Data Processing Addendum

TheFabrik, Inc. DATA PROCESSING ADDENDUM to EUSA

[Last Updated June 25, 2025]

This Data Processing Addendum ("DPA") supplements and forms part of the Fabrik End User SaaS Agreement ("Agreement") between TheFabrik, Inc., a Delaware corporation ("Fabrik", "we", "us", or "our"), and the Customer identified in the Agreement ("Customer", "you", or "your"). This DPA governs the processing of Personal Data by Fabrik on behalf of Customer in connection with the Services.

1. DEFINITIONS

1.1. Capitalized terms not defined in this DPA have the meanings given in the Agreement. The following definitions apply to this DPA:

  • "Applicable Data Protection Laws" means all applicable laws, regulations, and binding guidance relating to the processing, privacy, and/or protection of Personal Data, including: (a) Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR"); (b) the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, "CCPA"); (c) the UK Data Protection Act 2018 and UK GDPR; and (d) any successor or replacement legislation.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Fabrik on behalf of Customer in connection with the Services.
  • "Processing" (and its derivatives) means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Processor" means the entity that processes Personal Data on behalf of a Controller.
  • "Restricted Transfer" means a transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country that has not been subject to an adequacy decision by the European Commission or relevant UK authority.
  • "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be updated or replaced.
  • "Sub-processor" means any Processor engaged by Fabrik to process Personal Data in connection with the Services.

2. SCOPE AND ROLES

2.1. Scope. This DPA applies only to Personal Data processed by Fabrik on behalf of Customer in connection with the Services. This DPA does not apply to Personal Data for which Fabrik is the Controller.

2.2. Role of the Parties. Customer is the Controller of Personal Data processed under this DPA. Fabrik is the Processor of such Personal Data. Each party will comply with its obligations under Applicable Data Protection Laws in its respective role.

2.3. Customer Instructions. Fabrik will process Personal Data only on behalf of and in accordance with Customer's documented instructions, which include: (a) this DPA; (b) the Agreement; and (c) other written instructions provided by Customer that are consistent with this DPA and the Agreement ("Instructions"). Customer represents that its Instructions comply with Applicable Data Protection Laws.

2.4. Aggregated Data Processing. Notwithstanding Section 2.3, Customer hereby instructs and authorizes Fabrik to use Customer Services Data (including Personal Data contained therein) in accordance with the Agreement for the creation of aggregated, de-identified, and anonymized insights, analytics, benchmarks, reports, marketing materials, surveys, feature suggestions, product analytics, and new product features or services ("Aggregated Data"). Customer acknowledges that: (a) such processing serves the legitimate interests of Fabrik and its customers in improving the Services and providing industry insights; (b) Aggregated Data will not identify Customer, its users, or Data Subjects; and (c) Fabrik may act as Controller with respect to such Aggregated Data once it no longer constitutes Personal Data. This instruction is deemed given upon Customer's acceptance of the Agreement and remains in effect for the duration of the Agreement unless Customer withdraws this instruction by written notice to Fabrik.

3. PROCESSING DETAILS

3.1. Categories of Personal Data. The Personal Data processed may include:

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company affiliations)
  • Account credentials and authentication data
  • Usage and activity data
  • Communication records
  • Any other Personal Data that Customer submits to or processes through the Services

3.2. Categories of Data Subjects. Data Subjects may include:

  • Customer's employees, contractors, and authorized users
  • Customer's customers, suppliers, and business partners
  • Other individuals whose Personal Data Customer processes through the Services

3.3. Purposes of Processing. Fabrik processes Personal Data for the following purposes:

  • Providing the Services as described in the Agreement
  • Customer support and technical assistance
  • Creating Aggregated Data as instructed by Customer pursuant to Section 2.4
  • Service improvement and analytics (in aggregated, de-identified form)
  • Compliance with legal obligations
  • Other purposes as instructed by Customer

4. FABRIK'S OBLIGATIONS

4.1. Processing Limitations. Fabrik will:

  • Process Personal Data only in accordance with Instructions
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Not transfer Personal Data outside the scope of this DPA without Customer's prior written consent

4.2. Security Measures. Fabrik implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication procedures
  • Regular security assessments and monitoring
  • Incident response procedures
  • Employee training on data protection

4.3. Data Subject Requests. Fabrik will assist Customer in responding to Data Subject requests by:

  • Providing reasonable cooperation and assistance
  • Implementing appropriate technical and organizational measures to facilitate Customer's compliance
  • Promptly notifying Customer of any Data Subject requests received directly by Fabrik

4.4. Data Protection Impact Assessments. Upon Customer's request, Fabrik will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities.

5. SUB-PROCESSORS

5.1. Authorized Sub-processors. Customer consents to Fabrik's engagement of Sub-processors for processing Personal Data in connection with the Services subject to the following requirements:

  • Sub-processors must be bound by data protection obligations substantially equivalent to this DPA
  • The engaging party remains fully liable for Sub-processor compliance
  • Sub-processor lists must be maintained and made available upon request

5.2. Sub-processor Requirements. Fabrik will:

  • Enter into written agreements with Sub-processors containing data protection obligations substantially equivalent to this DPA
  • Remain fully liable for Sub-processor compliance with such obligations
  • Regularly monitor Sub-processor compliance

5.3. Changes to Sub-processors. Fabrik will provide at least 30 days' advance notice of any addition or replacement of Sub-processors by updating the list referenced in Section 5.1. Customer may object to new Sub-processors by providing written notice within 30 days. If Customer objects, the parties will work together in good faith to resolve concerns or, if no resolution is possible, Customer may terminate the affected Services.

6. INTERNATIONAL TRANSFERS

6.1. Restricted Transfers. For any Restricted Transfer of Personal Data, Fabrik will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (incorporated by reference and deemed executed between the parties)
  • Other adequacy mechanisms as recognized under Applicable Data Protection Laws

6.2. Government Access. Fabrik represents that it has no reason to believe that applicable local laws would prevent it from fulfilling its obligations under this DPA or that requirements imposed by government authorities would likely have a substantial adverse effect on Customer's or Data Subjects' rights.

7. DATA SECURITY AND BREACH NOTIFICATION

7.1. Security Incidents. Fabrik will promptly notify Customer (without undue delay and within 72 hours where feasible) upon becoming aware of any Personal Data breach that affects Customer's Personal Data.

7.2. Breach Response. Fabrik will:

  • Investigate and remediate security incidents
  • Provide Customer with sufficient information to assess the incident and comply with breach notification requirements
  • Reasonably cooperate with Customer's incident response efforts
  • Implement measures to prevent similar incidents

8. RETURN AND DELETION

8.1. Data Return/Deletion. Upon termination or expiration of the Agreement, or upon Customer's written request, Fabrik will (at Customer's election):

  • Return all Personal Data to Customer in a commonly used electronic format; or
  • Securely delete all Personal Data

8.2. Retention Period. Notwithstanding Section 8.1, Fabrik may retain Personal Data to the extent required by applicable law, provided that Fabrik will limit further processing to compliance purposes only.

9. AUDITS AND COMPLIANCE

9.1. Audit Rights. Subject to reasonable notice and confidentiality obligations, Customer may audit Fabrik's compliance with this DPA no more than once annually, or more frequently if required by Applicable Data Protection Laws or if a Personal Data breach occurs.

9.2. Audit Cooperation. Fabrik will provide reasonable cooperation and access to information necessary for such audits, subject to confidentiality and security requirements.

9.3. Third-Party Certifications. Fabrik may satisfy audit requirements by providing copies of third-party audit reports or certifications demonstrating compliance with this DPA.

10. LIABILITY AND INDEMNIFICATION

10.1. Liability. Each party's liability under this DPA is subject to the limitation of liability provisions in the Agreement.

10.2. Regulatory Enforcement. Each party will be responsible for its own compliance with Applicable Data Protection Laws and any related fines or penalties imposed by supervisory authorities.

11. TERM AND AMENDMENTS

11.1. Term. This DPA will remain in effect for the duration of the Agreement.

11.2. Amendments. Fabrik may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or business practices. Material changes will be communicated to Customer with reasonable advance notice.

11.3. Conflict. In the event of conflict between this DPA and the Agreement regarding Personal Data processing, this DPA will prevail.

12. GOVERNING LAW AND CONTACT INFORMATION

12.1. Data Protection Contact. Customer may contact Fabrik's Data Protection Contact at privacy@thetrustfabrik.com for any questions regarding this DPA or Fabrik's processing of Personal Data.

12.2. Governing Law. This DPA is governed by the same law as the Agreement. For matters related to European Data Subjects, the parties agree to the jurisdiction of courts in the European Union for resolving disputes related to this DPA.

STANDARD CONTRACTUAL CLAUSES

For Restricted Transfers subject to GDPR, the Standard Contractual Clauses (Module Two: Controller to Processor) as set out in Commission Implementing Decision (EU) 2021/914 are hereby incorporated by reference and form an integral part of this DPA, with the following specifications:

  • Data exporter: Customer (as Controller)
  • Data importer: Fabrik (as Processor)
  • Competent supervisory authority: The supervisory authority with responsibility for ensuring compliance by the Data exporter
  • Governing law: The law of the EU Member State in which the Data exporter is established

The parties agree that:

  • Clause 7 (the optional docking clause) applies
  • Clause 11(a) applies (general written authorization for Sub-processor engagement)
  • Clause 17 (Option 1) applies for governing law
  • Clause 18(b) applies for choice of forum and jurisdiction

ANNEX I (Categories of data subjects, personal data, processing operations, purposes, and retention periods) is as described in Section 3 of this DPA.

ANNEX II (Technical and organizational measures) includes the security measures described in Section 4.2 of this DPA and as further detailed in Fabrik's security documentation.