
Data Processing Agreement (DPA) — Template

THIS IS A TEMPLATE. It is provided as a starting point so a customer's counsel can prepare a binding Data Processing Agreement with Fyord. It is not a finished contract. Both parties must review and adapt it with qualified legal advice before signing. Fyord makes no representation that this template is suitable for any particular jurisdiction or business arrangement. Until a signed DPA is in force, the privacy policy at <https://getfyord.com/en/privacy> governs the processing relationship.

Last revised: 2026-05-02 · Template version: 1.0

This DPA is entered into between:

  • Customer — the legal entity that has subscribed to the Fyord service (the "Controller"); and
  • Blue House Technologies Sp. z o.o., a Polish limited liability company with registered office at Wspólna 17, 16-300 Augustów, Poland, VAT ID PL8461666787 (the "Processor" or "Fyord").

Each a "Party"; together the "Parties".

This DPA supplements the Customer's subscription to the Fyord service (the "Principal Agreement") and is incorporated into it by reference. In case of conflict between this DPA and the Principal Agreement on data-protection matters, this DPA prevails.

This DPA is structured to align with the European Commission's Standard Contractual Clauses (Decision 2021/914 — "SCCs"), Module Two (transfer controller-to-processor). Where signed by Parties not subject to the GDPR, the SCC framework still applies as a contractual baseline.


1. Definitions

Capitalised terms not defined here have the meaning given to them in the GDPR (Regulation 2016/679) and the SCCs.

  • Personal Data — any information relating to an identified or identifiable natural person that the Controller transmits to, or causes to be processed by, the Processor under the Principal Agreement.
  • Processing — any operation performed on Personal Data, as defined in GDPR Art. 4(2).
  • Sub-processor — any third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.
  • Personal Data Breach — a breach of security as defined in GDPR Art. 4(12).
  • Service — the Fyord application and APIs as described at <https://getfyord.com> and made available to the Customer.

2. Subject matter, nature and purpose of processing

The Processor will Process Personal Data on behalf of the Controller to deliver the Service: ingesting messages from connected mailboxes, extracting and proposing draft orders, drafting clarification replies, pushing approved orders to the Controller's downstream ERP, and producing the operational, audit, and security records that the Service depends on.

The Processor will Process Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do so by Union or Member-State law to which the Processor is subject. In that case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3. Duration

This DPA enters into force on the effective date of the Principal Agreement and remains in effect for as long as the Processor Processes Personal Data on behalf of the Controller, plus any deletion or return period set out in Section 11.

4. Categories of data subjects

Without limitation, data subjects whose Personal Data may be Processed under this DPA include:

  • Employees, contractors, and other personnel of the Controller who use the Service or whose communications are processed by it.
  • Customers, suppliers, and other business contacts of the Controller whose order or quotation correspondence flows through the connected mailbox.
  • Any natural person referenced in the email content the Controller directs the Processor to process.

5. Categories of Personal Data

Without limitation, the categories of Personal Data Processed include:

  • Identity and contact details (name, email address, phone, postal address, organisation, role).
  • Email content and metadata (subjects, bodies, attachments, timestamps, recipients, message IDs).
  • Order content (article references, quantities, prices, delivery addresses, special instructions).
  • Authentication identifiers (Clerk-issued user/organisation IDs, OAuth-issued opaque tokens for the Controller's downstream integrations).
  • Usage and security telemetry (IP address, user agent, action logs, error reports).

The Parties agree that no special-category data within the meaning of GDPR Art. 9 should be transmitted to the Service. The Controller is responsible for ensuring that messages sent into the Service are limited to the data necessary for the order-drafting workflow.

6. Controller responsibilities

The Controller warrants that:

  1. It has a lawful basis under GDPR Art. 6 for the Processing it directs the Processor to perform and, where applicable, has obtained any required consent from data subjects.
  2. Its instructions to the Processor (including those embedded in product configuration such as retention settings, mailbox selection, and rule definitions) comply with applicable data-protection law.
  3. It has provided data subjects with all information required by GDPR Articles 13 and 14, including identifying the Processor as a recipient of Personal Data.
  4. It bears sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires Personal Data.

7. Processor obligations

The Processor will:

  1. Process only on documented instructions. Documented instructions include this DPA, the Principal Agreement, and the configuration the Controller maintains in the Service (e.g. connected mailboxes, retention windows, agent rules). The Controller may issue additional written instructions during the term, subject to the Processor's reasonable acceptance.
  2. Confidentiality. Ensure that personnel authorised to Process Personal Data are bound by confidentiality undertakings.
  3. Security (GDPR Art. 32). Implement and maintain the technical and organisational measures set out in Annex A.
  4. Sub-processors. Engage Sub-processors only in accordance with Section 9.
  5. Assistance with data-subject rights. Insofar as possible, and taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures in fulfilling its obligation to respond to data-subject requests under GDPR Articles 15–22. The Service offers self-service tools for these rights at Settings → Privacy in the application; further assistance can be requested via <hello@getfyord.com>.
  6. Assistance with Articles 32–36. Assist the Controller in ensuring compliance with security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations, taking into account the nature of the Processing and the information available to the Processor.
  7. Deletion or return. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services relating to Processing, in accordance with Section 11.
  8. Audit and information rights. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, in accordance with Section 12.
  9. Notification of unlawful instruction. Inform the Controller immediately if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member-State data-protection provisions.

8. International transfers

For transfers from the European Economic Area, United Kingdom, or Switzerland to a country not benefitting from an adequacy decision, the Parties shall rely on the SCCs (Module Two — controller-to-processor), which are deemed incorporated by reference into this DPA. The Parties agree that:

  • For the purposes of Clause 17, the governing law is the law of Poland.
  • For the purposes of Clause 18(b), the chosen forum is the courts of Poland.
  • The optional docking clause (Clause 7) applies.
  • Annex I.A and Annex II of the SCCs are populated by Annex B of this DPA.

Where the data importer relies on supplementary measures to address risks identified in a transfer impact assessment, those measures are described in Annex A.

9. Sub-processors

The Controller hereby grants the Processor general authorisation to engage Sub-processors. As of the Last revised date of this DPA, the Sub-processors are:

Sub-processor                  | Role                                            | Region
-------------------------------|-------------------------------------------------|------------------------
Convex                         | Application database, file storage, scheduler   | EU
Vercel                         | Next.js hosting + Speed Insights                | EU
Clerk                          | Authentication, user identity                   | US (DPF-certified)
Microsoft (Graph)              | Customer's own Outlook mailbox via OAuth        | EU (Microsoft 365 EU)
Fortnox                        | Customer's own ERP via OAuth                    | EU
Anthropic / OpenAI             | LLM inference for classifier + extractor        | US
Polar.sh (incl. Stripe as PSP) | Subscription billing & payment processing       | US

The Processor shall notify the Controller in writing of any intended addition or replacement of Sub-processors, giving the Controller the opportunity to object on reasonable data-protection grounds within fifteen (15) calendar days of notice. If the Parties cannot resolve the objection in good faith, the Controller may terminate the affected portion of the Service for cause.

The Processor shall enter into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA, in accordance with GDPR Art. 28(4).

10. Personal Data Breach notification

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Controller Personal Data. The notification shall, to the extent feasible at the time, describe:

  • the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

Where the information cannot be provided at the same time, it may be provided in phases without further undue delay.

11. Deletion or return on termination

Upon termination of the Principal Agreement or at any earlier time at the Controller's request, the Processor shall, at the Controller's choice, delete or return all the Personal Data to the Controller and delete existing copies, unless Union or Member-State law requires storage of the Personal Data.

The Service exposes a self-service GDPR Art. 20 export at Settings → Privacy that produces a JSON archive of all Controller data. The Service exposes a GDPR Art. 17 deletion request at the same location, with a configurable cool-off period (default seven days) before final cascade-purge. The Processor's obligation to delete or return data shall be considered fulfilled by execution of the deletion workflow.

The Processor may retain Personal Data after termination only to the extent and for the period required by applicable law, and shall keep the data confidential and Process it only for the purpose of meeting that legal obligation.

12. Audit rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in GDPR Art. 28 and this DPA. Such information shall include:

  • the technical and organisational measures described in Annex A;
  • the most recent third-party security attestations of the Sub-processors that hold them (e.g. Convex SOC 2, Vercel SOC 2);
  • relevant excerpts of internal policies governing access to Customer data, on reasonable request.

Once per twelve (12) months, the Controller may request an audit limited to the matters covered by this DPA. The Parties shall agree on scope, timing, and conditions in good faith. Audits shall be conducted in a manner that minimises disruption to the Processor's normal business operations and protects the confidentiality of other customers. The Controller bears its own costs and the Processor's reasonable costs of cooperation.

13. Liability

Each Party's liability under this DPA is governed by the limitation-of-liability terms of the Principal Agreement, except to the extent that such limitations are inconsistent with mandatory law.

14. Governing law and jurisdiction

This DPA is governed by the laws of Poland. The courts of Poland shall have exclusive jurisdiction over disputes arising out of or in connection with this DPA, without prejudice to the rights of data subjects under GDPR Art. 79.

15. Entire agreement; severability

This DPA, together with the Principal Agreement and the SCCs (where applicable), constitutes the entire agreement between the Parties with respect to the Processing of Personal Data. If any provision is held invalid or unenforceable, the remaining provisions shall remain in full force.


Signatures

For the Controller

Name: ___________________________
Title: __________________________
Date: ___________________________
Signature: _____________________
Entity: _________________________
Address: ________________________

For the Processor

Name: ___________________________
Title: __________________________
Date: ___________________________
Signature: _____________________
Entity: Blue House Technologies Sp. z o.o.
Address: Wspólna 17, 16-300 Augustów, Polska

Annex A — Technical and organisational measures (TOMs)

The Processor implements the following measures, each of which is maintained for the duration of the DPA and reviewed at least annually.

A.1 Access control

  • Customer data is encrypted at rest by the Convex platform and in transit by TLS 1.2+.
  • OAuth tokens (Fortnox, Microsoft Graph) are stored in an isolated credentials table accessible only via internal Convex functions; export and analytics paths actively exclude this table.
  • All production access by Processor personnel is gated by Clerk authentication and recorded in an immutable internal audit log.
  • Multi-factor authentication is required for all Processor staff with production access.

A.2 Pseudonymisation and minimisation

  • Audit-log entries that reference user IDs or message IDs do so via opaque internal identifiers, not raw customer email addresses.
  • Telemetry sampled for product analytics (Vercel Speed Insights) is anonymous and contains no Personal Data.

A.3 Resilience

  • Convex provides automated backups; in the event of restore, only authorised Processor personnel may trigger the restore process.
  • Sub-processors with SOC 2 attestations are listed in Section 9.

A.4 Security testing

  • Dependency security advisories are tracked and patched on a rolling basis.
  • The codebase is subject to TypeScript strict mode, eslint, and a test suite that runs in CI on every change.
  • Pre-deploy validation gate: lint, typecheck, and tests must pass before code reaches production.

A.5 Monitoring and incident response

  • A frontend-error reporter and a centralised incident table flag unhealthy production behaviour. The Processor maintains a 24/7 incident webhook for severity-1 alerts.
  • A documented incident-response playbook governs assessment, containment, eradication, and notification.

A.6 Data subject self-service

  • The Service exposes a GDPR Art. 20 export and Art. 17 erasure request at Settings → Privacy in the application UI; an admin of the Controller's workspace can use these without contacting Processor support.

A.7 Retention defaults

  • Frontend errors: 90 days
  • External API call log: 180 days
  • AI agent run telemetry: 365 days
  • Security audit log: 7 years

The Controller can shorten any of these via tenant settings.


Annex B — SCC particulars

The information required by Annex I to the SCCs is as follows.

B.1 Parties

  • Data exporter (Controller) — the Customer signing this DPA. Contact details: as set out in the Customer's account.
  • Data importer (Processor) — Blue House Technologies Sp. z o.o., Wspólna 17, 16-300 Augustów, Poland; contact: <hello@getfyord.com>.

B.2 Description of transfer

  • Categories of data subjects: as set out in Section 4 of the DPA.
  • Categories of Personal Data: as set out in Section 5 of the DPA.
  • Sensitive data: none anticipated; the Controller agrees not to transmit special-category data via the Service.
  • Frequency: continuous, for the duration of the Principal Agreement.
  • Nature of processing: as set out in Section 2 of the DPA.
  • Purpose: delivery of the Service, namely the order-drafting workflow described at <https://getfyord.com>.
  • Retention period: as set out in Annex A.7, subject to the Controller's configuration.

B.3 Competent supervisory authority

The supervisory authority of the Member State in which the Controller is established or, failing that, the supervisory authority of Poland (UODO).


End of template. Customers wishing to execute a DPA with Fyord are invited to mark up this template and email a redline to <hello@getfyord.com>. We will counter-sign or counter-redline within ten (10) business days under standard market terms.