v1.5 Effective June 24, 2025

Data Processing Agreement

GDPR compliance and data protection for EU-based customers.

1. Scope and Application

This Data Processing Agreement ("DPA") applies to the processing of Personal Data on behalf of Controller in connection with the services provided under our Terms of Service. This DPA forms part of the main service agreement.

2. Definitions

  • Controller: The customer who determines the purposes and means of processing Personal Data
  • Processor: FEND AI, Inc., which processes Personal Data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Data Subject: An identified or identifiable natural person
  • GDPR: General Data Protection Regulation (EU) 2016/679

3. Data Processing Details

Subject Matter

Processing of Personal Data necessary for the provision of pilot program facilitation services through the Fend.ai platform.

Duration

For the term of the service agreement and as long as necessary for the provision of services or as required by law.

Nature and Purpose

  • User account management and authentication
  • Pilot program facilitation and communication
  • Payment processing and financial transactions
  • Platform analytics and service improvement

Types of Personal Data

  • Contact information (name, email, phone)
  • Professional information (job title, company)
  • Account credentials and authentication data
  • Communication data and correspondence
  • Payment and billing information
  • Usage data and platform analytics

Categories of Data Subjects

  • Platform users (enterprise and startup representatives)
  • Pilot program participants
  • Customer support contacts

4. Processor Obligations

FEND AI, Inc. will:

  • Process Personal Data only on documented instructions from Controller
  • Ensure authorized personnel have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with Controller consent
  • Assist Controller in responding to Data Subject requests
  • Assist Controller with data protection impact assessments
  • Delete or return Personal Data at the end of services
  • Make available information necessary to demonstrate compliance

5. Security Measures

Technical and organizational measures implemented:

Technical Measures

  • Encryption of data in transit and at rest
  • Regular security updates and patch management
  • Access controls and authentication systems
  • Network security and firewall protection
  • Regular security monitoring and logging

Organizational Measures

  • Staff training on data protection principles
  • Regular security policy reviews and updates
  • Incident response and breach notification procedures
  • Vendor management and due diligence processes

6. Sub-processors

Current sub-processors include:

  • Stripe, Inc.: Payment processing services
  • Amazon Web Services: Cloud hosting infrastructure
  • Cloudflare, Inc.: Content delivery and security
  • Google LLC: Analytics and communication services

Controller will be notified of any changes to sub-processors with 30 days' notice.

7. Data Subject Rights

We assist Controllers in fulfilling Data Subject rights:

  • Access: Provide copies of Personal Data held
  • Rectification: Correct inaccurate Personal Data
  • Erasure: Delete Personal Data when required
  • Restriction: Limit processing in certain circumstances
  • Portability: Provide data in machine-readable format
  • Objection: Stop processing for certain purposes

8. Data Breach Notification

In case of a Personal Data breach:

  • Controller notified within 72 hours of awareness
  • Notification includes nature, categories, and consequences
  • Assistance provided for regulatory notifications
  • Reasonable assistance for affected individual notifications

9. International Transfers

Personal Data may be transferred outside the EEA under:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Other legally recognized transfer mechanisms

10. Data Retention and Deletion

  • Personal Data processed only as long as necessary
  • Deletion upon termination of services unless legally required
  • Secure deletion procedures following industry standards
  • Certificate of deletion provided upon request

11. Audits and Compliance

  • Regular internal audits of data processing activities
  • External security certifications and assessments
  • Controller audit rights with reasonable notice
  • Compliance reporting available upon request

12. Contact Information

For data protection inquiries:

Data Protection Officer
FEND AI, Inc.
131 Continental Dr Suite 305
Newark, DE 19713, USA
Email: [email protected]
EU Representative: Available upon request