1. Parties and Definitions

This Data Processing Agreement (“DPA”) forms part of the contract between:

  • Controller: the Customer
  • Processor: ASTON H-S Ltd (Company No. 15866638), trading as Saont™

“Customer Data” means any personal data processed by Saont™ on behalf of the Customer.

2. Scope and Purpose

Processing is strictly limited to the provision of Saont™ services, including SaontDocs™, domain verification, document delivery, audit trails, and platform security.

3. Processor Role

Saont™ acts solely as a processor and does not determine the purposes or means of processing Customer Data.

Saont™ does not validate legal compliance, lawful basis, or regulatory sufficiency of Customer Data.

4. Instructions

Processing is carried out only on documented instructions from the Customer. Saont™ may refuse unlawful or non-compliant instructions.

5. Confidentiality

All personnel authorised to process Customer Data are bound by confidentiality obligations.

6. Security Measures (Annex II)

  • Encryption in transit (TLS)
  • Role-based access control
  • Least privilege enforcement
  • Audit logging and traceability
  • Fail-closed integrity model
  • Domain-bound delivery enforcement
  • Cloudflare infrastructure protection
  • Clerk authentication systems
  • MongoDB secure storage (EU region)
  • Rate limiting and abuse detection

7. Subprocessors

Customer authorises subprocessors listed at legal.saont.com/subprocessors.

Saont™ ensures equivalent obligations are imposed on subprocessors.

8. Subprocessor Objections

Customer may object on reasonable grounds. If unresolved, Customer may terminate affected services.

9. International Transfers

Transfers rely on UK-approved mechanisms including IDTA or SCCs with UK Addendum.

10. Assistance

Saont™ provides infrastructure to support the Customer in meeting its obligations under applicable data protection laws, including UK GDPR, strictly in its capacity as a processor acting on documented instructions.

Such assistance may include:

  • providing structured intake, verification, and routing mechanisms for data subject rights requests;
  • recording, timestamping, and maintaining audit trails of request activity and related actions;
  • enabling controlled administrative workflows for the Customer to review, manage, and respond to requests;
  • applying limited automated actions to specific request types where predefined technical conditions and safeguards are met;
  • supporting the Customer in responding to regulatory enquiries, DPIAs, and security incidents.

Saont™ does not independently assess, validate, or determine the legal validity, scope, or outcome of any data subject rights request. Responsibility for reviewing, deciding upon, and fulfilling such requests remains solely with the Customer acting as data controller.

11. Breach Notification

Saont™ will notify the Customer without undue delay after becoming aware of a breach.

12. Deletion and Retention

Upon termination, Customer Data will be deleted or returned, except where retention is required for legal or security reasons.

13. Audit Rights

Audits must be proportionate, non-disruptive, and may be satisfied through documentation.

14. Liability

Saont™ is not liable for Customer misuse, unlawful instructions, or incorrect data inputs.

Annex I – Processing Details

  • Subject matter: Saont™ platform
  • Duration: Service term
  • Nature: Storage, access, processing
  • Purpose: Compliance infrastructure
  • Data subjects: Business users
  • Categories: Account data, authentication data, technical logs (including IP address and request metadata), domain verification data, and data submitted in connection with data subject rights requests
  • Special categories: Not required