Beta
DPA

Data Processing Agreement

Last Updated: 14 June 2026 | v1

Appendix 1 to the Business Terms of Service.

Between: The Business Customer (as defined in the Business Terms) acting as data controller (“Controller”)

And: Dendrite Systems, Inc. (d/b/a Strawberry), 28 Geary St. STE 650 #1826, San Francisco, CA 94108, USA, acting as data processor (“Processor”)

The Processor's EU establishment is Strawberry Browser AB (former Dendrite Systems AB) (Org. number: 559563-5359), Kungsgatan 54, 111 35 Stockholm, Sweden.

(Collectively, the “Parties”)

This Data Processing Agreement (“DPA”) forms an integral part of the Business Terms of Service (“Business Terms”) between the Controller and the Processor for the provision of Strawberry Browser (the “Service”), and is accepted by the Controller upon acceptance of the Business Terms. This DPA applies where and only to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the Service.

Feature availability. Certain Service features described in this DPA may not be available in all versions of the Service or in all regions, and may be added, modified, restricted, or removed by the Processor from time to time. Where a feature is not currently available, the corresponding provisions take effect only with respect to the Controller and its Users where and when the feature is enabled.

1. Definitions

“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including: (a) the EU GDPR (Regulation (EU) 2016/679); (b) the UK GDPR as defined by the UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection (“nFADP”); (d) the CCPA as amended by the CPRA and other US state privacy laws as applicable; and (e) any other applicable data protection legislation.

“Connected Apps” means third-party services and applications that the Service may interact with on the Controller's behalf, including those the Controller authorizes through OAuth, API keys, or similar authentication.

“Controller”, “Processor”, “Sub-Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” have the meanings given in Applicable Data Protection Law or the GDPR.

“Standard Contractual Clauses” or “SCCs” means the clauses approved by the European Commission in Implementing Decision (EU) 2021/914.

“User Content” has the meaning given in the Business Terms.

Subprocessor List means the Processor's current list of Sub-Processors, including their identities, locations, and processing purposes, and updated from time to time in accordance with Section 4.

2. Scope and Roles

This DPA applies to Personal Data contained in User Content that the Processor processes on behalf of the Controller in connection with the Service.

The Controller is the data controller and the Processor is the data processor with respect to Personal Data processed under this DPA. The Processor may also process certain Personal Data as an independent data controller for its own limited purposes, namely (i) account administration and authentication, (ii) billing, invoicing, and tax compliance, (iii) fraud detection, abuse prevention, and security of the Service (including cross-Customer abuse signals), (iv) service operation, error monitoring, and reliability telemetry, (v) transactional and service-related communications, (vi) compliance with the Processor's own legal obligations, (vii) defending the Processor's legal claims, and (viii) the creation and use of de-identified, aggregated, or anonymized data in accordance with Section 3.5. Such controller-role processing is governed by the Processor's Privacy Policy and shall not include the use of Personal Data contained in User Content for any other purpose without the Controller's prior written instruction.

The Controller's documented instructions to the Processor include the configuration of the Service through the administrative tools made available to the Controller by the Processor from time to time, including the assignment of differentiated permission levels (“Roles”) to the Controller's Users as set out in the Business Terms. The Processor may add, modify, rename, consolidate, or remove Roles, and change the capabilities associated with any Role, from time to time, and shall provide reasonable notice of changes that would materially restrict the Controller's existing administrative functionality.

3. Processing of Personal Data

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller unless prohibited by law. The Processor shall inform the Controller if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law.

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Appendix B.

The Processor shall not engage in any processing that would constitute a “sale” or “sharing” of Personal Data for cross-context behavioral advertising under the CCPA/CPRA or under any other Applicable Data Protection Law.

3.1 Agentic Processing

The Parties acknowledge that the Service performs agentic operations — the Service reads content from websites, Connected Apps, and files (including files synced to the Controller's local device and files accessed through Connected Apps such as cloud storage providers), and may take Actions on the Controller's behalf based on such content. Actions include, without limitation, navigating and interacting with websites; sending messages; creating or modifying calendar events and records in Connected Apps; and reading, creating, modifying, or deleting files within the scope authorized by the Controller. To the extent the Service processes Personal Data contained in such content on the Controller's behalf, such processing is carried out on the Controller's documented instructions as evidenced by the Controller's and its Users' configuration and use of the Service. The Controller is responsible for ensuring that such instructions and use have a valid lawful basis under Applicable Data Protection Law and that the Controller has provided any notices required under Articles 13–14 GDPR (or has documented an applicable exemption) in respect of third parties whose Personal Data is encountered by the Service. Where the Service processes content locally on the Controller's device without transmission to the Processor's cloud infrastructure, such processing remains subject to this DPA only to the extent the Processor has access to or determines the means of such processing. The Service may also capture operational data — including data about network requests and responses exchanged with websites and Connected Apps on the Controller's direction — in the course of providing agentic capabilities; such operational data is processed under the technical and organizational measures set out in Appendix B and is subject to the no-training commitment in Section 3.6.

Instructions or directives that the Service encounters within third-party content (including web pages, emails, documents, and Connected Apps content) are not Controller instructions for the purposes of this DPA, even if the Service acts upon them. The Processor implements technical and organizational measures, described in Appendix B, to detect and mitigate such adversarial-content events; a successful adversarial-content event leading to unauthorized access to, modification of, or disclosure of Personal Data shall be handled in accordance with Section 6.

3.2 Activity Memory (where enabled)

Availability. Activity Memory is an optional feature that may not be available in all versions of the Service. This Section 3.2 takes effect only with respect to the Controller and Users where and when the feature is enabled by the Processor and opted in to by the relevant User.

Where a User of the Controller opts in to the Activity Memory feature, the Processor may, on the Controller's behalf, capture screenshots and analyze on-screen content, and may store and process the resulting data as Personal Data under this DPA. The Activity Memory feature does not record keystrokes and does not capture biometric identifiers. The Controller, as Controller, is responsible for: (a) determining the lawful basis for such processing, including as required under Article 6 GDPR and, where applicable, Article 9 GDPR; (b) complying with applicable employee-monitoring, consultation, and works-council requirements; (c) providing Users with required transparency notices; (d) completing any Data Protection Impact Assessment required under Article 35 GDPR; and (e) instructing whether Activity Memory is enabled at all for the Controller's organization. The Processor provides administrative controls to enable or disable Activity Memory and to manage Users' ability to enable the feature, where the feature is available.

3.3 Data Segregation

The Processor shall maintain appropriate measures to ensure that Personal Data processed on behalf of the Controller under this DPA is logically separated from Personal Data that the Processor processes as independent data controller for its own purposes.

3.4 Local and Cloud Processing

Personal Data contained in User Content may be processed both locally on the User's device and in the Processor's cloud infrastructure operated by its Sub-Processors. The Processor is in the course of transitioning additional categories of data into primary cloud storage; the balance between local and cloud processing may shift during the term of this DPA. Sub-Processors involved in cloud processing are identified in the Subprocessor List.

3.5 Anonymization

The Processor may create de-identified, aggregated, or anonymized data derived from Personal Data, provided such data cannot reasonably be used to identify any Data Subject, the anonymization meets applicable regulatory standards (including EDPB and UK ICO guidance), and is irreversible. Once irreversibly anonymized, such data is no longer Personal Data and falls outside this DPA. The Processor may use such anonymized data for Service improvement, security, analytics, and product development, and shall not attempt to re-identify it.

3.6 No Training

The Processor shall not use Personal Data processed under this DPA to train the Processor's or any third party's generative AI models unless the Controller expressly opts in in writing. The Processor configures its AI Sub-Processors to disable retention and training where the provider supports such settings. De-identified, aggregated, or anonymized data derived from such Personal Data may be used as described in Section 3.5.

4. Sub-Processors

The Controller provides general written authorization for the Processor to engage Sub-Processors. The Processor maintains the Subprocessor List at the URL identified in Section 1, and updates it as Sub-Processors are added or replaced.

The Processor shall notify the Controller of any intended addition or replacement of a Sub-Processor at least thirty (30) days before the change takes effect. If the Controller objects on reasonable data-protection grounds, the Processor shall use commercially reasonable efforts to make available a change in the Service or recommend a change in the Controller's use to avoid processing by the objected-to Sub-Processor; if no such change is available, either party may terminate the affected portion of the Service on written notice.

The Processor shall enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA, including specifically: (i) the obligation to delete or return Personal Data on termination of the Sub-Processor's engagement or on the Processor's instruction within a period that allows the Processor to meet its obligations under Section 10; (ii) cooperation with audit and assistance requests; and (iii) breach notification within timelines that allow the Processor to meet its obligations under Section 6. The Processor shall remain fully liable for each Sub-Processor's performance.

5. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate measures to fulfil the Controller's obligation to respond to Data Subject requests. The Processor shall promptly notify the Controller if it receives a request from a Data Subject and shall not respond except on the Controller's documented instructions or as required by applicable law.

6. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Such notification shall include (to the extent known at the time): (a) nature of the breach, including categories and approximate number of Data Subjects and Personal Data records; (b) contact details of the Processor's contact point; (c) likely consequences; and (d) measures taken or proposed. Information may be provided in phases as it becomes available.

A successful prompt-injection event or adversarial-content manipulation that leads to unauthorized disclosure, modification, or access to Personal Data will be treated as a Personal Data Breach for purposes of this Section 6.

The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

7. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any DPIAs and prior consultations with supervisory authorities that the Controller is required to carry out under Applicable Data Protection Law, taking into account the nature of processing and the information available to the Processor. The Processor makes a DPIA Assistance Pack available to assist Controllers with assessments relating to the Service.

8. International Data Transfers

The Processor shall not transfer Personal Data outside the EEA, the UK, or Switzerland unless appropriate safeguards are in place under Applicable Data Protection Law. The Processor shall enter into Standard Contractual Clauses (or equivalent transfer mechanisms) with Sub-Processors identified in the Subprocessor List as processing Personal Data outside the EEA/UK/Switzerland, to the extent required by Applicable Data Protection Law.

As between the Parties, where Personal Data of EEA data subjects is transferred from the Controller to the Processor outside a country subject to an EU adequacy decision, the SCCs (Module 2: Controller-to-Processor) apply as set out in Appendix C. For transfers from the UK, the UK International Data Transfer Addendum (Version B1.0) applies. For transfers from Switzerland, the SCCs apply with the modifications required under the Swiss nFADP, with FDPIC as competent authority. Where the recipient is certified under the EU-US Data Privacy Framework and the transfer falls within the scope of that certification, the Parties may rely on that mechanism in lieu of the SCCs for the duration of such certification.

9. Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with not less than 30 days' prior written notice, during regular business hours, and shall not unreasonably interfere with the Processor's business. The Controller shall bear its own costs. Where an audit reveals material non-compliance, the Processor shall promptly remediate at its expense.

The Processor may satisfy its audit obligations by making available up-to-date third-party certifications (including the Processor's SOC 2 Type 1 report as of 13 May 2026 issued by Prescient Assurance LLC, and any subsequent SOC 2 or ISO 27001 reports) or other independent audit reports, at the Processor's election, provided such reports address the material aspects of this DPA. On-site audits are reserved for cases where such reports are not sufficient or where a Personal Data Breach has occurred.

10. Deletion and Return of Personal Data

Upon termination or expiration of the Business Terms, the Processor shall, at the Controller's election, delete or return all Personal Data processed under this DPA within ninety (90) days. The Processor shall procure the deletion or return of such Personal Data by Sub-Processors within the same period and shall use the rights it has under its agreements with Sub-Processors to enforce this obligation. The Processor shall certify deletion in writing upon request. Notwithstanding the foregoing: (a) Personal Data may persist in routine encrypted backups and disaster-recovery snapshots until those backups are rotated out of the relevant retention cycle, which shall not exceed an additional ninety (90) days; (b) the Processor may retain Personal Data to the extent required by applicable law, provided the Processor ensures continued confidentiality and uses the data only as legally required; and (c) the Processor shall remain bound by all applicable confidentiality, security, and use-restriction obligations under this DPA in respect of any retained Personal Data for so long as such Personal Data is retained.

11. Term and Termination

This DPA shall remain in effect for the duration of the Business Terms and shall terminate upon their termination, subject to the Processor's obligations regarding deletion or return. Sections 6, 9, and 10 shall survive termination.

12. Liability

The Parties are liable as set out in Article 82 of the GDPR with respect to claims by Data Subjects. The liability of each Party under this DPA shall be subject to the limitations and exclusions in the Business Terms, except that no limitation shall apply to liability arising from a party's willful misconduct or gross negligence. Each Party's liability under this DPA, taken together with its liability under the Business Terms, shall not exceed the aggregate caps in the Business Terms. Where an Order Form or Enterprise Agreement is in effect, the liability provisions therein shall apply to this DPA to the extent they differ from those in the Business Terms.

13. Governing Law

This DPA shall be governed by the laws specified in the Business Terms. However, where the GDPR applies, this DPA shall be governed by the law of the EU Member State in which the Controller is established, or, where the Controller is not established in the EU, by Swedish law. For UK Data Subjects, the UK GDPR and the Data Protection Act 2018 apply where relevant. For Swiss Data Subjects, the nFADP applies where relevant.

APPENDIX A — Details of Processing

Subject matter. Processing of Personal Data contained in User Content in connection with the provision of Strawberry Browser (the Service).

Duration. For the duration of the Business Terms between the Controller and the Processor.

Nature and purpose. The Processor processes Personal Data to provide the Service, including AI-powered browsing assistance, website interaction, task automation, CRM integration, meeting-note summarization, lead research, and, where the feature is enabled, Activity Memory. The Processor processes this data using local on-device processing and cloud infrastructure services and AI providers identified in the Subprocessor List.

Categories of data subjects. Controller's employees and Users; contacts, leads, customers, prospects, and other individuals whose personal data is contained in User Content processed through the Service.

Categories of Personal Data. Names, email addresses, phone numbers, job titles, company information, addresses, and other personal data contained in web pages, CRM records, documents, meeting notes, and other content processed through the Service. Where Activity Memory is enabled, additional categories may include on-screen content captured via screenshots. Special categories may be processed if contained in User Content, but only as instructed by the Controller.

APPENDIX B — Technical and Organizational Measures

  • Encryption: The Processor utilizes TLS 1.2 or higher for data in transit. User Content within cloud environments is encrypted at rest using industry-standard protocols via cloud infrastructure providers. Authentication tokens for Connected Apps are further secured with application-layer authenticated encryption; keys are managed via a dedicated secrets system and are restricted from AI Sub-Processors. For local data, including agentic operational logs, the Processor relies on OS-level security and the Controller's obligations under Appendix D §D.2.3 rather than application-specific encryption.
  • Access controls: Implementation of role-based permissions according to least-privilege principles. The Processor mandates multi-factor authentication for administrative functions and performs regular access audits.
  • Credential storage: For on-device credential storage, the Service employs native operating-system stores such as macOS Keychain or Windows Credential Manager. The Processor does not maintain a proprietary client-side secret store and cannot access User passwords in plaintext.
  • Network security: Deployment of firewalls, network segmentation, and intrusion detection systems to safeguard the environment.
  • Data minimization: Limiting Personal Data processing strictly to what is required for the delivery of the Service.
  • System resilience: Routine backup procedures designed to meet established recovery time and recovery point targets.
  • Security monitoring: Continuous logging of access to Personal Data systems. Observability telemetry is pseudonymized using HMAC-SHA256 prior to being sent to monitoring Sub-Processors.
  • Incident response: Established response protocols featuring clear escalation paths and notification windows, with dedicated workflows for adversarial-content and prompt-injection scenarios.
  • Staff security: Personnel with data access undergo background checks and are bound by confidentiality. Staff participate in regular security-awareness training programs.
  • Vendor management: Sub-Processors are vetted and contractually required to uphold equivalent security standards, including breach notification and data deletion obligations.
  • Data deletion: Adoption of secure deletion protocols upon contract termination or at the Controller's request.
  • Agentic AI safeguards: Implementation of measures to mitigate adversarial content, such as XML tagging of untrusted data, model system prompts, output monitoring, and permission gates for high-impact Actions.
  • Activity Memory safeguards (where enabled): Includes an opt-in flow with clear disclosures, pause controls, and management tools for entry deletion. The feature is disabled by default in private browsing. For local operational data, the Processor relies on OS-level protections and the Controller's responsibilities under Appendix D §D.2.3. The Processor uses commercially reasonable efforts to filter sensitive data from logs and Sub-Processor transmissions.
  • Independent assurance: The Processor maintains a SOC 2 Type 1 certification (issued by Prescient Assurance LLC on 13 May 2026). The report is available to Controllers upon request and under confidentiality.

APPENDIX C — Standard Contractual Clauses

  • Clause 7 (Docking clause): Included.
  • Clause 9 (Use of sub-processors): Option 2 (General written authorization) with 30-day prior notice.
  • Clause 11 (Redress): Optional clause not included.
  • Clause 13 (Supervision): Supervisory authority of the EU Member State in which the Controller is established, or, where not established in the EU, the Swedish Authority for Privacy Protection (IMY).
  • Clause 17 (Governing law): Option 1, laws of the EU Member State in which the Controller is established, or Sweden.
  • Clause 18 (Choice of forum): Courts of the EU Member State in which the Controller is established, or Sweden.

For UK transfers, the UK International Data Transfer Addendum (Version B1.0) is incorporated by reference. For Swiss transfers, the SCCs apply with the modifications required under the nFADP, and FDPIC is the competent authority.

APPENDIX D — Customer Security Responsibilities (CUEC)

D.1 Purpose and Scope

The Processor has designed and implemented a system of internal controls in connection with the Service that are assessed under the AICPA Trust Services Criteria for Security (SOC 2). The Processor's security controls are designed to operate in conjunction with controls implemented by the Controller. This Appendix sets out the security responsibilities that the Controller must implement and maintain in order for the combined control environment to operate effectively and for the Service's security commitments to be fully achieved.

Failure by the Controller to implement and maintain these controls may impair the effectiveness of the Processor's security measures and may affect the Controller's ability to rely on any security assurances or certifications provided by the Processor, including the Processor's SOC 2 report.

D.2 Customer Security Obligations

The Controller agrees to implement, maintain, and enforce the following controls throughout the term of this DPA.

D.2.1 Notification of material changes

The Controller shall promptly notify the Processor in writing of any material changes to its use of the Service that may affect the security, availability, or integrity of the Service or the data processed through it. Such changes include, but are not limited to:

  • integration of the Service with third-party systems or applications not previously disclosed to the Processor;
  • changes in the volume, sensitivity, or classification of data processed through the Service;
  • changes in the Controller's regulatory or compliance obligations that may affect data handling requirements;
  • changes in the Controller's organisational structure that alter the scope or nature of Service usage.

Notification shall be provided no later than ten (10) business days prior to the implementation of such change, or as soon as reasonably practicable where advance notice is not possible.

D.2.2 User access management

The Controller is solely responsible for managing access to the Service on its behalf. Specifically, the Controller shall:

  • maintain an accurate and current list of all individuals authorised to access the Service on the Controller's behalf (“Authorised Users”);
  • promptly revoke access for any individual who is no longer authorised, including upon termination of employment, change of role, or any other relevant change in status, and in any case within twenty-four (24) hours of such change;
  • implement and enforce a formal process for granting, reviewing, and revoking Authorised User access;
  • conduct periodic reviews of Authorised User access, no less frequently than quarterly, to confirm that all access rights remain appropriate and necessary;
  • ensure that access to the Service is granted on a principle of least privilege, limiting access to the minimum required for each Authorised User's role and function;
  • ensure that each Authorised User has a unique account and that credentials are not shared between individuals.

D.2.3 Physical and environmental security of local devices

The Controller is responsible for the physical security of all devices used to access the Service, including laptops, desktop computers, mobile devices, and any other endpoints. The Controller shall:

  • implement reasonable physical access controls to prevent unauthorised individuals from accessing devices used to connect to the Service;
  • ensure that all devices used to access the Service are protected by screen lock controls with automatic locking after a period of inactivity;
  • establish and enforce a policy requiring that devices not be left unattended in unsecured environments when logged into or with active sessions to the Service;
  • ensure that all devices used to access the Service run a supported operating system with current security patches and updates applied;
  • implement endpoint security controls appropriate to the sensitivity of the data processed, including, where applicable, device encryption, endpoint protection software, and mobile device management (MDM) controls.

D.2.4 Credential and authentication management

The Controller shall implement and enforce appropriate controls over passwords, API keys, tokens, and any other authentication credentials used to access the Service. These controls shall include:

  • a password policy requiring passwords of a minimum length and complexity appropriate to the sensitivity of the Service, and prohibiting the reuse of recent passwords;
  • prohibition on sharing, writing down, or otherwise disclosing credentials to unauthorised parties;
  • enabling and requiring multi-factor authentication (MFA) for all Authorised User accounts where supported by the Service;
  • immediate reporting to the Processor of any actual or suspected compromise of access credentials, including unauthorised access to or use of an Authorised User account;
  • secure storage of any API keys or tokens, including restricting their embedding in publicly accessible code repositories or shared documents;
  • prompt rotation of credentials upon suspected or confirmed compromise, or upon the departure of any Authorised User with knowledge of credentials.

D.3 Incident Reporting

The Controller shall promptly notify the Processor of any actual or reasonably suspected security incidents that may affect the Service or any data processed through the Service. Notification shall be made to security@strawberrybrowser.com within forty-eight (48) hours of discovery of the incident. The Controller shall cooperate with the Processor in the investigation and remediation of any such incident.

D.4 Compliance with Applicable Law

The Controller is solely responsible for ensuring that its use of the Service, including the types of data it inputs into the Service and its data handling practices, complies with all applicable laws and regulations, including but not limited to the General Data Protection Regulation (EU 2016/679) (“GDPR”), applicable national data protection laws, and any sector-specific regulations applicable to the Controller's industry.

The Controller acknowledges that the Processor's SOC 2 certification is based on the AICPA Trust Services Criteria and does not constitute certification of GDPR compliance or compliance with any other specific regulatory framework.

D.5 Acknowledgements

(a) The Processor's SOC 2 report is confidential and subject to the restricted use provisions stated therein. It may not be disclosed to any third party without the Processor's prior written consent, except to the Controller's professional advisors under obligations of confidentiality.

(b) The Processor's security assurances are contingent upon the Controller fulfilling the obligations set out in this Appendix. The Processor shall not be liable for any security incident, data breach, or other harm arising from the Controller's failure to implement or maintain the controls set out herein.

(c) A SOC 2 Type 1 report assesses the design of controls at a point in time only and does not provide assurance regarding the operating effectiveness of controls over any period. The Controller should not rely solely on the Processor's SOC 2 Type 1 report as evidence of ongoing security compliance.

APPENDIX E — Sub-Processors

The current list of Sub-Processors engaged by the Processor, including their identities, locations, and processing purposes, is set out in the Subprocessor List. The Subprocessor List is incorporated into this DPA by reference and forms part of this Appendix E. The Processor updates the Subprocessor List in accordance with Section 4 of this DPA.