Data Processing Agreement

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Kontraktr Terms of Service or applicable data protection law. For the purposes of this DPA:

• “Personal Data”means any information relating to an identified or identifiable natural person (“Data Subject”) that the Controller submits to, or that is generated by, the Service.
• “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
• “Data Controller” means the Customer, who determines the purposes and means of processing Personal Data.
• “Data Processor” means Fuzed Labs LLC (Kontraktr), which processes Personal Data on behalf of the Controller.
• “Sub-Processor” means any third party engaged by the Processor to process Personal Data in connection with the Service.
• “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
• “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data adopted by the European Commission (2021/914/EU).

2. Scope and Nature of Processing

2.1 Subject Matter

Processor shall process Personal Data solely to provide the Service and ancillary services (e.g., support, security monitoring) as directed by Controller.

2.2 Categories of Data Subjects

• Controller's employees and team members who use the Service.
• Controller's customers and business contacts whose data is entered into the Service.
• Third parties whose information is submitted by Controller (e.g., suppliers, recipients on invoices or job records).

2.3 Categories of Personal Data

• Identification data: name, email address, phone number, company name.
• Account data: login credentials (stored as one-way hashed passwords), role assignments, avatar images.
• Business data: job records, orders, invoice details, shipping addresses, customer notes.
• Communication data: team chat messages, file attachments, automated email and SMS content.
• Usage data: session logs, feature interactions, error reports (collected in anonymized or pseudonymized form).

2.4 Purpose of Processing

Personal Data is processed solely for the purpose of delivering the Service, including job management, invoicing, customer communication, production scheduling, file storage, analytics, and team collaboration features as described in the Kontraktr Terms of Service.

2.5 Duration

Processing continues for the duration of the subscription term and for up to thirty (30) days following account cancellation, after which Personal Data is permanently deleted (except where retention is required by law).

3. Controller Obligations

The Controller warrants and undertakes that:

• It has a lawful basis (as defined under applicable data protection law) for processing all Personal Data submitted to the Service, and for instructing Processor to process such data.
• It has provided all required notices and obtained all necessary consents from Data Subjects whose data is entered into the Service.
• It will not instruct Processor to process Personal Data in a manner that violates applicable law or the rights of Data Subjects.
• It will promptly inform Processor if any instruction given violates, or is reasonably likely to violate, applicable data protection law.
• It is solely responsible for the accuracy, legality, and integrity of Personal Data submitted to the Service.

4. Processor Obligations

Processor shall:

• Process Personal Data only on documented instructions from Controller, including as set out in this DPA and the Terms of Service, unless required by applicable law.
• Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
• Implement and maintain the technical and organizational security measures described in Section 7 of this DPA.
• Assist Controller, to the extent reasonably practicable, in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable data protection law.
• Assist Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
• At Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by applicable law.
• Make available to Controller all information reasonably necessary to demonstrate compliance with this DPA.
• Not use Personal Data for AI model training. Where AI-powered features are used, data is transmitted to sub-processors solely for the purpose of generating the specific feature response and is not retained for training purposes.

5. Sub-Processors

5.1 Authorized Sub-Processors

Controller grants general authorization for Processor to engage the following sub-processors in connection with the Service:

5.2 Changes to Sub-Processors

Processor will provide at least thirty (30) days' prior written notice (by email or in-Service notice) before adding or replacing a sub-processor. If Controller reasonably objects to a new sub-processor on data protection grounds, the parties will work in good faith to resolve the objection. If unresolved within thirty (30) days, Controller may terminate the Service with a pro- rated refund for the unused subscription period.

5.3 Sub-Processor Contracts

Processor has entered into, or will enter into, written agreements with each sub-processor that impose data protection obligations no less protective than those in this DPA. Processor remains responsible to Controller for sub-processors' compliance with this DPA.

6. Data Subject Rights

To the extent that Controller is unable to independently address a Data Subject request through the Service interface, Processor will, upon written request from Controller, provide commercially reasonable assistance to Controller in responding to:

• Right of Access (GDPR Art. 15 / CCPA): Requests to confirm what Personal Data is processed and to receive a copy.
• Right to Rectification (GDPR Art. 16): Requests to correct inaccurate Personal Data.
• Right to Erasure (GDPR Art. 17 / CCPA): Requests to delete Personal Data. Controller may exercise this right via the data deletion API endpoint at DELETE /api/settings/data-retention or by contacting privacy@kontraktr.io.
• Right to Restriction (GDPR Art. 18): Requests to restrict processing in defined circumstances.
• Right to Portability (GDPR Art. 20): Requests to receive Personal Data in a structured, machine-readable format. Data export is available through the Service.
• Right to Object (GDPR Art. 21): Objections to processing based on legitimate interests.

Processor will not respond directly to Data Subject requests without Controller's prior written authorization, except where required by applicable law.

7. Security Measures

Processor implements and maintains the following technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:

7.1 Technical Measures

• Encryption of data in transit using TLS 1.2 or higher (HTTPS enforced via HSTS).
• Encryption of data at rest provided by Neon PostgreSQL and Vercel infrastructure.
• Password hashing using bcrypt with appropriate cost factor; plaintext passwords are never stored.
• Multi-factor authentication (TOTP) available for all user accounts.
• Account lockout after five (5) consecutive failed authentication attempts (15-minute lockout period).
• Session management with automatic invalidation on password change.
• API rate limiting to prevent unauthorized bulk data extraction.
• Content Security Policy (CSP) and additional HTTP security headers on all responses.

7.2 Organizational Measures

• Role-based access control (RBAC) limiting data access to personnel with a legitimate need.
• Structured audit logging of administrative actions and data access events.
• Automated data retention and cleanup procedures to minimize unnecessary data storage.
• Dependabot-enabled dependency monitoring for security vulnerability patching.
• Infrastructure hosted on SOC 2 Type II compliant providers (Vercel, Neon).

Processor may update security measures over time to reflect changes in technology and best practices, provided that updates do not materially reduce the overall level of protection.

8. Data Breach Notification

In the event that Processor becomes aware of a Security Incident affecting Controller's Personal Data, Processor shall:

• Notify Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of the Security Incident (to the extent permitted by applicable law).
• Provide Controller with sufficient information to allow Controller to meet its obligations to notify supervisory authorities and affected Data Subjects, including: (a) nature of the incident; (b) categories and approximate number of Data Subjects affected; (c) categories and approximate number of Personal Data records affected; (d) likely consequences; and (e) measures taken or proposed to address the incident.
• Cooperate with Controller and take such reasonable steps as directed by Controller to remediate the Security Incident.

Notification to Controller shall be sent to the email address associated with the Controller's account. Controller is responsible for providing an accurate notification email address and for updating it when necessary.

Processor's notification of a Security Incident does not constitute an acknowledgment by Processor of fault or liability.

9. International Data Transfers

Processor and its sub-processors are located in the United States. To the extent that processing involves a transfer of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or other third countries without an adequacy decision, such transfers are subject to appropriate safeguards.

9.1 Transfer Mechanisms

• Standard Contractual Clauses (SCCs):The parties agree that for EEA-originating transfers, the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) adopted under Decision 2021/914/EU are hereby incorporated by reference and apply to such transfers. The relevant Appendices are completed as follows: Appendix I — as described in Section 2 of this DPA; Appendix II — as described in Section 7 of this DPA.
• UK Addendum: Where applicable, the UK International Data Transfer Addendum (IDTA) to the SCCs applies for transfers from the UK.

If the legal basis for international transfers changes or is invalidated, the parties will cooperate in good faith to implement an alternative lawful transfer mechanism.

10. Term and Termination

This DPA takes effect on the date Controller first accepts the Kontraktr Terms of Service and continues until the expiry or termination of Controller's subscription.

Upon termination of the subscription, Processor shall, within thirty (30) days and at Controller's choice:

• Return all Personal Data to Controller in a machine-readable format (CSV/JSON), or
• Securely delete all Personal Data and certify deletion in writing upon request.

Processor may retain Personal Data to the extent required by applicable law, provided that it continues to protect such data in accordance with this DPA.

11. Liability

Each party's liability to the other under or in connection with this DPA is subject to the limitations and exclusions set out in the Kontraktr Terms of Service. Nothing in this DPA is intended to limit either party's liability to Data Subjects or supervisory authorities under applicable data protection law.

Where a party is held liable for a violation caused by the other party, the party held liable shall be entitled to claim back from the other party that part of the compensation corresponding to the other party's responsibility.

12. Governing Law

This DPA shall be governed by the laws of the State of Delaware, United States of America, subject to the mandatory requirements of applicable data protection law (including GDPR and CCPA). Any dispute arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Kontraktr Terms of Service.

Nothing in this clause shall limit the right of a Data Subject to bring proceedings before a competent supervisory authority or court in their jurisdiction as provided by applicable data protection law.

13. Execution

This DPA is incorporated into and forms part of the Kontraktr Terms of Service. By subscribing to and using the Service, Controller accepts this DPA as a binding agreement.

Enterprise customers requiring a countersigned copy of this DPA for their compliance records (e.g., GDPR Article 28 documentation requirements) may request a signed version by contacting:

Note: This DPA is a template and has not yet been reviewed by legal counsel. Fuzed Labs LLC recommends that enterprise customers consult their own legal advisors before relying on this agreement for compliance purposes. A lawyer-reviewed version will supersede this template upon completion.