Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Fibric Inc. ("Fibric," "we") and the customer ("Customer," "you") and governs Fibric's processing of personal data on the Customer's behalf. Where the GDPR, UK GDPR, or similar laws apply, this DPA reflects the parties' obligations under them. Capitalized terms not defined here have the meaning given in the Terms.
Scope & roles
This DPA applies where Fibric processes personal data contained in Customer Data on the Customer's behalf in providing the Service. For that data, the Customer is the controller (or a processor acting for its own customers) and Fibric is the processor (or subprocessor). For personal data about website visitors, account holders, and prospects, Fibric acts as an independent controller under our Privacy Policy, and this DPA does not apply.
Processing details
The required particulars of processing are as follows:
| Element | Detail |
|---|---|
| Subject matter | Fibric's provision of the platform and the products built on it, under which operators sense, reason, and act on the Customer's connected systems. |
| Duration | For the term of the Terms, plus any deletion or return period described below. |
| Nature | Collection, storage, structuring, retrieval, transmission, and other operations necessary to provide, secure, and support the Service, including governed action and receipt-keeping. |
| Purpose | To deliver the Service in accordance with the Customer's documented instructions. |
| Categories of data | Identifiers and contact details, account and configuration data, operational records from connected systems, usage and telemetry data, and any other personal data the Customer routes through the Service. |
| Categories of data subjects | The Customer's authorized users, end customers, employees, contacts, and other individuals whose data appears in the connected systems. |
Customer instructions
Fibric processes personal data only on the Customer's documented instructions, including those set out in the Terms, this DPA, and the configuration the Customer establishes in the Service. We will inform the Customer if, in our opinion, an instruction infringes applicable data-protection law, and we will not be required to follow an unlawful instruction. The Customer is responsible for the lawfulness of the data it provides and the instructions it gives.
Confidentiality
Fibric ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and are granted access on a least-privilege, need-to-know basis. These obligations survive the end of their engagement.
Security measures
Fibric implements and maintains appropriate technical and organizational measures designed to protect personal data, taking into account the state of the art and the risks of processing. These include encryption in transit and at rest, least-privilege access controls, strong authentication, network segmentation, logging and monitoring, a fail-closed trust model, and tenant isolation enforced at the data layer: a reseller and tenant identifier is attached to every event and row, so one customer's data is never exposed to another. We test and review these measures and update them as risks evolve.
Subprocessors
The Customer authorizes Fibric to engage subprocessors to support the Service. We impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance. A current list is at Subprocessors. We notify the Customer of intended changes and provide an opportunity to object, as described there.
Data subject rights assistance
Taking into account the nature of the processing, Fibric provides reasonable assistance — through appropriate technical and organizational measures and the controls available in the Service — to help the Customer respond to requests from data subjects exercising their rights of access, correction, deletion, restriction, portability, or objection. If a request reaches Fibric directly, we will, unless legally prohibited, refer it to the Customer.
Personal data breach notification
Fibric notifies the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data, and provides information reasonably available to help the Customer meet its own notification obligations. We take reasonable steps to contain and remediate the breach. Our notification is not an acknowledgment of fault or liability.
International transfers
Where Fibric transfers personal data across borders in a way that requires a transfer mechanism under applicable law, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where relevant), which are incorporated into this DPA by reference and completed by the particulars in the Processing details above. We make information about transfers reasonably available on request.
Deletion & return on termination
On termination or expiry of the Service, and at the Customer's choice, Fibric deletes or returns the personal data it processes on the Customer's behalf, and deletes existing copies, unless retention is required by law. The Customer may export Customer Data during a limited window before deletion. Receipts and audit records are retained per the Customer's configured policy.
Audits
Fibric makes available information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Customer or an independent auditor it mandates. Audits are subject to reasonable notice, confidentiality, frequency, and scope limits, and may be satisfied through Fibric's then-current reports, certifications, or documentation where these reasonably address the Customer's questions.
Contact
Data-protection questions or requests under this DPA? Contact our data protection office at dpo@fibric.io, or write to Fibric Inc., Attn: Data Protection Officer.