • Data will be provided in portable, machine-readable format (where feasible)

Deletion Requests:

  • SForest will delete Personal Data as instructed by Merchant
  • Exceptions: Legal holds, pending disputes, tax/compliance retention
  • Deletion confirmation provided within 30 days

Correction Requests:

  • SForest will correct inaccurate Personal Data upon Merchant instruction
  • Merchant is primarily responsible for accuracy of Personal Data provided

Opt-Out Requests:

  • SForest will honor Data Subject opt-outs from marketing and profiling
  • Opt-outs are tracked in User account settings

Restriction Requests:

  • SForest will restrict processing of flagged Personal Data per GDPR Article 18
  • Data will be marked as restricted in systems

8.3 Merchant Responsibility for Data Subject Rights

Merchant is responsible for:

  • Receiving and responding to Data Subject rights requests
  • Verifying Data Subject identity before fulfilling requests
  • Determining legal basis for denying requests (legal holds, business necessity)
  • Notifying SForest of Data Subject requests requiring SForest assistance
  • Managing Data Subject rights records and response documentation

8.4 SForest Assistance Timeline

For requests requiring SForest action:

  • SForest will respond to Merchant within 5 business days upon notification
  • SForest will take requested action within 10 business days (where feasible)
  • Merchant should allow 30 days total for data processing and compilation
  • Emergency requests may receive expedited handling upon request

9. Data Security Measures

9.1 Technical Security Measures

SForest implements the following technical controls:

Data Encryption:

  • Encryption in transit (TLS 1.2+, HTTPS for all connections)
  • Encryption at rest (AES-256 or equivalent for sensitive data)
  • Encrypted backups with secure key management

Access Controls:

  • Role-based access control (RBAC) limiting employee access
  • Least privilege principle: employees access only necessary data
  • Multi-factor authentication (MFA) for administrative access
  • Activity logging and access monitoring
  • Automated revocation of access upon termination

Network Security:

  • Firewalls and intrusion detection systems (IDS)
  • Web application firewalls (WAF)
  • DDoS protection and mitigation
  • Secure network segmentation
  • Regular vulnerability scanning and patching

Data Protection:

  • Database activity monitoring
  • Automated backup and recovery systems
  • Disaster recovery and business continuity plans
  • Data retention and secure deletion procedures

API and SDK Security:

  • API authentication and rate limiting
  • Input validation and sanitization
  • Secure coding practices
  • Regular security updates

9.2 Organizational Security Measures

SForest implements organizational controls:

Personnel Security:

  • Employee background checks
  • Confidentiality and data protection training
  • Non-disclosure agreements (NDAs)
  • Regular security awareness training
  • Access revocation upon termination

Process Security:

  • Data Protection Impact Assessments (DPIAs)
  • Incident response and breach notification procedures
  • Change management and deployment controls
  • Vendor security assessments
  • Regular audit and compliance reviews

Physical Security:

  • Restricted access to facilities
  • Video surveillance where applicable
  • Environmental controls (fire suppression, power backup)
  • Visitor logs and access tracking

9.3 Merchant Responsibility for Security

Merchant is responsible for:

  • Securing Merchant's own systems and endpoints
  • Ensuring Data Subjects' devices are secure
  • Proper credential management and password security
  • Backup and recovery of Merchant's own data
  • Ensuring Sub-Processors (Merchant side) meet security standards
  • Notifying SForest immediately of security incidents

9.4 Limitations on SForest's Liability for Security

While SForest implements industry-standard security, SForest is NOT liable for:

  • Security breaches at third-party Sub-Processors
  • Data Subjects' device security or malware
  • Merchant's failure to secure access credentials
  • Merchant's introduction of malware through Merchant-supplied data or code
  • Attacks using zero-day vulnerabilities unknown to security community
  • Successful attacks despite SForest's reasonable security measures

10. CCPA/CPRA Service Provider Designation

10.1 Service Provider Status (US Only)

For purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • SForest is designated as a "Service Provider" or "Contractor" to Merchant
  • This designation applies when Merchant is a covered business under CCPA/CPRA
  • Service Provider status means SForest processes Personal Data only as instructed by Merchant

10.2 Service Provider Restrictions

As a Service Provider under CCPA/CPRA, SForest:

  • Shall not sell or share Personal Data
  • Shall not retain, use, or disclose Personal Data except as necessary to provide services
  • Shall not combine Personal Data from multiple customers
  • Shall not use Personal Data for targeted advertising, profiling, or other purposes
  • Shall comply with CCPA/CPRA restrictions on Service Provider conduct

10.3 Service Provider Audit

SForest permits Merchant (and Merchant's authorized auditors) to:

  • Request certifications of compliance with CCPA/CPRA Service Provider obligations
  • Conduct audits and inspections (with reasonable notice)
  • Request corrective action if non-compliance is discovered

10.4 California Consumer Rights Compliance

Merchant is responsible for:

  • Responding to California consumer requests to know, delete, correct, and opt-out
  • Providing SForest with Data Subject requests affecting SForest-processed data
  • Ensuring SForest assistance timelines are met

SForest will assist Merchant with:

  • Identifying Personal Data related to specific Data Subjects
  • Deleting Personal Data upon verified Data Subject request
  • Correcting inaccurate Personal Data
  • Recording and honoring opt-out elections

11. Data Retention and Deletion

11.1 Retention Periods

Personal Data is retained for the following periods:

Account and Transaction Data:

  • Retained while account is active
  • Retained 3 years after account closure (for dispute resolution)
  • Retained longer if dispute, chargeback, or investigation is pending

Financial and Tax Data:

  • Retained 7 years (per IRS and state tax requirements)
  • Retained 10 years if chargeback or dispute exists
  • Longer if required by law

Compliance Data (AML/KYC, Sanctions):

  • Retained minimum 5 years per regulatory requirement
  • Retained 10 years if regulatory investigation is pending
  • Retained longer if required by law or pending litigation

Analytics and Behavioral Data:

  • Retained 13 months (per analytics privacy standards)
  • Deleted automatically upon retention expiration
  • Anonymized/de-identified analytics retained indefinitely

Support and Communication Data:

  • Retained 2 years for reference and dispute resolution
  • Deleted upon Merchant request (if no pending dispute)

11.2 Retention Limitations

SForest will not retain Personal Data longer than:

  • Necessary to provide Platform services
  • Required by applicable law
  • Required for compliance investigations or litigation
  • Merchant-specified retention periods (not to exceed legal/regulatory limits)

11.3 Deletion Upon Request

Upon Merchant request or service termination, SForest will:

  • Delete all Personal Data processed for Merchant
  • Delete data from backup systems (within 90 days)
  • Retain only data required by law or pending disputes
  • Provide deletion certification within 30 days

11.4 Data Portability Upon Termination

Upon service termination, Merchant may request:

  • Extraction of all Personal Data in machine-readable format
  • Data provided within 30 days of request
  • Common formats: CSV, JSON, XML
  • Formatting at SForest's discretion (reasonable effort)

12. Processor Audits and Inspections

12.1 Merchant Audit Rights

Merchant may:

  • Request documentation of SForest's processing activities
  • Request certifications of security and compliance (SOC 2, ISO 27001)
  • Conduct on-site audits with 30 days' written notice
  • Request subprocessor audits and certifications
  • Conduct security assessments (with restrictions on testing)

12.2 Audit Procedures

Audits will be:

  • Conducted during business hours (with advance notice)
  • Limited to systems and data relevant to Merchant services
  • Subject to reasonable confidentiality protections
  • Conducted by Merchant or authorized third-party auditors
  • At Merchant's expense (if frequency exceeds 1 audit/year)

12.3 Audit Frequency Limitations

  • Annual audits: no charge
  • Additional audits (beyond annual): reasonable fees apply
  • Excessive audits (>2 per year): may be restricted
  • Audits may not interfere with Platform operations

12.4 Audit Cooperation

SForest will:

  • Provide requested documentation within 15 business days
  • Facilitate auditor access to relevant systems (secure access)
  • Respond to audit findings within 30 days
  • Implement reasonable corrective actions
  • Provide status updates on remediation

13. Data Breach Notification

13.1 Breach Definition

A "Data Breach" means unauthorized access, disclosure, loss, or destruction of Personal Data that compromises the security or privacy of that data.

Breaches include:

  • Unauthorized access to Personal Data
  • Disclosure of data to unintended recipients
  • Loss of data confidentiality or integrity
  • Ransomware, malware, or hacking incidents
  • Accidental deletion or data loss
  • Insider threats or employee misconduct

13.2 Notification Obligation

SForest will notify Merchant of any Data Breach without unreasonable delay and in no case later than:

  • 72 hours of discovery (GDPR standard)
  • 30 days of discovery (CCPA/state law standard)
  • Earliest possible for security-critical incidents

13.3 Notification Content

Breach notification will include:

  • Description of the breach and nature of compromise
  • Personal Data categories affected
  • Data Subject categories (e.g., merchants, users)
  • Estimated number of individuals affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • SForest contact for additional information
  • Recommendations for Data Subjects (password changes, credit monitoring)

13.4 Merchant Notification Responsibilities

SForest will notify Merchant; Merchant is responsible for:

  • Determining whether notification to Data Subjects is required
  • Notifying Data Subjects and regulatory authorities as required
  • Complying with breach notification laws in affected jurisdictions
  • Managing public communication and press inquiries

13.5 Cooperation on Breach Investigation

SForest will:

  • Cooperate fully with Merchant and authorities
  • Provide forensic investigation findings
  • Preserve evidence for regulatory/legal proceedings
  • Implement remediation and prevent future incidents
  • Document lessons learned

14. Limitation of Liability

14.1 Liability Cap

TO THE MAXIMUM EXTENT PERMITTED BY LAW, SFOREST'S LIABILITY FOR BREACH OF THIS DPA SHALL NOT EXCEED:

  • The greater of: (a) total Merchant payments to SForest in the 12 months preceding the claim, or (b) $100 USD
  • This cap applies to all claims under this DPA, regardless of legal theory

14.2 Excluded Damages

IN NO EVENT SHALL SFOREST BE LIABLE FOR:

  • Indirect, incidental, special, consequential, or punitive damages
  • Lost profits, revenue, or business opportunity
  • Lost data or business interruption
  • Reputational harm
  • Even if advised of the possibility of such damages

14.3 Exceptions to Liability Limitations

Liability limitations do NOT apply to:

  • Gross negligence or willful misconduct by SForest
  • SForest's violation of applicable Data Protection Laws
  • SForest's unauthorized disclosure of Personal Data
  • SForest's breach of confidentiality obligations
  • Claims arising from data breaches caused by SForest's negligence

15. Indemnification

15.1 SForest Indemnification Obligation

SForest indemnifies Merchant against claims arising from:

  • SForest's violation of this DPA
  • SForest's violation of applicable Data Protection Laws
  • SForest's unauthorized processing of Personal Data
  • SForest's breach of security obligations
  • Data breaches caused by SForest's negligence

15.2 Merchant Indemnification Obligation

Merchant indemnifies SForest against claims arising from:

  • Merchant's violation of Data Protection Laws
  • Merchant's lack of legal basis for processing
  • Merchant's failure to obtain valid consent from Data Subjects
  • Merchant's instructions to SForest violating privacy laws
  • Merchant's disclosure of Personal Data to SForest

15.3 Indemnification Procedure

Party seeking indemnification will:

  • Provide prompt written notice of the claim
  • Allow indemnifying party to control defense and settlement
  • Cooperate reasonably in defense
  • Not admit liability without indemnifying party consent

16. Governing Law and Dispute Resolution

16.1 Governing Law

This DPA is governed by and construed in accordance with the laws of the State of Washington, United States, without regard to conflict of law principles.

16.2 Dispute Resolution

Disputes arising from this DPA will be resolved as follows:

Negotiation:

  • Parties will attempt to resolve disputes through good-faith negotiation
  • Senior representatives from each party will meet to discuss resolution

Escalation:

  • If negotiation fails, parties may pursue mediation or arbitration

Arbitration:

  • Disputes may be submitted to binding arbitration under AAA Commercial Arbitration Rules
  • Arbitration will be conducted in Seattle, Washington
  • Governed by the dispute resolution provisions in the Terms of Service

Regulatory Authority:

  • Either party may file complaints with applicable data protection authorities (DPA, state AG, etc.)
  • Regulatory proceedings are separate from this dispute resolution

16.3 Data Protection Authority Precedence

If dispute resolution conflicts with guidance from data protection authorities (DPA, state AG, etc.), the authority's guidance prevails.

17. Order of Precedence and Conflict Resolution

17.1 Document Hierarchy

In case of conflict between documents, the following order applies:

  1. Data Protection Laws - Applicable privacy statutes and regulations
  2. Data Processing Agreement - This document
  3. Terms of Service - https://sforest.io/legal/terms-of-service
  4. Data Processing Instructions - Documented Merchant-to-SForest instructions
  5. Service-Level Agreements - Platform uptime and performance SLAs
  6. General Platform Policies - Other Platform terms and conditions

17.2 Conflicting Requirements

If this DPA conflicts with other SForest documents, Data Protection Laws prevail, and this DPA takes precedence.

17.3 Mandatory Law Supremacy

If any provision of this DPA conflicts with mandatory Data Protection Laws, the law prevails and the conflicting provision is modified to the minimum extent necessary or severed.

18. Amendment and Termination

18.1 Amendment

SForest may amend this DPA:

  • With 30 days' written notice to Merchant
  • Notice via email to registered account address
  • Material changes requiring Merchant consent (for GDPR compliance)

18.2 Merchant Objection

Merchant may object to amendments within 30 days:

  • Email objection to: [email protected]
  • If objection sustained, Merchant may terminate services without penalty
  • Continued Platform use after notice period = acceptance of amendment

18.3 Termination

Merchant may terminate this DPA by:

  • Providing 30 days' written notice
  • Requesting deletion of all Personal Data upon termination
  • Paying outstanding fees through notice period

SForest may terminate for:

  • Merchant breach of DPA (with 30-day cure period)
  • Merchant non-payment of fees
  • Merchant violation of Data Protection Laws
  • Business necessity (60 days' notice)

18.4 Survival Upon Termination

Upon termination:

  • All Personal Data is deleted (except legally required retention)
  • Confidentiality obligations survive indefinitely
  • Indemnification obligations survive for 3 years
  • Merchant has 90 days to retrieve data in portable format

19. Entire Agreement

This DPA, together with the Terms of Service, Privacy Notice, and EULA, constitutes the entire agreement regarding personal data processing and supersedes all prior agreements and understandings.

20. Severability

If any provision is invalid or unenforceable, it will be:

  • Modified to minimum extent necessary for enforceability, or
  • Severed without affecting remaining provisions
  • Mandatory Data Protection Laws govern any severance

21. Contact Information

For DPA-related inquiries, questions, or requests:

Slumbering Forest LLC
Privacy Officer
Email: [email protected]
Website: https://sforest.io

Mailing Address:
1420 5TH AVE STE 2200
SEATTLE, WA 98101-1346

Data Subject Requests:

  • Contact Merchant directly (Merchant is Controller)
  • Merchant will forward to SForest if assistance needed

Regulatory Inquiries:

Appendix A: Standard Contractual Clauses (SCCs)

For processing of Personal Data of EU/EEA/UK residents, the EU Commission's Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference.

The SCCs are available at: https://sforest.io/legal/scc-module-two

Appendix B: Sub-Processor List

Current Sub-Processors authorized under this DPA:

[See Section 6.1 for complete Sub-Processor list]

List updated: April 10, 2026

Updated Sub-Processor list available at: https://sforest.io/legal/subprocessors

Acknowledgment

By using the SForest Platform to process Personal Data, you acknowledge that:

  • You have read and understood this DPA
  • You accept the terms and conditions herein
  • You have authority to bind your organization
  • You will comply with your obligations as Controller
  • You authorize SForest as Processor for specified purposes

Last Updated: April 10, 2026
Slumbering Forest LLC © 2026. All Rights Reserved.