Data Processing Agreement

Last updated: March 21, 2026

This Data Processing Agreement ("DPA") supplements the Terms and Conditions ("Terms") and applies to personal data processed by Figstra Software GmbH ("Company", "we", "us") on behalf of the customer ("Customer", "you") through the Services.

Customer acts as controller and/or processor, as applicable, with respect to Customer Personal Data. Company acts as processor or sub-processor, as applicable. This DPA does not apply to personal data the Company processes as an independent controller for its own purposes.

This DPA applies only where expressly agreed in writing, including electronically, between Company and Customer. It does not apply automatically to anonymous or public use of the Services without an identifiable contractual relationship.

1. Definitions

"Customer Personal Data" means personal data submitted to the Services by or on behalf of Customer and processed by Company on Customer's behalf under this DPA.

2. Processing instructions

We will process Customer Personal Data only on your documented instructions, unless applicable law requires otherwise. Documented instructions include the Terms, this DPA, your use and configuration of the Services, and other documented instructions mutually agreed by the parties.

If we become aware that applicable law requires us to process Customer Personal Data beyond your instructions, we will notify you before processing unless the law prohibits such notification.

If we believe that an instruction infringes applicable data protection law, we will notify you without undue delay. We are not obliged to make a legal assessment of your instructions.

We will not process Customer Personal Data for our own marketing or advertising purposes.

3. Confidentiality

All persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty.

4. Security measures

We will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex C. We review and update these measures from time to time based on changes to the Services, processing activities, and relevant risks.

5. Sub-processors

We use the sub-processors listed in Annex B. You grant a general authorization for us to engage further sub-processors, subject to the following:

We will notify you of any intended changes to our sub-processors at least 14 days before the change takes effect, using the contact details you have provided to us. If you object to a new sub-processor within the notice period, we will discuss reasonable alternatives with you for 14 days. If no resolution is reached, you may terminate the affected Service by notifying us in writing.

Where a sub-processor change is required by law or necessary to address an urgent security, legal, or operational issue or risk, we may make the change on shorter notice or immediately and will notify you as soon as reasonably practicable.

We will impose contractual obligations on each sub-processor that are no less protective than those in this DPA.

6. Data subject rights

If we receive a request from a data subject relating to Customer Personal Data, we will promptly notify you. We will not respond to the request independently, except to direct the data subject to you.

Taking into account the nature of the processing, we will provide reasonable assistance through appropriate technical and organizational measures, insofar as possible, to help you respond to requests to exercise data subject rights.

7. Breach notification

If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay.

Our notification will include, to the extent available at the time: the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to address the breach. We will provide periodic updates as further information becomes available.

We will not make a public announcement about a breach affecting Customer Personal Data without your consent, unless required by law.

8. Compliance assistance

Taking into account the nature of processing and the information available to us, we will provide reasonable assistance to you with:

  • data protection impact assessments
  • prior consultations with supervisory authorities
  • ensuring compliance with your obligations regarding security of processing, breach notification, and related obligations under applicable data protection law

9. Deletion and return

On termination of the Terms, we will delete or return Customer Personal Data at your choice. If you do not request return within 30 days after termination, we will delete Customer Personal Data from active systems without undue delay.

Some data may take longer to remove where we are legally required to keep it or where needed for billing, security, or fraud prevention. Deleted data may persist in backups, caches, or redundant storage until those are overwritten or cleared in the ordinary course.

Written confirmation of deletion is available on request within a reasonable period.

10. Audit

We will make available the information reasonably necessary to demonstrate compliance with this DPA. Audit requests should normally be satisfied through a third-party audit report or a written questionnaire. On-site audits are not permitted.

Audit requests may be made no more than once per 12 months. Customer bears reasonable costs associated with audit activities. We will not disclose other customers' data or proprietary architecture details during an audit.

11. Customer obligations

You warrant that you have a lawful basis for the processing of Customer Personal Data, that the data you submit is accurate and lawful, and that you are responsible for breach notification to supervisory authorities and data subjects where you are the controller.

You are responsible for determining whether the Services are suitable for your intended use and for configuring available security features appropriately.

Customer must not submit special categories of personal data within the meaning of Article 9 GDPR, or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR, except to the extent Customer has satisfied all requirements under applicable data protection law.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms, except to the extent liability cannot be limited under applicable data protection law.

13. International transfers

Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland, we will ensure that an appropriate transfer mechanism under applicable data protection law applies to the transfer, including, where applicable, an adequacy decision, certification under the EU–US Data Privacy Framework and the UK Extension and/or Swiss framework, the EU Standard Contractual Clauses, and/or the UK International Data Transfer Addendum.

We will cooperate with you in any transfer impact assessment if reasonably requested.

14. Government access requests

If we receive a request from a government authority for access to Customer Personal Data, we will:

  • notify you promptly, unless legally prohibited from doing so
  • challenge the request, to a reasonable extent, insofar as it is unlawful or overbroad
  • disclose only the minimum data legally required
  • not provide any government authority with direct or backdoor access to Customer Personal Data
  • not disclose encryption keys unless legally required to do so

15. Term

This DPA is in effect for the duration of the Terms. The obligations in Sections 3, 9, and 14 survive termination. In the event of a conflict between this DPA and the Terms on data protection matters, this DPA prevails.
Annex A — Processing details

Subject matter: Processing of personal data through the Services
Duration: Duration of the Terms
Nature and purpose: Receiving, storing, displaying, forwarding, and replaying webhook HTTP requests and associated payload data as necessary to provide the Services
Frequency: Continuous
Categories of data subjects: Customer's end users, Customer's employees or contractors, and other individuals whose personal data is included in webhook payloads
Categories of personal data: Names, email addresses, and other contact details; transaction and order identifiers; HTTP request metadata (headers, IP addresses, timestamps); any other personal data included in webhook payloads by Customer or third parties sending requests on Customer's behalf
Special categories: None, unless Customer has satisfied all applicable legal requirements pursuant to Section 11 of this DPA

Annex B — Sub-processor list

Name                                  Purpose                       Location
UpCloud Oy                            Hosting and storage           Finland
Hetzner Online GmbH                   Analytics infrastructure      Germany
Cloudflare, Inc.                      CDN, storage, and security    United States
Functional Software, Inc. (Sentry)    Error reporting               United States

Annex C — Technical and organizational measures

Data protection by design:
- Pseudonymization and data minimization where feasible

Encryption and key management:
- Encryption of data in transit and at rest
- Encryption key management procedures

Access control:
- Role-based access and least-privilege principles
- Multi-factor authentication for privileged access
- Regular review of access rights

System security:
- Network segmentation
- Vulnerability management and patching
- Logging and monitoring
- Incident detection and response procedures

Organizational measures:
- Employee confidentiality obligations and training
- Physical security of infrastructure (where applicable)

Resilience and continuity:
- Backup and recovery procedures, including backup testing
- Resilience and availability measures

Assurance:
- Regular testing and evaluation of security measures