Data Processing Agreement (DPA)

Effective Date: March 1, 2024

Last Updated: March 1, 2024


This Data Processing Agreement ("Agreement") is incorporated into and forms part of the Terms of Service ("Terms") between you ("Data Controller") and Fiducia.gg ("Data Processor" or "we," "us," or "our"). By clicking the "I Agree" button and accepting the Terms, you also agree to be bound by this Agreement. If you do not agree to this Agreement, you may not use our Services.


1. Introduction and Parties Involved

  • Data Controller: The client or user who determines the purposes and means of processing personal data.
  • Data Processor: Fiducia.gg, located at Gstaller Weg 36, 82166 Gräfelfing, Germany, which provides services involving the processing of personal data on behalf of the Data Controller.

Purpose of the Agreement:

This Agreement sets out the terms and conditions under which we will process personal data on your behalf in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.


2. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing": Any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject": An individual to whom the Personal Data relates.
  • "Supervisory Authority": An independent public authority responsible for monitoring the application of data protection laws.
  • "Sub-Processor": Any third party appointed by us to process Personal Data on your behalf.

3. Subject Matter and Duration

Scope of Processing

We shall provide the following services:

  • Content Moderation: Automated detection and removal of prohibited material, including spam, hate speech, and violations of community standards.
  • Sensitive Data Management: Encrypted processing and storage of personal or business-critical data.
  • Automated Messaging (Auto-DM): Customizable tools for automated messaging to facilitate communication and engagement.

Types of Personal Data Processed:

  • Usernames, email addresses, messages, user-generated content, contact information, and any other data input by users.

Categories of Data Subjects:

  • Users of Fiducia.gg services, their customers, followers, and any individuals whose data is processed through the platform.

Duration

This Agreement is effective from March 1, 2024, and remains in force as long as we process Personal Data on your behalf.


4. Obligations of the Data Processor (Fiducia.gg)

a. Processing Instructions

  • We shall process Personal Data only on documented instructions from you, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law. In such a case, we shall inform you of that legal requirement before processing, unless prohibited by law.

b. Confidentiality

  • We ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

c. Security Measures

  • We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • Encryption: Use of Transport Layer Security (TLS) for data in transit and Advanced Encryption Standard (AES) for data at rest.
    • Access Controls: Strict role-based access controls, password policies, and multi-factor authentication.
    • Physical Security: Secure data centers with controlled access and surveillance systems.
    • Network Security: Firewalls, intrusion detection/prevention systems, and regular vulnerability assessments.
    • Incident Response: Procedures for detecting, reporting, and responding to security incidents.
    • Employee Training: Regular training on data protection and security practices.

d. Assistance to Data Controller

  • We shall assist you in fulfilling your obligations to respond to Data Subject requests for exercising their rights under GDPR.
  • We shall assist you in ensuring compliance with obligations concerning the security of processing, notification of personal data breaches, data protection impact assessments, and prior consultations with supervisory authorities.

5. Sub-Processing

a. Authorization of Sub-Processors

  • You grant us a general authorization to engage Sub-Processors for the processing of Personal Data. We shall inform you of any intended changes concerning the addition or replacement of Sub-Processors, giving you the opportunity to object.

b. Sub-Processor Agreements

  • We shall ensure that Sub-Processors are bound by data protection obligations no less stringent than those set out in this Agreement.
  • We remain fully liable to you for the performance of the Sub-Processor's obligations.

6. Rights of Data Subjects

  • We shall promptly notify you if we receive a request from a Data Subject to exercise their rights under GDPR.
  • We shall assist you by appropriate technical and organizational measures, insofar as possible, to fulfill your obligation to respond to Data Subject requests.

7. Data Breach Notification

  • We shall notify you without undue delay after becoming aware of a personal data breach.
  • The notification shall include:
    • Description of the nature of the personal data breach.
    • Categories and approximate number of Data Subjects concerned.
    • Likely consequences of the personal data breach.
    • Measures taken or proposed to address the personal data breach.

8. Data Protection Impact Assessments (DPIAs)

  • We shall provide assistance to you in conducting DPIAs and prior consultations with supervisory authorities, where required, taking into account the nature of processing and the information available to us.

9. Deletion or Return of Personal Data

  • Upon termination of the Services, at your choice, we shall delete or return all Personal Data to you and delete existing copies unless storage is required by law.
  • Deletion Timeline: Personal Data will be deleted within 30 days after the termination of the Services, in accordance with the data retention periods set out in our Privacy Policy.

10. Audit and Inspection Rights

  • We shall make available to you all information necessary to demonstrate compliance with the obligations laid down in this Agreement.
  • We agree to audits and inspections conducted by you or an auditor mandated by you.
  • Audit Conditions:
    • You shall provide at least 30 days' written notice.
    • Audits are limited to once per year unless required by law or in the event of a data breach.
    • Audits shall be conducted during regular business hours and in a manner that does not disrupt our business operations.

11. International Data Transfers

  • Data Transfer Mechanisms:
    • If transferring Personal Data outside the European Economic Area (EEA), we shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
  • Compliance with GDPR:
    • We shall ensure that any international data transfers comply with Chapter V of the GDPR.

12. Compliance and Cooperation

a. Record-Keeping

  • We shall maintain records of all categories of processing activities carried out on your behalf.

b. Cooperation with Supervisory Authorities

  • We shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.

13. Liability and Indemnification

a. Liability Limitations

  • Each party's liability arising out of or related to this Agreement shall be subject to the limitations and exclusions of liability set forth in the Terms of Service.

b. Indemnification

  • We agree to indemnify and hold you harmless against any claims, damages, or fines arising from our breach of this Agreement or violation of applicable data protection laws.
  • You agree to indemnify and hold us harmless against any claims, damages, or fines arising from your instructions or breach of this Agreement.

14. Governing Law and Jurisdiction

  • Governing Law:
    • This Agreement is governed by the laws of Germany.
  • Jurisdiction:
    • Any disputes arising from or in connection with this Agreement shall be subject to the exclusive jurisdiction of the competent courts in Munich, Germany.

15. Contact Information

Data Protection Officer (DPO)


16. Annexes

Annex A: Details of Processing

  • Subject Matter:
    • Processing of Personal Data in connection with content moderation, sensitive data management, and automated messaging services provided by Fiducia.gg.
  • Duration:
    • For the duration of the service provision as outlined in the Agreement.
  • Nature and Purpose:
    • To provide AI-powered tools for automated content moderation, sensitive data processing, and direct messaging to enhance user engagement and platform functionality.
  • Types of Personal Data:
    • Usernames, email addresses, messages, user-generated content, contact information, and any other data input by users.
  • Categories of Data Subjects:
    • Users of Fiducia.gg services, their customers, followers, and any individuals whose data is processed through the platform.

Annex B: Technical and Organizational Measures

We shall implement the following technical and organizational measures to ensure the security of Personal Data:

Access Control

  • Role-Based Access Controls: Access to Personal Data is limited to authorized personnel based on job responsibilities.
  • Authentication Measures: Strong password policies and multi-factor authentication are enforced.

Physical Security

  • Secure Facilities: Data centers have controlled access, surveillance systems, and environmental controls.
  • Access Logs: All physical access to servers and data centers is logged and monitored.

Data Encryption

  • Data in Transit: Personal Data is encrypted using TLS protocols during transmission.
  • Data at Rest: Personal Data is stored encrypted using AES encryption standards.

Network Security

  • Firewalls and IDS/IPS: Implementation of firewalls and intrusion detection/prevention systems to protect network boundaries.
  • Regular Security Assessments: Periodic vulnerability assessments and penetration testing are conducted.

Incident Management

  • Incident Response Plan: Procedures are in place for detecting, reporting, and responding to security incidents promptly.
  • Notification Protocols: Clear guidelines on internal and external communications in the event of a data breach.

Employee Training

  • Security Awareness Programs: Regular training for employees on data protection policies, security practices, and GDPR compliance.
  • Confidentiality Agreements: All personnel with access to Personal Data sign confidentiality agreements.

Data Minimization and Pseudonymization

  • Data Minimization: Only Personal Data necessary for the specified purposes is processed.
  • Pseudonymization: Personal Data is pseudonymized where appropriate to reduce the risk of identification.

Regular Testing and Evaluation

  • Technical Measures: Regular testing of security technologies to ensure effectiveness.
  • Organizational Measures: Periodic reviews of policies and procedures related to data protection.

17. General Clauses

a. Amendments

  • We may modify this Agreement from time to time. We will notify you of any significant changes by posting the new Agreement on our website and updating the "Last Updated" date. Continued use of the Services after the effective date constitutes acceptance of the revised Agreement.

b. Severability

  • If any provision of this Agreement is found to be invalid or unenforceable, the remainder shall remain in full force and effect.

c. Entire Agreement

  • This Agreement, along with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior agreements.

d. Assignment

  • Neither party may assign or transfer any of its rights or obligations under this Agreement without the prior written consent of the other party.

e. Notices

  • All notices and communications shall be in writing and delivered to the contact information provided in Section 15.

By accepting the Terms of Service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.


If you have any questions or require further assistance, please contact us at support@mg.fiducia.gg.