Data Processing Agreement

Purpose of Processing

Fulmico processes personal data solely to provide business automation services as outlined in our Terms of Service, including:

• Order processing and fulfillment automation
• Subscription management and billing
• Customer communication and notifications
• Analytics and reporting for business operations
• Technical support and platform maintenance

Categories of Personal Data

Data Subjects

Personal data may relate to:

• Customer account holders and authorized users
• Customer's end-users and subscribers
• Contact persons at customer organizations
• Recipients of automated communications

As the Data Controller, Customer warrants and undertakes that:

• It has the legal right to transfer personal data to Fulmico for processing
• It has obtained all necessary consents and provided required notices to data subjects
• Processing instructions comply with applicable data protection laws
• It will implement appropriate measures to ensure data security
• It will promptly notify Fulmico of any changes affecting data processing

As the Data Processor, Fulmico undertakes to:

• Process personal data only according to documented instructions from the Customer
• Ensure personnel processing data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist Customer in responding to data subject rights requests
• Notify Customer of personal data breaches within 72 hours
• Delete or return personal data upon termination of services

Customer provides general authorization for Fulmico to engage sub-processors, subject to the following conditions:

• Sub-processors must provide the same level of data protection as this DPA
• Fulmico remains fully liable for sub-processor compliance
• Customer will be notified of any changes to sub-processors

Current Sub-Processors

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Such transfers are protected by appropriate safeguards:

• Standard Contractual Clauses: EU-approved SCCs for data transfers
• Adequacy Decisions: Transfers to countries with adequacy decisions
• UK IDTA: UK International Data Transfer Agreement where applicable
• Additional Safeguards: Encryption and access controls for transferred data

Fulmico will assist Customer in fulfilling data subject rights requests, including:

Notification Procedures

• Initial Notification: Within 72 hours of becoming aware of a breach
• Detailed Report: Comprehensive breach assessment within 5 business days
• Ongoing Updates: Regular updates on investigation and remediation

Breach Information

Notifications will include:

• • Nature and scope of the personal data breach
• • Categories and approximate number of data subjects affected
• • Likely consequences of the breach
• • Measures taken or proposed to address the breach
• • Contact information for further inquiries

To demonstrate compliance with this DPA and applicable data protection laws:

• Fulmico will provide relevant compliance documentation upon request
• Third-party audit reports (SOC 2) available under appropriate confidentiality
• Customer may request specific compliance information for regulatory purposes
• Reasonable assistance provided for Customer's own compliance obligations

This DPA remains in effect for the duration of the Terms of Service. Upon termination:

• Fulmico will delete or return all personal data within 30 days
• Customer data export tools available during termination period
• Legal retention requirements may extend deletion timelines
• Certification of deletion provided upon request

For questions about this Data Processing Agreement or data protection matters:

This Data Processing Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.