Data Processing Agreement
Last updated: February 25, 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer," "you," or "Data Controller") and Fedna Research LLP ("Fedna AI," "we," "us," or "Data Processor") for the provision of our Services as described in our Terms of Service.
This DPA applies when and to the extent that Fedna AI processes Personal Data on behalf of the Customer in the course of providing the Services, and such processing is subject to Data Protection Laws of the European Economic Area (EEA), the United Kingdom (UK), Switzerland, or other applicable jurisdictions.
This DPA is designed to comply with the requirements of Article 28 of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Definitions
Terms used in this DPA have the meanings given to them in the GDPR and other applicable Data Protection Laws. In particular:
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, Swiss Federal Act on Data Protection, California Consumer Privacy Act (CCPA), and any successor or replacement legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Fedna AI on behalf of the Customer in connection with the Services.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, use, disclosure, erasure, or destruction.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Fedna AI to process Personal Data on behalf of the Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (GDPR).
3. Roles and Responsibilities
3.1 Data Controller
The Customer acts as the Data Controller of Customer Data. The Customer:
- Determines the purposes and means of processing Personal Data
- Is responsible for ensuring that it has a lawful basis for processing Personal Data
- Must comply with all applicable Data Protection Laws
- Is responsible for obtaining necessary consents from Data Subjects
- Must provide required privacy notices to Data Subjects
3.2 Data Processor
Fedna AI acts as the Data Processor and:
- Processes Personal Data only on documented instructions from the Customer
- Implements appropriate technical and organizational security measures
- Assists the Customer in meeting its obligations under Data Protection Laws
- Returns or deletes Personal Data upon termination of Services (unless required by law to retain)
- Makes available to the Customer all information necessary to demonstrate compliance with this DPA
4. Details of Processing
4.1 Nature and Purpose of Processing
Fedna AI processes Personal Data to provide the Services, which include:
- Multi-channel customer communication management (WhatsApp, phone, web, email, social media)
- AI-powered conversation analysis and response generation
- Customer relationship management (CRM)
- Call recording, transcription, and analysis
- Task and workflow management
- Analytics and reporting
4.2 Duration of Processing
Processing will continue for the duration of the Services agreement and for 30 days thereafter (retention period), unless Data Protection Laws require longer retention or the Customer requests earlier deletion.
4.3 Types of Personal Data
Personal Data processed may include:
- Contact information (names, email addresses, phone numbers, physical addresses)
- Account credentials (usernames, encrypted passwords)
- Communication content (messages, call recordings, transcripts, emails)
- Device and technical information (IP addresses, browser type, operating system)
- Usage data (login times, features used, actions taken)
- Business information (company name, job title, business address)
- Transaction data (payment information, billing history)
- Any other Personal Data uploaded or created by the Customer through the Services
4.4 Categories of Data Subjects
Data Subjects may include:
- Customer's employees and team members
- Customer's customers and end users
- Prospects and leads
- Website visitors
- Support ticket submitters
5. Data Processing Instructions
5.1 Scope of Instructions
Fedna AI will process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The initial instructions are that Fedna AI shall process Personal Data:
- As necessary to provide the Services in accordance with the Terms of Service
- As specified in Customer's configuration and use of the Services
- As further documented in written instructions provided by the Customer
5.2 Unlawful Instructions
If Fedna AI believes that any instruction from the Customer violates Data Protection Laws, Fedna AI will promptly inform the Customer and may refuse to comply with such instruction until the Customer confirms or modifies it.
5.3 Additional Instructions
The Customer may issue additional written instructions regarding Personal Data processing that are consistent with the Terms of Service. Fedna AI will assess whether additional instructions require changes to the Services or additional fees.
6. Security Measures
6.1 Technical and Organizational Measures
Fedna AI implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include:
Access Controls:
- Multi-factor authentication for employee access
- Role-based access controls (RBAC)
- Row-level security (RLS) for multi-tenant data isolation
- Principle of least privilege access
- Regular access reviews and revocations
Encryption:
- Data encrypted in transit using TLS 1.2+ (HTTPS)
- Data encrypted at rest using AES-256 encryption
- Encrypted backups stored in secure, geographically distributed locations
- Encrypted storage of sensitive credentials using Fernet encryption
Network Security:
- Firewalls and intrusion detection systems
- Network segmentation and isolation
- DDoS protection and rate limiting
- Regular security scanning and vulnerability assessments
Application Security:
- Secure software development lifecycle (SDLC)
- Code reviews and security testing
- CSRF protection and input validation
- Regular security patches and updates
Organizational Measures:
- Background checks for employees with access to Personal Data
- Confidentiality agreements and security training
- Data breach response plan and incident management procedures
- Regular security audits and compliance reviews
- Documented security policies and procedures
6.2 Security Updates
Fedna AI will regularly review and update its security measures to maintain an appropriate level of security, taking into account the state of the art, implementation costs, and the nature and risks of processing.
7. Sub-processors
7.1 Authorized Sub-processors
The Customer provides general authorization for Fedna AI to engage Sub-processors to process Personal Data on Customer's behalf. Current Sub-processors include:
- Supabase (USA): Database hosting and authentication
- Railway (USA): Application hosting and infrastructure
- OpenRouter / Various AI Providers (USA): AI model processing (OpenAI, Anthropic, Google, Meta)
- Deepgram (USA): Speech-to-text processing
- ElevenLabs / Other TTS Providers: Text-to-speech synthesis
- Twilio (USA): Telephony and SMS services
- Meta / WhatsApp (USA): WhatsApp Business API
- Stripe (USA): Payment processing
An up-to-date list of Sub-processors is available upon request at legal@fednaresearch.com.
7.2 Sub-processor Requirements
Fedna AI ensures that all Sub-processors:
- Are bound by written agreements that impose data protection obligations equivalent to those in this DPA
- Implement appropriate technical and organizational security measures
- Process Personal Data only for the purposes specified by Fedna AI
- Comply with applicable Data Protection Laws
7.3 New Sub-processors
Fedna AI will notify the Customer (via email or account notification) at least 30 days before engaging any new Sub-processor. If the Customer objects to the new Sub-processor on reasonable data protection grounds, the Customer may:
- Notify Fedna AI in writing within 14 days of receiving notice
- Request that Fedna AI use an alternative Sub-processor (if technically feasible)
- Terminate the Services upon 30 days' written notice if no alternative is available
7.4 Liability for Sub-processors
Fedna AI remains fully liable to the Customer for the performance of its Sub-processors' obligations as if Fedna AI were performing them directly.
8. Data Subject Rights
8.1 Assistance with Data Subject Requests
Fedna AI will, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection).
Fedna AI will assist the Customer in responding to such requests by:
- Providing the necessary technical and organizational measures to enable the Customer to respond
- Making available relevant Personal Data within the Services
- Implementing changes to Personal Data as instructed by the Customer
8.2 Direct Data Subject Requests
If Fedna AI receives a direct request from a Data Subject, Fedna AI will advise the Data Subject to submit their request to the Customer and will provide reasonable assistance to the Customer in responding to such request.
8.3 Fees for Excessive Requests
If complying with Data Subject requests requires disproportionate effort or resources beyond Fedna AI's normal operations, Fedna AI may charge reasonable fees for such assistance.
9. Data Breach Notification
9.1 Notification Obligation
Fedna AI will notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach affecting Customer's Personal Data.
9.2 Breach Notification Content
The breach notification will include, to the extent known:
- Description of the nature of the breach, including categories and approximate numbers of Data Subjects and Personal Data records affected
- Name and contact details of Fedna AI's data protection officer or other contact point
- Description of the likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate its potential adverse effects
9.3 Incident Response
Upon becoming aware of a Personal Data Breach, Fedna AI will:
- Investigate the breach and take reasonable steps to remediate
- Provide regular updates to the Customer as more information becomes available
- Cooperate with the Customer's investigation and remediation efforts
- Take measures to prevent future similar breaches
9.4 Customer Responsibilities
The Customer is responsible for:
- Determining whether to notify affected Data Subjects and supervisory authorities
- Complying with breach notification obligations under applicable Data Protection Laws
- Providing required breach notifications to relevant parties
10. Data Protection Impact Assessments and Audits
10.1 DPIA Assistance
Fedna AI will reasonably assist the Customer in conducting Data Protection Impact Assessments (DPIAs) required under Data Protection Laws by providing relevant information about the Services and processing activities.
10.2 Prior Consultation
If required by Data Protection Laws, Fedna AI will assist the Customer with prior consultation with supervisory authorities regarding high-risk processing.
10.3 Audit Rights
Fedna AI will make available to the Customer information necessary to demonstrate compliance with this DPA, including:
- Security policies and procedures documentation
- Audit reports and certifications (e.g., SOC 2, ISO 27001, if available)
- Sub-processor lists and agreements
10.4 On-Site Audits
The Customer may conduct on-site audits of Fedna AI's processing operations, provided that:
- The Customer provides at least 60 days' prior written notice
- Audits are conducted no more than once per year unless required by a supervisory authority
- Audits are conducted during business hours and do not unreasonably interfere with operations
- The Customer pays Fedna AI's reasonable costs for facilitating the audit
- The Customer and auditors sign appropriate confidentiality agreements
11. International Data Transfers
11.1 Transfer Mechanisms
Personal Data may be transferred to and processed in countries outside the EEA, UK, or Switzerland, including the United States and India. Fedna AI ensures that such transfers are protected by appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions issued by the European Commission
- Other legally recognized transfer mechanisms under applicable Data Protection Laws
11.2 Standard Contractual Clauses
Upon request, Fedna AI will enter into the Standard Contractual Clauses with the Customer to legitimize transfers of Personal Data to countries outside the EEA, UK, or Switzerland that do not have an adequacy decision.
11.3 Additional Safeguards
In addition to Standard Contractual Clauses, Fedna AI implements supplementary measures including:
- Encryption of data in transit and at rest
- Pseudonymization where technically feasible
- Strict access controls and monitoring
- Regular security assessments
11.4 Government Access Requests
Fedna AI will:
- Notify the Customer of any legally binding request from government authorities for access to Personal Data, unless prohibited by law
- Challenge unlawful or overbroad requests where legally permitted
- Provide the minimum amount of information required by law
12. Data Retention and Deletion
12.1 Retention Period
Fedna AI will retain Personal Data for the duration of the Services and for 30 days thereafter to allow for data export and account reactivation.
12.2 Data Deletion Upon Termination
Upon termination of the Services or upon Customer request, Fedna AI will:
- Delete or return all Personal Data to the Customer within 30 days
- Delete existing copies of Personal Data (except as required by law)
- Certify deletion upon Customer request
12.3 Legal Retention Requirements
Fedna AI may retain Personal Data to the extent required by applicable law (e.g., tax, accounting, or legal requirements) or to establish, exercise, or defend legal claims. Such retained data will be securely stored and isolated from active systems.
12.4 Backup Retention
Personal Data stored in backup systems will be securely deleted in accordance with Fedna AI's backup retention schedule (maximum 90 days).
13. Liability and Indemnification
13.1 Allocation of Liability
Each party shall be liable for damages caused by its breach of Data Protection Laws or this DPA in accordance with the limitation of liability provisions in the Terms of Service.
13.2 Indemnification
Fedna AI will indemnify and hold harmless the Customer from and against any damages, losses, costs, or expenses (including reasonable attorney fees) arising from Fedna AI's breach of this DPA, to the extent such breach is attributable to Fedna AI's acts or omissions.
14. Term and Termination
14.1 Term
This DPA takes effect on the date of the Terms of Service and remains in effect until the termination of all Services involving the processing of Personal Data.
14.2 Survival
Sections relating to data deletion, confidentiality, liability, and indemnification will survive termination of this DPA.
15. General Provisions
15.1 Order of Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict.
15.2 Amendments
Fedna AI may update this DPA to reflect changes in Data Protection Laws or processing practices. Material changes will be notified to the Customer with at least 30 days' notice.
15.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be replaced with a valid provision that most closely reflects the intent of the original provision.
15.4 Governing Law and Jurisdiction
This DPA shall be governed by the laws specified in the Terms of Service, except where Data Protection Laws require otherwise.
16. Contact Information
For questions about this DPA or to exercise your rights, please contact:
Fedna Research LLP
Data Protection Officer
Email: legal@fednaresearch.com
For Standard Contractual Clauses: legal@fednaresearch.com