Data Processing Addendum

Last Updated: 14/12/2024 (Version 1.0.2)

This Data Processing Addendum (“DPA”) governs Fini’s processing of Customer Data you provide to Fini through Fini’s API or any of Fini’s services for businesses (“Services”) under the terms of the Fini Data Protection Policy, Enterprise Agreement, or other agreement between you and Fini governing your use of the Services (the “Agreement”) and is hereby incorporated into the Agreement. If and to the extent language in this DPA conflicts with the Agreement, the conflicting terms in this DPA shall control.

Fini and Customer each agree to comply with their respective obligations under applicable data privacy and data protection laws (collectively, “Data Protection Laws”) in connection with the Services. Data Protection Laws may include, depending on the circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act) (“CCPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act) (“CPA”), Connecticut’s Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively “U.S. Privacy Laws”), and the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and applicable subordinate legislation and regulations implementing those laws.

In connection with the Agreement, Customer is the person that determines the purposes and means for which Customer Data (as defined below) is processed (a “Data Controller”), whereas Fini processes Customer Data in accordance with the Data Controller’s instructions and on behalf of the Data Controller (as a “Data Processor”). “Data Controller” and “Data Processor” are intended to include equivalent concepts under other Data Protection Laws. For purposes of the Agreement and this DPA, “Customer Data” means personal data (or equivalent concepts, as defined by Data Protection Laws) that Customer provides to the Services that Fini processes on behalf of Customer. Fini will process Customer Data as your Data Processor to provide or maintain the Services and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between you and Fini. Fini acknowledges that you are disclosing personal data for the aforementioned limited and specific purposes.

  1. Processing Requirements. As a Data Processor, Fini agrees to:

  • process Customer Data (i) for the purpose of providing and supporting Fini’s services (including to provide insights, reporting, analytics and platform abuse, trust and safety monitoring); (ii) in compliance with the instructions received from Customer;

  • promptly inform you in writing if it cannot comply with the requirements of this DPA;

  • not provide you with remuneration in exchange for Customer Data from you. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to Fini;

  • not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) personal data;

  • inform you promptly if, in Fini’s opinion, an instruction from you violates applicable Data Protection Laws;
  • take commercially reasonable steps to require (i) persons employed by it and (ii) other persons engaged to perform on Fini’s behalf to be subject to a duty of confidentiality with respect to the Personal Data and to comply with the data protection obligations applicable to Fini under the Agreement and this DPA;

  • engage the organizations Fini works with to process Customer Data (each a “Subprocessor”) to help Fini satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors. Customer hereby consents to the use of such Subprocessors. In the event that Fini seeks to use additional Subprocessors and update the Subprocessor List, Fini will provide notice of such additional Subprocessors to you (which may be via email, a posting or notification on an online portal for our services or other reasonable means). In the event that you do not wish to consent to the use of such additional Subprocessor, you may notify Fini that you do not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by following the instructions set forth in the Subprocessor List or contacting hello@usefini.com. In such case, Fini shall have the right to cure the objection through one of the following options: (i) Fini will cancel its plans to use the Subprocessor with regards to processing Customer Data or will offer an alternative to provide its Services or services without such Subprocessor; (ii) Fini will take the corrective steps requested by you in your objection notice and proceed to use the Subprocessor; (iii) Fini may cease to provide, or you may agree not to use whether temporarily or permanently, the particular aspect or feature of the Fini Services or services that would involve the use of such Subprocessor; or (iv) you may cease providing Customer Data to Fini for processing.
If none of the above options are commercially feasible, in Fini’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of Fini’s receipt of your objection notice, then either party may terminate any subscriptions, order forms or usage regarding the Services or Fini services for cause and in such case, you will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is your sole and exclusive remedy if you object to any new Subprocessor. Fini shall enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security to that provided for herein;
  • upon request, provide you with Fini’s privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws;

  • where required by law and upon reasonable notice and appropriate confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer that are necessary to confirm that Fini is processing Personal Data in a manner consistent with this DPA. Where permitted by law, Fini may instead make available to Customer a summary of the results of a third-party audit or certification reports relevant to Fini’s compliance with this DPA;

  • to the extent that Fini received deidentified data derived from personal data subject to U.S. Privacy Laws from Customer, Fini shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such deidentified data in a de-identified form and to not attempt to re-identify the deidentified data, except that the recipient may attempt to re-identify the data solely for the purpose of determining whether its de-identification processes are compliant with U.S. Privacy Laws; and (iii) before sharing de-identified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision;

  • where the personal data is subject to the CCPA, not (i) retain, use, disclose, or otherwise process personal data except as necessary for the business purposes specified in the Agreement or this Addendum; (ii) retain, use, disclose, or otherwise process personal data in any manner outside of the direct business relationship between Fini and Customer; or (iii) combine any personal data with personal data that Fini receives from or on behalf of any other third party or collects from Fini’s own interactions with individuals, provided that Fini may so combine personal data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA;

  • where required by law, grant the Data Controller the rights to (i) take reasonable and appropriate steps to ensure that Fini uses Customer Data in a manner consistent with Data Protection Laws and (ii) stop and remediate unauthorized use of Customer Data.

  2. Notice to Customer. Fini will inform you if Fini becomes aware of:

  • any legally binding request for disclosure of Customer Data by a law enforcement authority, unless Fini is otherwise forbidden by law to inform you, for example to preserve the confidentiality of an investigation by law enforcement authorities;
  • any notice, inquiry or investigation by an independent public authority established by a member state pursuant to Article 51 of the GDPR (a “Supervisory Authority”) with respect to Customer Data; or
  • any complaint or request (in particular, requests for access to, rectification or blocking of Customer Data) received directly from your data subjects. Fini will not respond to any such request without your prior written authorization.

  3. Assistance to Customer. Fini will provide reasonable assistance to Customer regarding:

  • any requests from your data subjects in respect of access to or the rectification, erasure, restriction, portability, objection, blocking or deletion of Customer Data that Fini processes for you. In the event that a data subject sends such a request directly to Fini, Fini will promptly send such request to you;

  • the investigation of any breach of Fini’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by Fini for you (a “Personal Data Breach”); and

  • where appropriate, the preparation of data protection impact assessments with respect to the processing of Customer Data by Fini and, where necessary, carrying out consultations with any supervisory authority with jurisdiction over such processing.

  4. Required Processing. If Fini is required by Data Protection Laws to process any Customer Data for a reason other than in connection with the Agreement, Fini will inform you of this requirement in advance of any processing, unless Fini is legally prohibited from informing you of such processing.

  5. Security. Fini will:

  • maintain reasonable and appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data and to protect the rights of the subjects of that Customer Data;

  • take appropriate steps to confirm that Fini personnel are protecting the security, privacy and confidentiality of Customer Data consistent with the requirements of this DPA; and

  • notify you of any Personal Data Breach by Fini, its Subprocessors, or any other third parties acting on Fini’s behalf without undue delay after Fini becomes aware of such Personal Data Breach.

  6. Obligations of Customer.

  • Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to Fini and to authorize Fini to use, disclose, retain and otherwise process that Customer Data as contemplated by this DPA, the Agreement and/or other processing instructions provided to Fini.

  • Customer shall comply with all applicable Data Protection Laws.

  • Customer shall reasonably cooperate with Fini to assist Fini in performing any of its obligations with regard to any requests from Customer’s data subjects, including, without limitation by maintaining a record of which “completion ID” or similar numbers that are related to which data subjects in order to facilitate individual rights requests.

  • Customer acknowledges and agrees that it, rather than Fini, is responsible for certain configurations and design decisions for the services and that Customer, and not Fini, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws. Without limitation to the foregoing, Customer represents, warrants and covenants that it shall only transfer Customer Data to Fini using secure, reasonable and appropriate mechanisms.

  • Customer shall not provide Customer Data to Fini except through agreed mechanisms. For example, Customer shall not include Customer Data other than technical contact information, or in technical support tickets, transmit user Customer Data to Fini by email.

  • Customer shall not take any action that would (i) render the provision of Customer Data to Fini a “sale” under U.S. Privacy Laws or a “share” under the CCPA; or (ii) render Fini not a “service provider” under the CCPA.

  7. Standard Contractual Clauses.

  • Fini will process Customer Data that originates in the European Economic Area in accordance with the standard contractual clauses adopted by the EU Commission on June 4, 2021 (“EU SCCs”) which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
    • Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and Fini is processing Customer Data as a processor.
    • Module Three (Processor to Sub-Processor) of the EU SCCs applies when Customer is a processor and Fini is processing Customer Data as a sub-processor.

  • For each module of the EU SCCs, where applicable, the following applies:
    • The optional docking clause in Clause 7 does not apply;
    • In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 1(g) of this DPA.
    • In Clause 11, the optional language does not apply;
    • All square brackets in Clause 13 are hereby removed;
    • In Clause 17 (Option 1), the EU SCCs will be governed by the EU member state where the data exporter is located;
    • In Clause 18(b), disputes will be resolved before the courts of the EU member state where the data exporter is located;
    • Exhibit A to this DPA contains the information required in Annex I and Annex III of the EU SCCs;
    • Exhibit B to this DPA contains the information required in Annex II of the EU SCCs; and

  • Customer Data originating from Switzerland shall be processed in accordance with the EU SCCs with the following amendments:
    • “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
    • “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023.
    • The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
    • The EU SCCs also protect the data of legal entities until the entry into force of the Revised FADP.
    • The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

  • With respect to Customer Data originating from the United Kingdom, the parties will comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The parties also agree (i) that the information included in Part 1 of the UK Addendum is as set out in Annex I of Appendix A to this DPA and (ii) that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.

  8. Term; Data Return and Deletion. This DPA shall remain in effect as long as Fini carries out Customer Data processing operations on your behalf or until the termination of the Agreement (and all Customer Data has been returned or deleted in accordance with this DPA). On the termination of the data processing services, upon your reasonable request, and in any case at least once every thirty (30) days, Fini shall, and shall direct each Subprocessor to, return to you or delete the Customer Data, unless Data Protection Laws prevent Fini from returning or destroying all or part of the Customer Data. For clarity, Fini may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve Fini’s systems and services.

Exhibit A

ANNEX I

A. LIST OF PARTIES

Data exporter(s): the Services customer identified on the applicable Services registration documents

Data importer(s):

Name: Fini Technologies Inc.

Address: 1209 N Orange St, Wilmington, US, DE, 19801

Contact Person’s name, position and contact details:

Deepak Singla, Co-founder

deepak@usefini.com

Activities relevant to the data transferred under these Clauses: The performance of the services described in the agreement to which this is attached.


B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Users of data exporter’s applications.

Categories of personal data transferred

Name, contact information, demographic information, or other information provided by the user in unstructured data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

The performance of the services described in the agreement to which this appendix is attached.

Purpose(s) of the data transfer and further processing

The performance of the services described in the agreement to which this appendix is attached.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

During the term of the agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The performance of the services described in the agreement to which this appendix is attached.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The data protection authority of the EU Member State in which the exporter is established.

Contact Us
If you have any questions about this Policy, please contact us: By email: hello@usefini.com.