Data Processing Addendum (DPA)

Effective Date: March 25, 2026
Version: Public v1.0

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Terms and Conditions, Master Services Agreement, Order Form, Subscription Agreement, or other written or electronic agreement governing Customer’s use of the Services (the “Agreement”) between FireGroup JSC (“Company”) and the customer entity agreeing to the Agreement (“Customer”).

This DPA applies where and to the extent that Company processes Personal Data on behalf of Customer in connection with the Services as a Processor, Service Provider, or equivalent role under applicable Data Protection Laws.

If there is a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA will control to the extent of that conflict.

For purposes of this DPA:

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
  • “Applicable Data Protection Laws” means all privacy, data protection, data security, and cross-border transfer laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss data protection laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”), and other applicable U.S. state privacy laws.
  • “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meanings given under Applicable Data Protection Laws.
  • “Customer Personal Data” means Personal Data processed by Company or its Subprocessors on behalf of Customer in connection with the Services.
  • “GDPR” means Regulation (EU) 2016/679.
  • “UK GDPR” means the GDPR as incorporated into the laws of the United Kingdom.
  • “SCCs” means the Standard Contractual Clauses approved by the European Commission for the transfer of personal data to processors established in third countries, as updated, replaced, or superseded from time to time.
  • “Services” has the meaning set out in the Agreement.
  • “Subprocessor” means any third party engaged by Company to process Customer Personal Data on behalf of Customer in connection with the Services.

2.1 Scope

This DPA applies only to the extent Company processes Customer Personal Data on behalf of Customer in connection with the Services.

2.2 Roles of the Parties

The parties acknowledge and agree that:

  • Customer acts as a Controller, Business, or equivalent role under Applicable Data Protection Laws with respect to Customer Personal Data processed under this DPA, except where applicable law expressly provides otherwise.
  • Company acts as a Processor, Service Provider, or equivalent role with respect to such Customer Personal Data.
  • Each party may also independently act as a Controller or equivalent with respect to certain data processed for its own purposes, such as account administration, billing, security, support, fraud prevention, and legal compliance, as described in the Company’s Privacy Policy.

2.3 Nature of the Services

The Services may include translation, localization, multilingual content processing, AI-assisted processing, currency display support, mobile app building and publishing support, loyalty-related features, analytics-related features, customer engagement tools, integrations, and related support and operational services.

3.1 Documented Instructions

Company will process Customer Personal Data only on Customer’s documented instructions, including as set out in:

  • the Agreement;
  • this DPA;
  • Customer’s use and configuration of the Services; and
  • other documented instructions mutually agreed in writing.

3.2 Instruction Compliance

Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Laws. Customer represents and warrants that it has all necessary rights, permissions, and lawful bases to disclose or otherwise make available Customer Personal Data to Company for processing under the Agreement and this DPA.

3.3 Unlawful Instructions

If Company believes that a Customer instruction infringes Applicable Data Protection Laws, Company may notify Customer and may suspend the relevant processing until the issue is resolved.

The details of processing under this DPA are described in Annex 1 (Details of Processing).

Company will ensure that persons authorized to process Customer Personal Data are subject to appropriate obligations of confidentiality, whether contractual or statutory.

6.1 Appropriate Measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects, Company will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

6.2 Security Program

Such measures may include, as appropriate:

  • access controls and role-based access restrictions;
  • authentication and credential management;
  • encryption in transit and, where appropriate, at rest;
  • logging and monitoring;
  • vulnerability management and patching practices;
  • backup and recovery measures;
  • incident detection and response processes;
  • vendor and subprocessor risk management; and
  • internal training and policy controls.

6.3 No Absolute Security Guarantee

Customer acknowledges that no security measure is infallible and that Company cannot guarantee absolute security.

To the extent required by Applicable Data Protection Laws, Company will provide commercially reasonable assistance to Customer, taking into account the nature of the processing, to enable Customer to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws.

Where Company receives a request directly from a Data Subject relating to Customer Personal Data processed on behalf of Customer, Company may, where legally permitted, direct the Data Subject to Customer and will not respond to the request except as required by law or as instructed by Customer.

Taking into account the nature of the processing and the information available to Company, Company will provide commercially reasonable assistance to Customer with Customer’s compliance obligations relating to:

  • security of processing;
  • notification of Personal Data Breaches;
  • data protection impact assessments, where required; and
  • prior consultation with Supervisory Authorities,

in each case to the extent required by Applicable Data Protection Laws and subject to reasonable reimbursement of Company’s costs where such assistance is materially burdensome and not already included in the Services.

9.1 Notification

Company will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

9.2 Contents of Notice

Such notice will include, to the extent reasonably available at the time:

  • the nature of the Personal Data Breach;
  • the categories of affected data and Data Subjects, where known;
  • the likely consequences of the Personal Data Breach, where known; and
  • the measures taken or proposed to address the Personal Data Breach.

9.3 No Admission

Company’s notification of a Personal Data Breach is not an acknowledgment of fault or liability.

10.1 Authorization

Customer grants Company a general written authorization to engage Subprocessors in connection with the Services.

10.2 Subprocessor Obligations

Company will impose data protection obligations on Subprocessors that are materially no less protective of Customer Personal Data than those set out in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.

10.3 Subprocessor List and Changes

Company may make available a current list of Subprocessors through a public webpage or other documentation. Company may update its Subprocessors from time to time. Where required by Applicable Data Protection Laws or contract, Company will provide notice of material changes to Subprocessors through the Services, email, or relevant documentation.

10.4 Liability for Subprocessors

Company remains responsible for the performance of its Subprocessors’ obligations under this DPA to the extent required by Applicable Data Protection Laws.

11.1 General

Customer acknowledges that Company and its Subprocessors may process Customer Personal Data in countries outside the EEA, UK, Switzerland, or the jurisdiction in which Customer or the Data Subject is located.

11.2 Transfer Mechanisms

To the extent required by Applicable Data Protection Laws, Company will ensure that cross-border transfers of Customer Personal Data are subject to an appropriate transfer mechanism, which may include:

  • SCCs;
  • the UK International Data Transfer Addendum or other UK-approved transfer mechanism;
  • Swiss-approved transfer mechanisms;
  • adequacy decisions; or
  • another lawful transfer mechanism recognized under Applicable Data Protection Laws.

11.3 SCC Incorporation

Where required, the SCCs are incorporated by reference into this DPA and deemed completed as follows:

  • Module Two (Controller to Processor) applies where Customer is a Controller and Company is a Processor.
  • Module Three (Processor to Processor) applies where Customer is a Processor and Company is a subprocessor.
  • The optional docking clause applies.
  • The optional independent dispute resolution clause does not apply unless required by law.
  • The governing law and competent supervisory authority will be those identified in accordance with Applicable Data Protection Laws and Customer’s establishment.
  • The annexes to the SCCs will be deemed completed with the information set out in this DPA and Annex 1 and Annex 2.

If a successor transfer mechanism replaces the SCCs, that successor mechanism will apply automatically to the extent legally required.

12.1 Information Rights

Upon reasonable written request, Company will make available information reasonably necessary to demonstrate compliance with this DPA, which may include summaries of relevant security documentation, certifications, audit reports, or responses to reasonable security questionnaires, to the extent available and subject to confidentiality restrictions.

12.2 Audit Limitations

To the extent required by Applicable Data Protection Laws, and where the information provided under Section 12.1 is insufficient, Customer may request an audit of Company’s compliance with this DPA no more than once per year, subject to:

  • reasonable advance written notice;
  • mutually agreed scope, timing, and duration;
  • confidentiality obligations;
  • the audit being conducted during normal business hours and in a manner that does not unreasonably interfere with Company’s operations or compromise the security or confidentiality of other customers’ data; and
  • Customer bearing its own costs and reimbursing Company for reasonable internal costs, unless the audit reveals a material breach of this DPA.

Company may satisfy an audit request by providing recent third-party audit reports or certifications where appropriate.

Upon termination or expiration of the Services, and subject to the Agreement and applicable law, Company will, at Customer’s choice and to the extent supported by the Services, delete or return Customer Personal Data after the end of the applicable retention or retrieval period, unless retention is required by law or reasonably necessary for security, backup, fraud prevention, legal defense, or compliance purposes.

Customer acknowledges that deletion from backups and archival systems may occur in accordance with Company’s standard deletion cycles.

To the extent Company processes Customer Personal Data subject to U.S. state privacy laws in a Service Provider, Contractor, or Processor capacity:

  • Company will not retain, use, or disclose such Customer Personal Data for any purpose other than the specific business purposes set out in the Agreement and this DPA, except as otherwise permitted by applicable law;
  • Company will not sell or share such Customer Personal Data, as those terms are defined under applicable law, except as instructed by Customer or otherwise permitted by law;
  • Company will not combine such Customer Personal Data with personal data received from other sources except as permitted by applicable law;
  • Company will comply with applicable restrictions and provide the level of privacy protection required by applicable law; and
  • Company will notify Customer if Company determines that it can no longer meet its obligations under applicable U.S. state privacy laws.

Customer may take reasonable and appropriate steps, consistent with the Agreement and this DPA, to ensure that Company uses Customer Personal Data in a manner consistent with Customer’s obligations under applicable U.S. state privacy laws.

Each party’s liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability set out in the Agreement, unless Applicable Data Protection Laws require otherwise.

16.1 Entire Agreement

This DPA supplements the Agreement and forms part of it.

16.2 Order of Precedence

In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA controls to the extent of that conflict.

16.3 Amendments for Legal Changes

If changes in Applicable Data Protection Laws, transfer mechanisms, or regulatory guidance require modifications to this DPA, the parties will work in good faith to implement reasonably necessary amendments.

16.4 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.

A. Subject Matter

Provision of the Services under the Agreement.

B. Duration

For the duration of the Agreement and any applicable post-termination retention or deletion period.

C. Nature and Purpose of the Processing

Processing necessary to provide, maintain, support, secure, improve, and operate the Services, including hosting, storage, transmission, organization, retrieval, localization, translation, AI-assisted processing, app-building support, loyalty and engagement features, analytics-related functions, troubleshooting, customer support, and related service operations.

D. Categories of Data Subjects

May include:

  • Customer’s employees, contractors, administrators, agents, and authorized users;
  • Customer’s end customers, app users, visitors, shoppers, subscribers, or loyalty participants; and
  • other individuals whose Personal Data is submitted to the Services by or on behalf of Customer.

E. Categories of Personal Data

May include:

  • names;
  • email addresses;
  • contact details;
  • billing and account information;
  • order-related identifiers;
  • app or device-related identifiers;
  • IP address and technical usage information;
  • language, locale, and country signals;
  • prompts, source text, translations, generated outputs, and metadata;
  • loyalty-related activity;
  • support records and attachments; and
  • any other Personal Data submitted by Customer through the Services.

F. Sensitive Data

Customers must not submit special-category or similarly sensitive data except where explicitly approved in writing and supported by the relevant Service configuration.

The Company maintains a security program that includes measures appropriate to the nature of the Services and the risks involved. Such measures may include:

  • policies governing access control, acceptable use, and information security;
  • user authentication and role-based access controls;
  • encryption in transit and, where appropriate, at rest;
  • logging, monitoring, and alerting;
  • vulnerability management and patching;
  • backup, disaster recovery, and business continuity practices;
  • incident response procedures;
  • employee confidentiality obligations and security awareness measures;
  • vendor and subprocessor due diligence; and
  • processes designed to restrict access to Customer Personal Data to authorized personnel with a legitimate business need.

The Company may update these measures from time to time, provided that such updates do not materially diminish the overall security of the Services.
