
Data Processing Agreement

Version 2.0 - Last updated: 2025-01-15


1. Introduction

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service ("Agreement") between Fiddle, Inc. ("Fiddle", "we", "us", or "our") and the Customer ("you" or "your") that has agreed to the Agreement.

This DPA sets out the terms that apply when Personal Data is processed by Fiddle on behalf of the Customer in connection with the provision of the Fiddle inventory management platform and related services ("Services").

Applicability

This DPA applies where Fiddle processes Personal Data on behalf of Customer as a data processor. It reflects the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable privacy regulations.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below:

"Personal Data"

Any information relating to an identified or identifiable natural person that is processed by Fiddle on behalf of Customer in connection with the Services.

"Data Controller"

The entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, Customer is the Data Controller.

"Data Processor"

The entity that processes Personal Data on behalf of the Data Controller. For the purposes of this DPA, Fiddle is the Data Processor.

"Sub-processor"

Any third party engaged by Fiddle to process Personal Data on behalf of Customer.

"Data Subject"

An identified or identifiable natural person whose Personal Data is processed.

"Data Protection Laws"

All applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, and any other applicable data protection legislation.

3. Scope of Processing

This section describes the scope, nature, and purpose of the data processing activities performed by Fiddle:

3.1 Categories of Data Subjects

  • Customer's employees and authorized users
  • Customer's customers and contacts
  • Customer's suppliers and vendors
  • Other individuals whose data Customer uploads to the Services

3.2 Categories of Personal Data

  • Contact information (name, email, phone, address)
  • Business information (company name, job title)
  • Account credentials and authentication data
  • Transaction and order data
  • Communication records and correspondence
  • Usage data and system logs

3.3 Purpose of Processing

Fiddle processes Personal Data solely for the purpose of providing the Services as described in the Agreement, including:

  • Providing inventory management and tracking functionality
  • Enabling order processing and fulfillment features
  • Facilitating customer relationship management
  • Generating reports and analytics
  • Providing technical support and maintenance
  • Ensuring security and preventing fraud

3.4 Duration of Processing

Fiddle will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.

4. Customer Responsibilities

As the Data Controller, Customer agrees to:

  • Ensure that Personal Data is collected and processed lawfully and in compliance with applicable Data Protection Laws
  • Provide all necessary notices to, and obtain all required consents from, Data Subjects prior to transferring their Personal Data to Fiddle
  • Ensure that the processing instructions provided to Fiddle comply with applicable Data Protection Laws
  • Implement appropriate security measures for data transmitted to and from the Services
  • Notify Fiddle promptly of any changes to data protection requirements that may affect the processing
  • Respond to Data Subject requests and complaints relating to their Personal Data

5. Fiddle Responsibilities

As the Data Processor, Fiddle agrees to:

  • Process Personal Data only on documented instructions from Customer, unless required to do so by applicable law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Assist Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation
  • At Customer's choice, delete or return all Personal Data after the end of the provision of Services, unless storage is required by applicable law
  • Make available to Customer all information necessary to demonstrate compliance with Data Processor obligations

6. Sub-processors

Customer acknowledges and agrees that Fiddle may engage Sub-processors to assist in providing the Services. Fiddle will:

  • Maintain a list of current Sub-processors, which is available upon request
  • Notify Customer of any intended changes concerning the addition or replacement of Sub-processors, giving Customer the opportunity to object
  • Ensure that Sub-processors are bound by written agreements that require them to provide at least the same level of data protection as this DPA
  • Remain fully liable to Customer for the performance of Sub-processor obligations

Key Sub-processors

Fiddle currently uses the following categories of Sub-processors:

  • Cloud infrastructure providers (hosting and storage)
  • Analytics and monitoring services
  • Customer support platforms
  • Email delivery services
  • Payment processing services

A complete list of Sub-processors is available at fiddle.io/security or upon request.

7. Data Subject Rights

Fiddle will assist Customer in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

If Fiddle receives a request from a Data Subject directly, Fiddle will promptly notify Customer unless prohibited by law, and will not respond to the request without Customer's prior authorization except to confirm that the request relates to Customer.

8. Security Measures

Fiddle implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

Encryption

Data encrypted in transit (TLS 1.2+) and at rest (AES-256)

Access Controls

Role-based access, multi-factor authentication, least privilege principle

Monitoring

24/7 security monitoring, intrusion detection, and logging

Infrastructure

SOC 2 Type II certified data centers with physical security

Personnel

Background checks, security training, confidentiality agreements

Business Continuity

Regular backups, disaster recovery, and incident response plans

For more details about our security practices, please visit our Security page or Trust Center.

9. Data Breach Notification

In the event of a Personal Data breach, Fiddle will:

  • Notify Customer without undue delay after becoming aware of a breach affecting Customer's Personal Data (and in any event within 72 hours where feasible)
  • Provide reasonable assistance to Customer in meeting Customer's obligations to notify supervisory authorities and/or affected Data Subjects
  • Take reasonable steps to identify the cause and mitigate the effects of the breach
  • Document all breaches, including the facts, effects, and remedial actions taken

Breach Notification Content

Notifications will include, to the extent known: description of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. International Data Transfers

Fiddle is based in the United States and processes Personal Data in the United States. When transferring Personal Data from the EU/EEA, UK, or Switzerland to the United States or other countries, Fiddle relies on the following safeguards:

  • Standard Contractual Clauses (SCCs): We incorporate the EU Commission's Standard Contractual Clauses for international data transfers
  • UK International Data Transfer Agreement: For UK transfers, we use the UK Addendum to the EU SCCs
  • Supplementary Measures: Additional technical and organizational measures to ensure adequate protection during transfer

The SCCs are incorporated into this DPA by reference. Upon request, Fiddle will provide a copy of the executed SCCs.

11. Audits and Inspections

Fiddle will make available to Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

Audit rights are subject to the following conditions:

  • Customer must provide reasonable advance notice (at least 30 days) of any audit
  • Audits may be conducted no more than once annually, unless required by law or following a security incident
  • Auditors must execute appropriate confidentiality agreements
  • Customer will bear the costs of the audit unless the audit reveals material non-compliance by Fiddle

As an alternative to on-site audits, Customer may review Fiddle's most recent SOC 2 Type II report and other relevant certifications, which Fiddle will provide upon request under NDA.

12. Termination and Data Return

Upon termination or expiration of the Agreement, Fiddle will:

  • At Customer's election, return a complete copy of all Personal Data to Customer in a commonly used, machine-readable format, or securely destroy all Personal Data
  • Complete the return or destruction within 30 days of termination, unless a longer period is agreed or required by law
  • Provide written certification of destruction upon Customer's request
  • Ensure that Sub-processors also delete or return Personal Data as applicable

Fiddle may retain Personal Data to the extent required by applicable law, provided that Fiddle ensures the confidentiality of such data and processes it only as necessary for the purpose(s) specified in the applicable legal requirement.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any other liability that cannot be limited or excluded by applicable law

Fiddle shall be liable for any damages caused by processing that infringes this DPA or applicable Data Protection Laws only to the extent that Fiddle has not complied with obligations specifically directed to data processors under such laws or has acted outside of or contrary to Customer's lawful instructions.

14. Amendments

Fiddle may update this DPA from time to time to reflect changes in Data Protection Laws or our data processing practices. Material changes will be notified to Customer with at least 30 days' notice before they become effective.

If Customer objects to any material change, Customer may terminate the Agreement within 30 days of receiving notice of the change. Continued use of the Services after the effective date of any change constitutes acceptance of the updated DPA.

15. Contact Information

For questions about this DPA or to exercise any rights, please contact us:

Fiddle, Inc. - Legal Department

333 W 2230 N
Suite 310
Provo, UT 84604
United States

Legal Inquiries: legal@fiddle.io

Privacy Inquiries: privacy@fiddle.io

Data Protection Officer: dpo@fiddle.io

Related Documents

This DPA should be read in conjunction with our other legal documents: