Data Processing Agreement

Last updated: January 26, 2026

This Data Processing Agreement (“DPA”) forms part of the Fyncall Master Subscription Agreement (the “Agreement”) between the applicable Fyncall customer which is a party to such Agreement (“Customer”), and Builderson Group Limited which is also a party to such Agreement (“Fyncall”). Customer and Fyncall are each referred to as a “Party” and collectively as the “Parties”.

Except as modified below, the terms of the Agreement shall remain in full force and effect. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this DPA and the Agreement, this DPA will control. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

The DPA has been automatically pre-signed and executed by the Parties upon the Customer’s electronic signature of the Agreement.

Alternatively, to the extent that the Customer has already executed the Agreement, the DPA will become legally binding on the Parties upon the Customer’s completion of the information in the signature box and receipt of the unmodified, completed and countersigned DPA by Fyncall through any e-signature tool.

For the avoidance of doubt, signature of this DPA shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their annexes.


1. DEFINITIONS

The terms used in this DPA shall have the meanings set forth in this DPA or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:

1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Fyncall or Customer, respectively.

1.2. “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Fyncall is subject, including, but not limited to:

  • (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) including the applicable implementing legislation of each Member State (“EU GDPR”);
  • (b) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”);
  • (c) the Swiss Federal Act on Data Protection of 19 June 1992;
  • (d) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);
  • (e) the Singapore Personal Data Protection Act 2012 (“PDPA Singapore”);
  • (f) the Malaysia Personal Data Protection Act 2010 (“PDPA Malaysia”);
  • (g) the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486);
  • (h) any other applicable law with respect to any Personal Data in respect of which Fyncall is subject; and
  • (i) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.

1.3. “Commerce Channel” means the messaging platforms through which the Services enable conversational commerce, including WhatsApp Business API, Instagram Direct Messages, and such other messaging channels as may be supported by Fyncall from time to time, and which are operated by third-party Commerce Channel Providers.

1.4. “Commerce Channel Provider” means the third-party operators of Commerce Channels, including Meta Platforms, Inc. (operator of WhatsApp Business API and Instagram), and such other third parties that operate messaging platforms integrated with the Services.

1.5. “Conversation Data” means the content of conversations, messages, and communications between Customer (through its Authorized Users or AI functionality) and End Customers conducted through the Commerce Channels via the Services, including message text, timestamps, metadata, and any media or files exchanged.

1.6. “Data Subject” shall mean an identified or identifiable natural person, including End Customers and Authorized Users.

1.7. “E-commerce Platform” means the third-party e-commerce platform(s) with which Customer’s online store is built and operated, including Shopify and such other platforms as may be supported by Fyncall from time to time.

1.8. “End Customer” means Customer’s customers, consumers, or prospective customers who interact with Customer’s business through the Commerce Channels enabled by the Services.

1.9. “Fyncall Entity” shall mean Builderson Group Limited and/or any Fyncall Affiliate.

1.10. “Personal Data” shall mean:

  • (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law; or
  • (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject;

in each case, to the extent Processed by Fyncall, on behalf of Customer, in connection with Fyncall’s performance of the Services. For clarity, Personal Data includes:

  • End Customer contact information (names, phone numbers, email addresses, messaging app identifiers);
  • Conversation Data;
  • Order and transaction information;
  • Product browsing and purchasing history;
  • Customer preferences and profile information; and
  • Any other information about End Customers that is processed through the Services.

1.11. “Privacy Authority” shall mean any competent supervisory authority, attorney general, commissioner, or other regulator with responsibility for privacy or data protection matters in the applicable jurisdiction, including but not limited to:

  • The Personal Data Protection Commission (Singapore);
  • The Department of Personal Data Protection (Malaysia);
  • The Privacy Commissioner for Personal Data (Hong Kong);
  • Data protection authorities in the European Economic Area;
  • The UK Information Commissioner’s Office;
  • The Swiss Data Protection and Information Commissioner; and
  • Any other relevant privacy or data protection authority.

1.12. “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, analyzing, profiling, automated decision-making, blocking, erasing and destroying Personal Data.

1.13. “Security Breach” shall mean an actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data when transmitted, stored or otherwise processed by Fyncall or its Subprocessors.

1.14. “Services” shall mean the conversational commerce services as described in the Agreement or any related Order Form or statement of work, including the provision of AI-powered conversational capabilities, omnichannel inbox functionality, and integration with E-commerce Platforms and Commerce Channels.

1.15. “Standard Contractual Clauses” means:

  • (a) with respect to transfers of Personal Data which are subject to the EU GDPR from the European Economic Area (EEA) to countries outside the EEA that do not provide adequate protection of Personal Data, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time as set out in Exhibit D of this DPA (“EU SCCs”);
  • (b) with respect to restricted transfers (as such term is defined under UK GDPR) subject to the UK GDPR, the UK international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the Information Commissioner on March 21, 2022, as set out in Exhibit E of this DPA (“UK SCCs”); and
  • (c) with respect to transfers of Personal Data which are subject to the Swiss Federal Act on Data Protection of 19 June 1992, the EU SCCs as approved by the Swiss Data Protection and Information Commissioner, including the necessary adaptations to ensure compliance with Swiss data protection law, as set out in Exhibit F of this DPA (“Swiss SCCs”).

1.16. “Subprocessor” shall mean any subcontractor (including any third party and/or Fyncall Affiliate) engaged by Fyncall to Process Personal Data on behalf of Customer, including but not limited to cloud infrastructure providers, AI and machine learning service providers, analytics providers, and customer support service providers.

1.17. “Supervisory Authority” shall mean:

  • (a) in the context of the UK GDPR, the UK Information Commissioner’s Office;
  • (b) in the context of the EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR;
  • (c) in the context of the Swiss Federal Act on Data Protection of 19 June 1992, the Swiss Data Protection and Information Commissioner;
  • (d) in the context of the PDPA Singapore, the Personal Data Protection Commission;
  • (e) in the context of the PDPA Malaysia, the Department of Personal Data Protection; and
  • (f) in the context of the Hong Kong Personal Data (Privacy) Ordinance, the Privacy Commissioner for Personal Data.

2. PROCESSING REQUIREMENTS

2.1 Lawful Processing

Fyncall shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Customer’s documented instructions, and as may subsequently be agreed between the Parties in writing. The Parties acknowledge and agree that:

(a) Customer is the data controller (or equivalent role under Applicable Privacy Law) with respect to Personal Data of End Customers;

(b) Fyncall is the data processor (or equivalent role under Applicable Privacy Law) acting on behalf of Customer with respect to Personal Data of End Customers;

(c) The subject matter, nature, purpose, and duration of the Processing, the types of Personal Data, and categories of Data Subjects are set forth in Exhibit A (Details of Processing);

(d) Customer’s instructions for the Processing of Personal Data include:

  • (i) Processing necessary to provide the Services as described in the Agreement;
  • (ii) Processing necessary to facilitate conversational commerce between Customer and End Customers through Commerce Channels;
  • (iii) Processing necessary to enable AI functionality to generate responses and handle customer interactions;
  • (iv) Processing necessary to integrate with Customer’s E-commerce Platform to retrieve and update order, product, and inventory information;
  • (v) Processing necessary to maintain conversation history and customer context;
  • (vi) Processing as directed by Customer through Customer’s configuration and use of the Services; and
  • (vii) Any other Processing specifically instructed by Customer in writing.

Fyncall shall promptly inform Customer if (i) in Fyncall’s opinion, an instruction from Customer violates Applicable Privacy Law; or (ii) Fyncall is required by applicable law to otherwise Process Personal Data, unless Fyncall is prohibited by that law from notifying Customer.

2.2 Facilitating Data Subject Rights

Fyncall shall implement and maintain reasonable and appropriate technical and organizational measures that will ensure that Customer’s reasonable and lawful instructions can be complied with, including the following:

(a) Updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Customer from time to time, to the extent technically feasible and subject to the limitations of the Services;

(b) Canceling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Customer, subject to the requirements of Section 9 and the limitations imposed by Commerce Channel Providers;

(c) Providing Customer with the functionality and information reasonably necessary to facilitate Customer’s responses to Data Subject requests as required under Applicable Privacy Law, including requests for access, rectification, erasure, data portability, restriction of processing, and objection to processing;

(d) Fyncall shall promptly redirect any request received directly from a Data Subject to exercise any of its Data Subject rights to Customer, and shall not respond directly to the Data Subject unless instructed to do so by Customer in writing; and

(e) Fyncall acknowledges that certain Personal Data, particularly Conversation Data stored or transmitted through Commerce Channels, may be subject to the data retention and control policies of Commerce Channel Providers, which may limit Fyncall’s and Customer’s ability to delete or modify such data. Fyncall shall use commercially reasonable efforts to assist Customer in fulfilling Data Subject requests to the extent technically and legally feasible.

2.3 Restrictions on Processing

Fyncall acknowledges that:

(a) Customer discloses Personal Data to Fyncall solely for the business purpose of providing the Services to Customer;

(b) Fyncall has not and will not receive any monetary or other valuable consideration in exchange for its receipt of the Personal Data, and any consideration paid by Customer to Fyncall under the Agreement relates only to Fyncall’s provision of the Services;

(c) Fyncall shall not collect, retain, use, disclose, or otherwise Process the Personal Data:

  • (i) for any purpose other than for the specific purpose of providing the Services to Customer;
  • (ii) outside of the direct business relationship between Fyncall and Customer; or
  • (iii) in any manner that would constitute a “sale” or “sharing” as defined under CCPA or similar concepts under other Applicable Privacy Laws;

(d) Fyncall shall not “sell,” as defined under Applicable Privacy Law (including, without limitation, CCPA), any Personal Data or otherwise disclose any Personal Data to a third party for cross-context behavioral or targeted advertising purposes; and

(e) Subject to Section 4.2 (AI and Machine Learning Processing) below, Fyncall will not use Personal Data to build or improve products or services other than the Services provided to Customer.

2.4 Cooperation with Customer

Fyncall shall provide to Customer such cooperation, assistance, and information as Customer may reasonably request to enable it to:

(a) Comply with its obligations under Applicable Privacy Law;

(b) Respond to inquiries from Privacy Authorities;

(c) Cooperate with and comply with the directions or decisions of a relevant Privacy Authority;

(d) Conduct data protection impact assessments or privacy impact assessments as required under Applicable Privacy Law; and

(e) Fulfill its obligations to End Customers and other Data Subjects;

in each case (i) solely to the extent applicable to Fyncall’s provision of the Services, and (ii) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority or Applicable Privacy Law. Such assistance may be subject to Fyncall’s then-current professional services rates if the assistance requires substantial time or resources beyond normal operations.


3. SECURITY OF PERSONAL DATA

3.1 Security Measures

Fyncall shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, in accordance with industry standards and Applicable Privacy Law, as set forth in Exhibit B (Technical and Organizational Security Measures).

Such security measures shall take into account:

  • (a) The state of the art;
  • (b) The costs of implementation;
  • (c) The nature, scope, context, and purposes of Processing;
  • (d) The risks of varying likelihood and severity for the rights and freedoms of Data Subjects; and
  • (e) The sensitivity of the Personal Data being Processed, including the highly personal nature of Conversation Data.

3.2 Personnel Security

Fyncall shall:

(a) Ensure the reliability of any employees, contractors, or other personnel who Process Personal Data;

(b) Ensure that any employees, contractors, or other personnel entrusted with the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) Provide appropriate training to personnel regarding data protection requirements and security measures; and

(d) Limit access to Personal Data to those personnel who require such access to perform their duties in providing the Services.

3.3 Encryption and Data Protection

Fyncall shall:

(a) Encrypt Personal Data in transit using industry-standard encryption protocols;

(b) Encrypt Personal Data at rest where technically feasible and appropriate given the nature of the data;

(c) Implement and maintain appropriate access controls to limit access to Personal Data; and

(d) Regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of the Processing.

3.4 Commerce Channel Security

Customer acknowledges that:

(a) Conversation Data transmitted through Commerce Channels is subject to the security measures, policies, and practices of the Commerce Channel Providers;

(b) Fyncall’s security obligations apply to Personal Data within Fyncall’s systems and control but do not extend to Personal Data within the systems and control of Commerce Channel Providers; and

(c) Customer is responsible for reviewing and accepting the security and privacy practices of Commerce Channel Providers before integrating such channels with the Services.


4. SPECIAL PROVISIONS FOR AI AND MACHINE LEARNING

4.1 AI Processing of Personal Data

Customer acknowledges and agrees that:

(a) The Services utilize artificial intelligence, machine learning, and natural language processing technologies that Process Personal Data to provide conversational commerce functionality;

(b) Such AI Processing includes:

  • (i) Analyzing Conversation Data to understand End Customer intent and generate appropriate responses;
  • (ii) Processing End Customer information to personalize conversations;
  • (iii) Analyzing patterns in End Customer behavior and preferences to improve conversation quality;
  • (iv) Processing order and transaction information to provide relevant product recommendations and support; and
  • (v) Other AI-powered features as described in the Documentation;

(c) AI Processing of Personal Data is conducted solely for the purpose of providing the Services to Customer and in accordance with Customer’s instructions; and

(d) Customer has obtained or will obtain all necessary consents and has provided or will provide all necessary privacy notices to End Customers to enable Fyncall to Process Personal Data using AI functionality as contemplated by the Services.

4.2 AI Model Training and Improvement

Fyncall may use Personal Data to train and improve its AI models and the Services, subject to the following conditions:

(a) Anonymization for Model Training:

  • (i) Fyncall may use Conversation Data, Usage Data, and other Personal Data to train and improve its internal AI models, provided that such data is first anonymized or aggregated in a manner that prevents the identification of any specific Data Subject, Customer, or individual;
  • (ii) Anonymization shall be conducted using industry-standard techniques such that the anonymized data cannot reasonably be re-identified;
  • (iii) Anonymized data used for model training shall not include personally identifiable information such as names, email addresses, phone numbers, or other direct identifiers;

(b) Prohibition on Third-Party Model Training:

  • Fyncall shall not use identifiable Personal Data to train any third-party AI provider’s models;
  • Any third-party AI services utilized by Fyncall shall operate under a zero-data-retention policy with respect to Personal Data, such that Personal Data is not retained by the third-party provider after the AI processing task is completed;

(c) Transparency:

  • Fyncall shall maintain transparency regarding its AI model training practices and shall provide Customer with information about such practices upon reasonable request; and

(d) Compliance with Applicable Privacy Law:

  • All AI model training shall be conducted in compliance with Applicable Privacy Law, including any requirements for lawful basis, purpose limitation, data minimization, and transparency.

4.3 Automated Decision-Making

Customer acknowledges that the Services may utilize AI to make automated recommendations or generate automated responses to End Customers. Customer agrees that:

(a) Customer is responsible for determining whether such automated decision-making is appropriate for Customer’s use case and complies with Applicable Privacy Law;

(b) Customer shall configure the Services to ensure human oversight and review of AI-generated decisions where required by Applicable Privacy Law or Customer’s own policies;

(c) Customer shall provide appropriate notices to End Customers regarding automated decision-making where required by Applicable Privacy Law; and

(d) Fyncall provides functionality within the Services to enable human review and override of AI-generated content.


5. CUSTOMER OBLIGATIONS

5.1 Customer’s Security Responsibilities

Customer agrees that, without limitation of Fyncall’s obligations under Section 3 (Security of Personal Data) or the Parties’ obligations under the Agreement, Customer is solely responsible for:

(a) Making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data;

(b) Securing the account authentication credentials, systems and devices Customer and Authorized Users use to access the Services;

(c) Securing Customer’s systems and devices that Fyncall uses to provide the Services or from which Customer Data is transmitted;

(d) Backing up Personal Data and Customer Data;

(e) Implementing appropriate security controls for Authorized Users’ access to the Services;

(f) Monitoring and controlling Authorized Users’ activities within the Services; and

(g) Reviewing and approving AI-generated content before it is sent to End Customers, where such review is necessary to ensure compliance with Applicable Privacy Law or Customer’s obligations to End Customers.

5.2 Customer’s Compliance Obligations

Customer represents, warrants, and agrees that:

(a) Customer has implemented and will maintain a lawful basis for Processing Personal Data under Applicable Privacy Law, including obtaining necessary consents from End Customers;

(b) Customer has provided and will maintain appropriate privacy notices to End Customers that accurately describe:

  • (i) What Personal Data is collected;
  • (ii) How Personal Data is used, including use by Fyncall as Customer’s service provider;
  • (iii) That conversations may be facilitated by AI technology;
  • (iv) How End Customers can exercise their data subject rights; and
  • (v) Any other information required by Applicable Privacy Law;

(c) Customer will comply with all marketing and communications laws applicable to messages sent through the Services, including obtaining appropriate consents before sending marketing communications to End Customers;

(d) Customer will process Data Subject requests (such as access, deletion, and portability requests) in accordance with Applicable Privacy Law and will work with Fyncall to fulfill such requests;

(e) Customer has the authority to instruct Fyncall to Process Personal Data as contemplated by the Services and this DPA; and

(f) Customer’s provision of Personal Data to Fyncall and Customer’s instructions to Fyncall regarding Processing do not and will not violate any applicable law, regulation, or third-party right.

5.3 Customer’s Security Assessment

Customer agrees that it has reviewed the Services and Fyncall’s commitments under this DPA, including the security measures described in Exhibit B, and that such measures are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Privacy Law, and provide a level of security appropriate to the risk in respect of the Personal Data being Processed through the Services.


6. SUBPROCESSORS

6.1 Authorization to Use Subprocessors

Customer generally authorizes Fyncall to engage Subprocessors in connection with the Processing of Personal Data for the performance of the Agreement. Fyncall will maintain a current list of its Subprocessors at the following URL: https://www.fyncall.com/legal/subprocessors, and will update such list to include the names of new and replacement Subprocessors as applicable from time to time.

Subprocessors may include:

  • Cloud infrastructure and hosting providers;
  • AI and machine learning service providers;
  • E-commerce Platform providers (to the extent they Process Personal Data on behalf of Fyncall);
  • Customer support and communication tools providers;
  • Analytics and monitoring service providers;
  • Security and fraud prevention service providers; and
  • Other service providers necessary for Fyncall to provide the Services.

6.2 Notice and Objection

Fyncall will provide Customer with notice of its intention to engage any new or replacement Subprocessor at least fifteen (15) days in advance of the date of the intended commencement of the engagement by:

Customer may object to such intended engagement by giving written notice to legal@fyncall.com at the latest ten (10) days in advance of the date of the intended commencement of the engagement, provided that such objection is based on reasonable grounds relating to the protection of Personal Data and compliance with Applicable Privacy Law.

If Customer objects to Fyncall’s appointment of a Subprocessor on such reasonable grounds, then Fyncall will use reasonable commercial efforts to:

  • (a) Make available to Customer a change in the Services; or
  • (b) Recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid using the objected-to Subprocessor.

If Fyncall is unable to make available such change within a reasonable period of time (not to exceed 30 days), Customer may terminate the Agreement with respect only to those Services which cannot be provided without the use of the objected-to Subprocessor by providing written notice to Fyncall. Fyncall will refund Customer any prepaid base Subscription Fees (excluding overage charges) covering the remainder of the monthly term following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

6.3 Subprocessor Obligations

Fyncall shall:

(a) Ensure that any contract with a Subprocessor imposes data protection obligations on the Subprocessor that are substantially similar to those imposed on Fyncall under this DPA, including with respect to:

  • (i) Processing only in accordance with documented instructions;
  • (ii) Maintaining confidentiality;
  • (iii) Implementing appropriate security measures;
  • (iv) Engaging sub-subprocessors only with prior authorization;
  • (v) Assisting with Data Subject requests;
  • (vi) Assisting with security incidents;
  • (vii) Deleting or returning Personal Data; and
  • (viii) Making information available for audits;

(b) Where the Subprocessor is located in a jurisdiction that does not provide adequate protection for Personal Data under Applicable Privacy Law, ensure that appropriate transfer mechanisms (such as Standard Contractual Clauses) are in place;

(c) Ensure that Subprocessors are bound by written agreements that protect Personal Data to a standard not less protective than this DPA; and

(d) Remain fully liable for the performance of any obligations Subprocessors perform on Fyncall’s behalf and for any acts or omissions of the Subprocessor that cause Fyncall to breach any of its obligations under this DPA.

6.4 Commerce Channel Providers

Customer acknowledges and agrees that:

(a) Commerce Channel Providers (such as Meta Platforms, Inc. for WhatsApp Business API and Instagram) are not Subprocessors as defined in this DPA;

(b) Commerce Channel Providers process Personal Data (including Conversation Data) pursuant to their own terms of service and privacy policies as independent controllers or processors;

(c) Fyncall’s obligations under this DPA do not extend to the Processing of Personal Data by Commerce Channel Providers in their capacity as independent service providers;

(d) Customer is responsible for reviewing and accepting the data processing terms of Commerce Channel Providers before integrating such channels with the Services; and

(e) Fyncall is not liable for the data processing practices or any actions or omissions of Commerce Channel Providers.


7. SECURITY BREACH NOTIFICATION

7.1 Notification to Customer

Unless otherwise prohibited by applicable law or law enforcement, Fyncall shall notify Customer without undue delay, and in any event within seventy-two (72) hours after Fyncall becomes aware of a Security Breach affecting Personal Data Processed on behalf of Customer.

Such notification shall include, to the extent such information is available to Fyncall at the time of notification:

(a) A detailed description of the Security Breach, including:

  • (i) The nature of the breach;
  • (ii) How the breach occurred;
  • (iii) The systems or data affected; and
  • (iv) The approximate date and time of the breach;

(b) The type of Personal Data that was the subject of the Security Breach (e.g., names, contact information, Conversation Data, transaction information);

(c) The identity of each affected Data Subject (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned);

(d) The name and contact details of Fyncall’s data protection officer or other point of contact where more information can be obtained;

(e) A description of the likely consequences of the Security Breach, including potential impact on Data Subjects;

(f) A description of the measures taken or proposed to be taken by Fyncall to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and

(g) If applicable, a description of the measures Data Subjects can take to protect themselves.

Fyncall will provide such information to Customer in phases as it becomes available, recognizing that complete information may not be available within the initial 72-hour notification period.

7.2 Investigation and Remediation

Fyncall shall:

(a) Take prompt action to investigate the Security Breach and determine the scope, cause, and impact;

(b) Use industry standard, commercially reasonable efforts to contain and mitigate the effects of the Security Breach;

(c) Implement measures to prevent recurrence of similar Security Breaches;

(d) Provide Customer with regular updates on the investigation and remediation efforts;

(e) Cooperate with Customer in investigating the Security Breach and fulfilling Customer’s obligations under Applicable Privacy Law, including notification to Privacy Authorities and affected Data Subjects; and

(f) Preserve evidence relating to the Security Breach in accordance with Fyncall’s incident response procedures and any applicable legal requirements.

7.3 Customer Notification Obligations

Customer acknowledges and agrees that:

(a) Fyncall’s notification to Customer under this Section 7 does not constitute an acknowledgment by Fyncall of any fault or liability with respect to the Security Breach;

(b) Customer is solely responsible for determining whether the Security Breach requires notification to Privacy Authorities, Data Subjects, or other third parties under Applicable Privacy Law;

(c) Customer is solely responsible for making any required notifications to Privacy Authorities, Data Subjects, or other third parties;

(d) Fyncall will reasonably cooperate with Customer in fulfilling such notification obligations; and

(e) Customer shall not make any public statements regarding a Security Breach without Fyncall’s prior written consent, except as required by Applicable Privacy Law.


8. PRIVACY IMPACT ASSESSMENTS AND AUDITS

8.1 Privacy Impact Assessments

Fyncall shall, promptly upon receipt of written request by Customer and where required by Applicable Privacy Law:

(a) Make available to Customer such information in Fyncall’s possession as is reasonably necessary to demonstrate Fyncall’s compliance with its obligations under this DPA and Applicable Privacy Law, to the extent such information is relevant to Customer’s own compliance with Applicable Privacy Law;

(b) Reasonably assist Customer in carrying out any privacy impact assessment or data protection impact assessment required under Applicable Privacy Law, taking into account the nature of the Processing and the information available to Fyncall; and

(c) Reasonably assist Customer in any required prior consultations with Privacy Authorities regarding high-risk Processing.

Fyncall shall reasonably cooperate with Customer to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment, subject to technical feasibility and commercial reasonableness.

Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Customer shall not make any request under this Section 8.1 more than once in any twelve (12) month period. Fyncall may charge Customer its then-current professional services rates for assistance provided under this Section 8.1 that requires substantial time or resources beyond normal operations.

8.2 Audit Rights

Subject to the terms of this Section 8.2, Customer or Customer’s authorized third-party auditor may audit Fyncall’s compliance with its obligations under this DPA no more than once per year, upon reasonable notice and during regular business hours.

8.2.1 Audit Request Procedure

To request an audit, Customer must:

(a) Submit a proposed audit plan to legal@fyncall.com at least thirty (30) days in advance of the proposed audit date;

(b) Ensure that any third-party auditor signs a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof; and

(c) Provide a detailed description of the proposed scope, duration, start date, and objectives of the audit.

8.2.2 Audit Scope Limitations

The proposed audit plan must be reasonable in scope and:

(a) Shall not include any activities that could compromise Fyncall’s security, privacy, confidentiality of other customers, employment practices, or other legitimate business interests;

(b) Shall be limited to matters relevant to Fyncall’s Processing of Personal Data on behalf of Customer under this DPA;

(c) Shall not unreasonably interfere with Fyncall’s business activities;

(d) Shall be conducted in a manner that complies with Fyncall’s security, safety, and confidentiality policies; and

(e) Nothing in this Section 8.2 shall require Fyncall to breach any duties of confidentiality owed to other customers or third parties.

8.2.3 Alternative to On-Site Audit

If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO 27001, or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request, and Fyncall has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an on-site audit of such controls or measures.

8.2.4 Audit Costs

(a) Any audits conducted under this Section 8.2 are at Customer’s sole expense;

(b) Customer shall reimburse Fyncall for any time expended by Fyncall and any third parties engaged by Fyncall in connection with any audits or inspections under this Section 8.2 at Fyncall’s then-current professional services rates, which shall be made available to Customer upon request; and

(c) Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

8.2.5 Audit by Privacy Authority

Notwithstanding the above, if a Privacy Authority requests an audit of Fyncall’s Processing of Personal Data on behalf of Customer, Fyncall will reasonably cooperate with such audit in accordance with Applicable Privacy Law.


9. DELETION AND RETURN OF PERSONAL DATA

9.1 Deletion Upon Termination

Fyncall shall, within ninety (90) days of the expiration or termination of the Agreement, or following receipt of written notice from Customer (except as otherwise required by Applicable Privacy Law):

(a) At Customer’s option, either:

  • (i) Return a complete copy of all Personal Data to Customer by secure file transfer in such commonly used, machine-readable format as is reasonably specified by Customer to Fyncall; or
  • (ii) Securely delete and procure the deletion of all Personal Data in Fyncall’s possession or control;

(b) Certify in writing to Customer that Fyncall has complied with the requirements of this Section 9.1; and

(c) Fyncall may retain Personal Data to the extent required by applicable law, provided that Fyncall will ensure the confidentiality of any such Personal Data and will ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its retention, and will delete such Personal Data when no longer required to be retained by law.

9.2 Limitations on Deletion

Customer acknowledges and agrees that:

(a) Commerce Channel Data: Conversation Data and other Personal Data transmitted through or stored by Commerce Channels may be retained by Commerce Channel Providers in accordance with their own data retention policies, and Fyncall cannot delete or return such data that is solely within the control of Commerce Channel Providers;

(b) E-commerce Platform Data: Personal Data that originates from or is stored within Customer’s E-commerce Platform account is controlled by Customer and the E-commerce Platform provider, and Fyncall’s deletion obligations apply only to copies of such data within Fyncall’s systems;

(c) Backup and Disaster Recovery: Personal Data may persist in Fyncall’s backup and disaster recovery systems for a limited period after deletion from production systems, in accordance with Fyncall’s backup retention policies, provided that such data will be deleted in the ordinary course of Fyncall’s backup rotation schedule;

(d) Aggregated and Anonymized Data: Fyncall is not required to delete aggregated or anonymized data derived from Personal Data that can no longer be associated with an identified or identifiable Data Subject; and

(e) Usage Data: Fyncall may retain Usage Data and system logs that do not contain Personal Data for Fyncall’s business purposes, including security monitoring and service improvement.

9.3 Deletion During Service Term

If Customer requests deletion of specific Personal Data during the term of the Agreement (such as to fulfill a Data Subject deletion request), Fyncall shall comply with such request within a reasonable timeframe, taking into account the nature of the request and the technical feasibility of deletion, and subject to the limitations in Section 9.2.

9.4 Data Export Functionality

Fyncall will maintain functionality within the Services that enables Customer to export Personal Data in commonly used formats during the term of the Agreement, as described in the Documentation.

This deletion obligation is in addition to Fyncall’s obligations concerning the destruction or return of Customer’s Confidential Information as provided in the Agreement.

Requests to delete Personal Data should be directed to: legal@fyncall.com


10. THIRD PARTY DISCLOSURE REQUESTS

10.1 Disclosure Requests from Authorities and Data Subjects

Unless prohibited by applicable law, Fyncall shall promptly notify Customer of any inquiry, communication, request or complaint, to the extent relating to Fyncall’s Processing of Personal Data on behalf of Customer, from:

(a) Any governmental, regulatory or supervisory authority, including Privacy Authorities, law enforcement agencies, or courts;

(b) Any Data Subject exercising their rights under Applicable Privacy Law; and

(c) Any other third party claiming rights with respect to Personal Data.

Fyncall shall, taking into account the nature of the Processing, provide reasonable assistance to enable Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines, including by:

(i) Redirecting the inquiring party to Customer where appropriate;

(ii) Providing Customer with relevant information and data within Fyncall’s possession or control;

(iii) Assisting Customer in preparing responses; and

(iv) Implementing Customer’s instructions regarding such requests.

Fyncall shall not disclose Personal Data to any of the persons or entities in (a), (b), or (c) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 10.

In the event that Fyncall is required by law, court order, warrant, subpoena, or other legal or judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Customer, including any national security authority, law enforcement agency, or other government body, Fyncall shall:

(a) Unless prohibited by applicable law, notify Customer promptly of the Legal Request, providing sufficient detail to enable Customer to understand the nature and scope of the request;

(b) Attempt to redirect the Legal Request to Customer where legally permissible and technically feasible;

(c) If unable to redirect the Legal Request, provide all reasonable assistance to Customer to enable Customer to respond to, object to, or challenge any such Legal Request and to meet applicable statutory or regulatory deadlines;

(d) Limit the disclosure to the minimum amount of Personal Data required to comply with the Legal Request;

(e) Assert any applicable legal privileges or protections available to Customer with respect to the Personal Data;

(f) If prohibited by applicable law from providing notice to Customer of a Legal Request, use commercially reasonable efforts to:

  • (i) Object to, or challenge, any such Legal Request on grounds relating to its legality, scope, or necessity;
  • (ii) Seek a waiver of the prohibition on providing notice to Customer;
  • (iii) Request that any Legal Request be narrowed in scope; and
  • (iv) Seek protection for the Personal Data through confidentiality orders or similar protections; and

(g) Provide Customer with notice of the Legal Request as soon as legally permissible.

Fyncall shall not disclose Personal Data pursuant to a Legal Request unless Fyncall is legally compelled to do so and has otherwise complied with the obligations in this Section 10.2 to the extent legally permitted.

10.3 Documentation

Fyncall shall maintain documentation of any Legal Requests received and any disclosures made pursuant to such Legal Requests, to the extent permitted by applicable law, and shall make such documentation available to Customer upon request.


11. INTERNATIONAL TRANSFERS OF PERSONAL DATA

11.1 Transfers Outside the European Economic Area

Where Personal Data subject to the EU GDPR is transferred from the European Economic Area to a country outside the European Economic Area that has not been designated by the European Commission as providing an adequate level of protection for Personal Data pursuant to Article 45 of the EU GDPR, the Parties agree that such transfer shall be governed by the EU SCCs set forth in Exhibit D, which form an integral part of this DPA.

The EU SCCs are deemed entered into and completed as follows:

  • Module Two (Controller-to-Processor) applies;
  • The information required in Annexes I and II of the EU SCCs is provided in Exhibit D;
  • The optional docking clause in Clause 7 applies;
  • Option 2 in Clause 9(a) (General Authorization) applies, with the time period for objection being 10 days;
  • The optional language in Clause 11(a) does not apply;
  • Option 1 in Clause 17 applies, with the governing law being the law of the EU Member State in which the data exporter is established, or where an EU Member State’s law cannot be selected, the law of Ireland;
  • Option 1 in Clause 18(b) applies, with the courts being those of the EU Member State in which the data exporter is established, or where such courts do not have jurisdiction, the courts of Ireland.

11.2 Transfers from the United Kingdom

Where Personal Data subject to the UK GDPR is transferred from the United Kingdom to a country outside the United Kingdom that is not designated as providing an adequate level of protection under the UK GDPR, the Parties agree that such transfer shall be governed by the UK SCCs set forth in Exhibit E, which form an integral part of this DPA.

11.3 Transfers from Switzerland

Where Personal Data subject to the Swiss Federal Act on Data Protection is transferred from Switzerland to a country outside Switzerland that is not recognized as providing an adequate level of protection under Swiss data protection law, the Parties agree that such transfer shall be governed by the Swiss SCCs set forth in Exhibit F, which form an integral part of this DPA.

For transfers from Switzerland only, the term “personal data” as used in the Standard Contractual Clauses shall include, as applicable, personality profiles and the personal data of legal persons.

11.4 Transfers from Singapore and Malaysia

For Personal Data subject to PDPA Singapore or PDPA Malaysia, Customer and Fyncall acknowledge that:

(a) Fyncall may transfer Personal Data outside Singapore or Malaysia (as applicable) for the purpose of providing the Services;

(b) Customer consents to such transfers for the purpose of providing the Services;

(c) Fyncall shall ensure that such transfers comply with the requirements of PDPA Singapore or PDPA Malaysia (as applicable), including ensuring that the foreign recipient provides a standard of protection that is comparable to the protection under the applicable PDPA; and

(d) Where required by Applicable Privacy Law, Fyncall shall enter into appropriate data transfer agreements with foreign recipients of Personal Data.

11.5 Provision of Standard Contractual Clauses

Fyncall shall provide a copy of the executed Standard Contractual Clauses applicable to Customer’s transfers to Customer upon reasonable request.

11.6 Changes to Transfer Mechanisms

If any Standard Contractual Clauses incorporated into this DPA are amended, replaced, or invalidated by a competent authority, the Parties agree to cooperate in good faith to negotiate an alternative data transfer mechanism that provides adequate protection for Personal Data and enables the continued provision of the Services.


12. LIMITATION OF LIABILITY

Any claims brought under, or in connection with, this DPA, shall be subject to the exclusions and limitations of liability set forth in the Master Subscription Agreement between the Parties.

For clarity, Fyncall’s total aggregate liability arising out of or related to this DPA, whether in contract, tort, or otherwise, shall not exceed the limitations set forth in the Agreement.


13. TERM AND TERMINATION

13.1 Term

This DPA shall commence on the effective date of the Agreement and shall remain in effect for so long as Fyncall Processes Personal Data on behalf of Customer, including during any period following termination of the Agreement during which Fyncall is required to delete or return Personal Data in accordance with Section 9.

13.2 Survival

The provisions of this DPA that by their nature should survive termination or expiration of the Agreement shall survive, including but not limited to Sections 9 (Deletion and Return of Personal Data), 12 (Limitation of Liability), and any other provisions necessary to give effect to the Parties’ obligations regarding Personal Data.


14. GENERAL PROVISIONS

14.1 Entire Agreement

This DPA, together with the Agreement and any exhibits and annexes to this DPA, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, whether oral or written, concerning such subject matter.

14.2 Amendments

Fyncall may amend this DPA from time to time to reflect changes in Applicable Privacy Law, changes to the Services, or changes to Fyncall’s data processing practices, provided that such amendments do not materially reduce the protections provided to Personal Data. Fyncall will provide Customer with at least thirty (30) days’ notice of any material amendments to this DPA. Continued use of the Services following the effective date of such amendments constitutes Customer’s acceptance of the amended DPA.

14.3 Conflict

In the event of any conflict or inconsistency between:

  • (a) This DPA and the Agreement, this DPA shall control with respect to the Processing of Personal Data;
  • (b) This DPA and any Standard Contractual Clauses incorporated herein, the Standard Contractual Clauses shall prevail; and
  • (c) Different language versions of this DPA, the English language version shall prevail.

14.4 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid, illegal, or unenforceable provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving its intent.

14.5 Notices

All notices under this DPA shall be in writing and shall be sent to:

For Customer: The email address associated with Customer’s account or as otherwise specified by Customer in writing.

For Fyncall:

  • Email: legal@fyncall.com
  • Address: Builderson Group Limited, FLAT/RM B, 1/F, 8 FUK WA STREET SHAM SHUI PO, KL

14.6 Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, except that the Standard Contractual Clauses shall be governed by the laws specified therein.

14.7 Compliance with Laws

Each Party shall comply with all applicable laws in connection with its performance under this DPA, including Applicable Privacy Law.


EXHIBITS

The following exhibits form an integral part of this DPA:

Exhibit A: Details of Processing Activities

Exhibit B: Technical and Organizational Security Measures

Exhibit C: List of Subprocessors (available at https://www.fyncall.com/legal/subprocessors)

Exhibit D: EU Standard Contractual Clauses

Exhibit E: UK Standard Contractual Clauses (UK Addendum)

Exhibit F: Swiss Standard Contractual Clauses


EXHIBIT A: DETAILS OF PROCESSING ACTIVITIES

1. Subject Matter of Processing

The subject matter of the Processing is the provision of Fyncall’s conversational commerce platform services to Customer, which enable Customer to conduct commerce transactions and customer service interactions with End Customers through Commerce Channels such as WhatsApp Business API and Instagram Direct Messages.

2. Nature and Purpose of Processing

The nature of the Processing includes:

  • Storing and transmitting Conversation Data between Customer and End Customers;
  • Analyzing Conversation Data to understand End Customer intent and generate AI-powered responses;
  • Retrieving and displaying product, order, and inventory information from Customer’s E-commerce Platform;
  • Processing End Customer requests related to orders, returns, tracking, and customer support;
  • Maintaining conversation history and customer context to enable continuity of service;
  • Facilitating handoffs between AI-powered responses and human agents;
  • Generating analytics and insights about conversation performance;
  • Enabling Customer to manage and respond to End Customer communications through an omnichannel inbox.

The purpose of the Processing is to:

  • Enable Customer to provide conversational commerce experiences to End Customers;
  • Automate routine customer service tasks;
  • Improve customer engagement and conversion rates;
  • Provide efficient order management and customer support through messaging channels;
  • Enable Customer to scale customer interactions while maintaining quality.

3. Duration of Processing

The duration of the Processing is the period during which Customer subscribes to the Services, plus the period required to delete or return Personal Data in accordance with Section 9 of this DPA (typically up to 90 days following termination).

4. Types of Personal Data

The types of Personal Data Processed include:

a) End Customer Contact Information:

  • Names
  • Email addresses
  • Phone numbers
  • Messaging app identifiers (e.g., WhatsApp phone numbers, Instagram usernames)
  • Postal addresses

b) Conversation Data:

  • Message content
  • Timestamps
  • Conversation metadata
  • Images, videos, or other media shared in conversations
  • Voice messages (if supported by the Commerce Channel)

c) Order and Transaction Information:

  • Order numbers and order details
  • Product information and quantities
  • Order status and tracking information
  • Shipping information
  • Payment status (but not full payment card details)

d) Customer Behavior and Preference Data:

  • Purchase history
  • Product browsing history
  • Customer preferences and interests expressed in conversations
  • Customer service history
  • Returns and refund information

e) Technical Data:

  • IP addresses (to the extent provided by Commerce Channels)
  • Device information (to the extent provided by Commerce Channels)
  • Timestamps and usage data

f) Profile Information:

  • Customer account information from the E-commerce Platform
  • Customer notes and tags created by Customer
  • Customer segments or classifications

5. Categories of Data Subjects

The categories of Data Subjects include:

  • End Customers: Individuals who are customers or prospective customers of Customer’s e-commerce business and who communicate with Customer through the Commerce Channels enabled by the Services;

  • Authorized Users: Customer’s employees, contractors, agents, or other personnel who access and use the Services on Customer’s behalf.

6. Special Categories of Personal Data

Customer shall not provide, and shall ensure that End Customers do not provide, special categories of Personal Data (also known as sensitive personal data) through the Services, including:

  • Health information
  • Biometric data
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Data concerning sexual orientation or sex life

If Fyncall becomes aware that special categories of Personal Data are being Processed through the Services, Fyncall will notify Customer and Customer will promptly remove or delete such data.


EXHIBIT B: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Fyncall implements and maintains the following categories of technical and organizational security measures to protect Personal Data. These measures are subject to technical progress and development and may be updated by Fyncall from time to time, provided that such updates do not result in a material degradation of the security of the Services.

1. Measures of Pseudonymization and Encryption

  • Encryption in Transit: All Personal Data transmitted between Customer, Fyncall’s systems, and Commerce Channels is encrypted using industry-standard encryption protocols (TLS 1.2 or higher).

  • Encryption at Rest: Personal Data stored in Fyncall’s systems is encrypted at rest using industry-standard encryption algorithms (AES-256 or equivalent).

  • Key Management: Encryption keys are securely managed, rotated regularly, and access to keys is restricted to authorized personnel only.

  • Anonymization for AI Training: Personal Data used for AI model training is anonymized such that individual Data Subjects cannot be identified.

2. Measures for Ensuring Ongoing Confidentiality, Integrity, Availability and Resilience

  • Access Controls:

    • Role-based access control (RBAC) systems limit access to Personal Data to authorized personnel only.
    • Multi-factor authentication is required for access to systems containing Personal Data.
    • Access to Personal Data is logged and monitored.
  • Network Security:

    • Firewalls and intrusion detection/prevention systems protect network boundaries.
    • Network segmentation isolates systems containing Personal Data.
    • Regular vulnerability scanning and penetration testing.
  • System Availability:

    • Redundant infrastructure to ensure high availability of Services.
    • Regular backups of Personal Data with secure storage.
    • Disaster recovery and business continuity plans are in place and tested regularly.
  • Data Integrity:

    • Checksums and validation mechanisms to ensure data integrity.
    • Version control and audit logging of data changes.

3. Measures for Ensuring the Ability to Restore Availability and Access to Personal Data

  • Backup and Recovery:

    • Regular automated backups of Personal Data.
    • Backups are encrypted and stored securely.
    • Documented backup and recovery procedures.
    • Regular testing of backup restoration processes.
  • Incident Response:

    • Documented incident response plan for security incidents.
    • Designated incident response team.
    • Regular incident response drills and tabletop exercises.

4. Processes for Regularly Testing, Assessing and Evaluating Effectiveness

  • Security Testing:

    • Regular vulnerability assessments and penetration testing by qualified third parties.
    • Automated security scanning of applications and infrastructure.
    • Code security reviews for applications that Process Personal Data.
  • Compliance Audits:

    • Regular internal audits of security controls and compliance with this DPA.
    • External audits such as SOC 2 Type 2 examinations.
  • Monitoring and Logging:

    • Security information and event management (SIEM) systems monitor for security incidents.
    • Audit logs of access to and changes to Personal Data.
    • Automated alerting for suspicious activities.
  • Continuous Improvement:

    • Regular review and update of security measures in response to new threats.
    • Security awareness training for all personnel.
    • Engagement with the security research community.

5. Measures for User Identification and Authorization

  • Authentication:

    • Strong password requirements enforced.
    • Multi-factor authentication for access to systems containing Personal Data.
    • Single sign-on (SSO) capabilities for Customer users.
  • Authorization:

    • Role-based access control limits access based on job function.
    • Principle of least privilege applied to all access grants.
    • Regular review of access rights and removal of unnecessary access.

6. Measures for the Protection of Data During Transmission

  • Encrypted Connections:

    • All connections to the Services use HTTPS with TLS 1.2 or higher.
    • Secure protocols for API communications.
  • Data Transfer Security:

    • Secure file transfer mechanisms for data import/export.
    • Validation and sanitization of data inputs.

7. Measures for the Protection of Data During Storage

  • Encryption at Rest: As described in Section 1 above.

  • Secure Storage:

    • Personal Data stored in secure, access-controlled data centers.
    • Physical security measures at data center facilities.
    • Secure deletion procedures for decommissioned storage media.

8. Measures for Ensuring Physical Security

Fyncall utilizes reputable cloud infrastructure providers (Subprocessors) that maintain:

  • Physical access controls at data center facilities (biometric access, security personnel, CCTV).
  • Environmental controls (fire suppression, temperature control, power redundancy).
  • Security certifications (SOC 2, ISO 27001, etc.).

9. Measures for Ensuring Incident Management

  • Incident Detection:

    • Automated monitoring and alerting systems.
    • Security operations center (SOC) monitoring.
  • Incident Response:

    • Documented incident response procedures as described in Section 7 of the DPA.
    • Designated incident response team with defined roles and responsibilities.
    • Communication protocols for notifying Customer of Security Breaches.
  • Post-Incident Activities:

    • Root cause analysis following incidents.
    • Implementation of corrective actions.
    • Documentation and lessons learned.

10. Measures for Ensuring Data Minimization

  • Processing only Personal Data that is necessary for the purposes of providing the Services.
  • Configuration options for Customer to control what data is collected and retained.
  • Retention periods for Personal Data in accordance with Customer’s instructions and legal requirements.
  • Regular review and deletion of Personal Data that is no longer necessary.

11. Measures for Ensuring Data Quality

  • Validation mechanisms to ensure accuracy of Personal Data.
  • Processes for Customer to update or correct Personal Data.
  • Data quality monitoring and error detection.

12. Measures for Ensuring Limited Retention

  • Personal Data is retained only for as long as necessary for the purposes of providing the Services or as required by law.
  • Automated deletion of Personal Data upon termination in accordance with Section 9 of the DPA.
  • Customer controls over data retention periods where technically feasible.

13. Measures for Ensuring Accountability

  • Documentation of data processing activities.
  • Audit trails of access to and modifications of Personal Data.
  • Regular internal compliance reviews.
  • Third-party audit and certification reports.

14. Measures for Allowing Data Portability and Ensuring Erasure

  • Functionality within the Services to export Personal Data in commonly used formats.
  • Procedures for deleting Personal Data upon Customer’s request as described in Section 9 of the DPA.
  • Secure deletion methods to ensure data cannot be recovered after deletion.

EXHIBIT C: LIST OF SUBPROCESSORS

The current list of Subprocessors is maintained at:

https://www.fyncall.com/legal/subprocessors

This list includes:

  • The name of each Subprocessor
  • The location of the Subprocessor
  • A description of the processing activities performed by the Subprocessor

Customer may subscribe to receive email notifications of changes to the Subprocessor list by contacting legal@fyncall.com.


EXHIBIT D: EU STANDARD CONTRACTUAL CLAUSES

[The EU Standard Contractual Clauses as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated here by reference. The full text would be included in the executed version of the DPA.]

Module Selected: Module Two (Controller to Processor)

Annexes Completion:

Annex I.A (List of Parties):

  • Data exporter: Customer (as identified in the Agreement)
  • Data importer: Builderson Group Limited

Annex I.B (Description of Transfer): As set forth in Exhibit A of this DPA.

Annex I.C (Competent Supervisory Authority): The supervisory authority of the EU Member State in which the data exporter is established, or the Irish Data Protection Commission if the data exporter is not established in an EU Member State.

Annex II (Technical and Organizational Measures): As set forth in Exhibit B of this DPA.

Annex III (List of Sub-processors): As set forth in Exhibit C of this DPA and available at https://www.fyncall.com/legal/subprocessors.


EXHIBIT E: UK STANDARD CONTRACTUAL CLAUSES

[The UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner on March 21, 2022 is incorporated here by reference. The full text would be included in the executed version of the DPA.]


EXHIBIT F: SWISS STANDARD CONTRACTUAL CLAUSES

[The EU Standard Contractual Clauses with the Swiss adaptations required by the Swiss Federal Data Protection and Information Commissioner are incorporated here by reference. The full text would be included in the executed version of the DPA.]

Swiss-specific modifications:

  • References to the GDPR are replaced with references to the Swiss Federal Act on Data Protection.
  • References to EU Member States include Switzerland.
  • The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
  • The term “personal data” includes personality profiles and data of legal persons.