TheFabrik, Inc. DATA PROCESSING ADDENDUM to EUSA
[Last Updated June 25, 2025]
This Data Processing Addendum ("DPA") supplements and forms part of the Fabrik End User SaaS Agreement ("Agreement") between TheFabrik, Inc., a Delaware corporation ("Fabrik", "we", "us", or "our"), and the Customer identified in the Agreement ("Customer", "you", or "your"). This DPA governs the processing of Personal Data by Fabrik on behalf of Customer in connection with the Services.
1. DEFINITIONS
1.1. Capitalized terms not defined in this DPA have the meanings given in the Agreement. The following definitions apply to this DPA:
2. SCOPE AND ROLES
2.1. Scope. This DPA applies only to Personal Data processed by Fabrik on behalf of Customer in connection with the Services. This DPA does not apply to Personal Data for which Fabrik is the Controller.
2.2. Role of the Parties. Customer is the Controller of Personal Data processed under this DPA. Fabrik is the Processor of such Personal Data. Each party will comply with its obligations under Applicable Data Protection Laws in its respective role.
2.3. Customer Instructions. Fabrik will process Personal Data only on behalf of and in accordance with Customer's documented instructions, which include: (a) this DPA; (b) the Agreement; and (c) other written instructions provided by Customer that are consistent with this DPA and the Agreement ("Instructions"). Customer represents that its Instructions comply with Applicable Data Protection Laws.
2.4. Aggregated Data Processing. Notwithstanding Section 2.3, Customer hereby instructs and authorizes Fabrik to use Customer Services Data (including Personal Data contained therein) in accordance with the Agreement for the creation of aggregated, de-identified, and anonymized insights, analytics, benchmarks, reports, marketing materials, surveys, feature suggestions, product analytics, and new product features or services ("Aggregated Data"). Customer acknowledges that: (a) such processing serves the legitimate interests of Fabrik and its customers in improving the Services and providing industry insights; (b) Aggregated Data will not identify Customer, its users, or Data Subjects; and (c) Fabrik may act as Controller with respect to such Aggregated Data once it no longer constitutes Personal Data. This instruction is deemed given upon Customer's acceptance of the Agreement and remains in effect for the duration of the Agreement unless Customer withdraws this instruction by written notice to Fabrik.
3. PROCESSING DETAILS
3.1. Categories of Personal Data. The Personal Data processed may include:
3.2. Categories of Data Subjects. Data Subjects may include:
3.3. Purposes of Processing. Fabrik processes Personal Data for the following purposes:
4. FABRIK'S OBLIGATIONS
4.1. Processing Limitations. Fabrik will:
4.2. Security Measures. Fabrik implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
4.3. Data Subject Requests. Fabrik will assist Customer in responding to Data Subject requests by:
4.4. Data Protection Impact Assessments. Upon Customer's request, Fabrik will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities.
5. SUB-PROCESSORS
5.1. Authorized Sub-processors. Customer consents to Fabrik's engagement of Sub-processors for processing Personal Data in connection with the Services subject to the following requirements:
5.2. Sub-processor Requirements. Fabrik will:
5.3. Changes to Sub-processors. Fabrik will provide at least 30 days' advance notice of any addition or replacement of Sub-processors by updating the list referenced in Section 5.1. Customer may object to new Sub-processors by providing written notice within 30 days. If Customer objects, the parties will work together in good faith to resolve concerns or, if no resolution is possible, Customer may terminate the affected Services.
6. INTERNATIONAL TRANSFERS
6.1. Restricted Transfers. For any Restricted Transfer of Personal Data, Fabrik will ensure appropriate safeguards are in place, including:
6.2. Government Access. Fabrik represents that it has no reason to believe that applicable local laws would prevent it from fulfilling its obligations under this DPA or that requirements imposed by government authorities would likely have a substantial adverse effect on Customer's or Data Subjects' rights.
7. DATA SECURITY AND BREACH NOTIFICATION
7.1. Security Incidents. Fabrik will promptly notify Customer (without undue delay and within 72 hours where feasible) upon becoming aware of any Personal Data breach that affects Customer's Personal Data.
7.2. Breach Response. Fabrik will:
8. RETURN AND DELETION
8.1. Data Return/Deletion. Upon termination or expiration of the Agreement, or upon Customer's written request, Fabrik will (at Customer's election):
8.2. Retention Period. Notwithstanding Section 8.1, Fabrik may retain Personal Data to the extent required by applicable law, provided that Fabrik will limit further processing to compliance purposes only.
9. AUDITS AND COMPLIANCE
9.1. Audit Rights. Subject to reasonable notice and confidentiality obligations, Customer may audit Fabrik's compliance with this DPA no more than once annually, or more frequently if required by Applicable Data Protection Laws or if a Personal Data breach occurs.
9.2. Audit Cooperation. Fabrik will provide reasonable cooperation and access to information necessary for such audits, subject to confidentiality and security requirements.
9.3. Third-Party Certifications. Fabrik may satisfy audit requirements by providing copies of third-party audit reports or certifications demonstrating compliance with this DPA.
10. LIABILITY AND INDEMNIFICATION
10.1. Liability. Each party's liability under this DPA is subject to the limitation of liability provisions in the Agreement.
10.2. Regulatory Enforcement. Each party will be responsible for its own compliance with Applicable Data Protection Laws and any related fines or penalties imposed by supervisory authorities.
11. TERM AND AMENDMENTS
11.1. Term. This DPA will remain in effect for the duration of the Agreement.
11.2. Amendments. Fabrik may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or business practices. Material changes will be communicated to Customer with reasonable advance notice.
11.3. Conflict. In the event of conflict between this DPA and the Agreement regarding Personal Data processing, this DPA will prevail.
12. GOVERNING LAW AND CONTACT INFORMATION
12.1. Data Protection Contact. Customer may contact Fabrik's Data Protection Contact at privacy@thetrustfabrik.com for any questions regarding this DPA or Fabrik's processing of Personal Data.
12.2. Governing Law. This DPA is governed by the same law as the Agreement. For matters related to European Data Subjects, the parties agree to the jurisdiction of courts in the European Union for resolving disputes related to this DPA.
STANDARD CONTRACTUAL CLAUSES
For Restricted Transfers subject to GDPR, the Standard Contractual Clauses (Module Two: Controller to Processor) as set out in Commission Implementing Decision (EU) 2021/914 are hereby incorporated by reference and form an integral part of this DPA, with the following specifications:
The parties agree that:
ANNEX I (Categories of data subjects, personal data, processing operations, purposes, and retention periods) is as described in Section 3 of this DPA.
ANNEX II (Technical and organizational measures) includes the security measures described in Section 4.2 of this DPA and as further detailed in Fabrik's security documentation.