Data Processing Agreement

• "Controller" means the entity that determines the purposes and means of processing personal data (the Customer).
• "Processor" means the entity that processes personal data on behalf of the Controller (Ficzd).
• "Personal Data" has the meaning given in applicable data protection law, including the GDPR.
• "Processing" has the meaning given in applicable data protection law.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation) and any successor legislation.
• "Sub-processor" means a third party engaged by Ficzd to process personal data in connection with the Services.

The parties acknowledge that, in connection with the Services, the Customer acts as Controller and Ficzd acts as Processor of personal data. Each party agrees to comply with its respective obligations under applicable data protection law.

In some circumstances, Ficzd may act as an independent Controller (e.g., when processing data about the Customer's employees for account management and billing purposes). Such processing is governed by our Privacy Policy.

Ficzd processes personal data on the Customer's behalf as follows:

Ficzd agrees to:

• Process personal data only on documented instructions from the Customer, unless required by law
• Ensure that personnel authorised to process personal data are bound by confidentiality obligations
• Implement and maintain appropriate technical and organisational security measures (see Section 7)
• Assist the Customer in responding to Data Subject requests and in meeting its obligations regarding security, breach notification, data protection impact assessments, and prior consultation
• Delete or return all personal data upon the Customer's request or upon termination of the Services
• Provide all information necessary to demonstrate compliance with this DPA and permit audits

The Customer agrees to:

• Ensure that it has a lawful basis for processing the personal data it submits to the Services
• Provide clear and accurate instructions to Ficzd regarding the processing of personal data
• Ensure that Data Subjects have been provided with appropriate privacy notices regarding the processing
• Comply with all applicable data protection laws in connection with the use of the Services
• Not instruct Ficzd to process personal data in a way that would violate applicable law

The Customer provides general authorisation to Ficzd to engage sub-processors in connection with the Services. Ficzd will maintain an up-to-date list of sub-processors and will notify the Customer of any intended changes at least 14 days in advance, giving the Customer the opportunity to object.

Current sub-processors include (but are not limited to):

• Supabase (database hosting) — United States
• Amazon Web Services (cloud infrastructure) — EU / US
• Anthropic / OpenAI (AI model providers) — United States
• Stripe (payment processing) — United States
• Postmark / SendGrid (transactional email) — United States

Ficzd imposes data protection obligations on all sub-processors equivalent to those in this DPA via sub-processing agreements. Ficzd remains liable to the Customer for any failure by sub-processors.

Ficzd maintains the following technical and organisational security measures:

• Encryption at rest: AES-256 encryption for all stored data
• Encryption in transit: TLS 1.2+ for all data transmissions
• Access controls: Role-based access, principle of least privilege, multi-factor authentication
• Audit logging: Comprehensive logs of access and actions
• Vulnerability management: Regular penetration testing and security reviews
• Incident response: Documented procedures for detecting, containing, and notifying of security incidents
• Physical security: Data hosted in SOC 2 certified facilities

In the event of a personal data breach affecting Customer data, Ficzd will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification will include:

• Description of the nature of the breach, including where possible categories and approximate number of data subjects and records affected
• Name and contact details of the Data Protection Officer or other relevant contact
• Description of the likely consequences of the breach
• Description of measures taken or proposed to address the breach

The Customer remains responsible for notifying relevant supervisory authorities and Data Subjects as required by applicable law.

Where personal data is transferred outside the European Economic Area (EEA) or United Kingdom (UK) to countries that do not provide an equivalent level of data protection, Ficzd will ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (IDTA) for UK data transfers
• Reliance on adequacy decisions where applicable

Copies of applicable transfer mechanisms are available on request via legal@ficzd.com.

Ficzd will assist the Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by providing appropriate technical and organisational measures. Ficzd will promptly notify the Customer if it receives a Data Subject request relating to Customer data.

Upon expiry or termination of the Services, or at the Customer's written request, Ficzd will, at the Customer's election, delete or return all personal data processed under this DPA. Personal data will be deleted from all systems within 90 days of termination, unless required to be retained by applicable law.

Ficzd will provide written confirmation of deletion upon request.

Ficzd will make available all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, with reasonable notice (minimum 30 days) and at the Customer's cost.

As an alternative to an individual audit, Ficzd may provide the Customer with its most recent third-party audit reports (e.g., SOC 2 Type II) as evidence of compliance.

This DPA takes effect on the date the Customer first uses the Services and remains in force until all personal data processed under it has been deleted or returned in accordance with Section 11. This DPA forms part of, and is subject to, the Ficzd Terms of Service.

For data protection enquiries, contact:

Enterprise customers requiring a countersigned DPA should contact legal@ficzd.com. We will provide a countersigned agreement within 5 business days.