Data Processing Addendum

Last updated: January 7, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Feldar LLC ("Feldar", "we", "us", or "Processor") and the customer ("Customer", "you", or "Controller") who has agreed to the Terms of Service for the Feldar platform (the "Service").

This DPA applies to the extent that Feldar processes Personal Data on behalf of Customer in providing the Service, and such processing is subject to Data Protection Laws.

For information about how we handle personal data generally, see our Privacy Policy.

Definitions

In this DPA:

• "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and any other applicable data protection legislation.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "EEA" means the European Economic Area.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Feldar on behalf of Customer in connection with the Service.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
• "Processor" means an entity that processes Personal Data on behalf of a Controller.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
• "Subprocessor" means any third party engaged by Feldar to process Personal Data on behalf of Customer.

Scope and application

When this DPA applies

This DPA applies when:

• You use the Service and Personal Data is processed as part of that use
• Such processing is subject to Data Protection Laws
• Feldar processes Personal Data on your behalf as a Processor

Incorporation

This DPA is incorporated into and forms part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.

Term

This DPA shall remain in effect for the duration of your use of the Service and for as long as Feldar retains any Personal Data processed on your behalf.

Roles of the parties

Customer as Controller

For Personal Data that you upload, create, or generate using the Service (such as content you create that contains personal information), you are the Controller. You determine the purposes and means of processing such Personal Data.

Feldar as Processor

When processing Personal Data on your behalf in providing the Service, Feldar acts as a Processor. We process Personal Data only in accordance with your documented instructions and this DPA.

Feldar as Controller

For certain processing activities, Feldar acts as an independent Controller. This includes:

• Processing your account and contact information to provide and manage the Service
• Processing payment information to collect fees
• Processing usage data for our legitimate business interests

Our Privacy Policy describes this processing.

Processing of personal data

Documented instructions

Feldar shall process Personal Data only on documented instructions from you, unless required to do so by applicable law. The Terms of Service and this DPA constitute your initial documented instructions.

Purpose limitation

Feldar shall process Personal Data only for the purposes of providing the Service as described in the Terms of Service, and for no other purpose unless:

• You provide additional documented instructions
• Processing is required by applicable law (in which case, Feldar shall inform you of such requirement before processing, unless prohibited by law)

Obligations of the processor

Feldar shall:

Confidentiality

• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Treat Personal Data as confidential information

Security

• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• Regularly assess and improve security measures as appropriate

Subprocessing

• Not engage another processor (Subprocessor) without your prior authorization
• Ensure that any Subprocessor is bound by data protection obligations no less protective than those in this DPA

Assistance

Assist you, taking into account the nature of processing and information available, with:

• Responding to Data Subject requests to exercise their rights
• Ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations under Data Protection Laws
• Provide information necessary to demonstrate compliance with obligations under Data Protection Laws

Data return and deletion

• At your choice, delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law
• Delete existing copies unless storage is required by applicable law

Subprocessors

Authorization

You provide general authorization for Feldar to engage Subprocessors to process Personal Data on your behalf. The current list of Subprocessors:

• Supabase Inc. — Authentication, database, real-time features — United States
• Stripe, Inc. — Payment processing — United States
• Google Cloud Platform (Google LLC) — Cloud infrastructure and hosting — United States
• Firebase (Google LLC) — Analytics — United States
• Resend Inc. — Transactional email delivery — United States

Subprocessor obligations

Feldar shall:

• Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA
• Remain liable to you for the performance of the Subprocessor's obligations

Changes to Subprocessors

When engaging a new Subprocessor or replacing an existing Subprocessor:

• Feldar shall notify you by updating the Subprocessor list and/or by email at least 14 days before the new Subprocessor begins processing Personal Data
• You may object to the new Subprocessor by notifying Feldar within 14 days of receiving notice
• If you object, we will work with you to address your concerns. If we cannot resolve your concerns, you may terminate the affected Service.

International data transfers

Transfer mechanisms

Personal Data may be transferred to and processed in the United States and other countries where Feldar and its Subprocessors operate.

For transfers of Personal Data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of data protection, Feldar relies on:

• Standard Contractual Clauses approved by the European Commission
• Other appropriate safeguards as required by Data Protection Laws

Standard Contractual Clauses

To the extent that transfers of Personal Data are subject to the GDPR and transferred to a country without an adequacy decision:

• The Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference into this DPA
• For transfers from the UK, the UK Addendum to the SCCs applies
• For transfers from Switzerland, the SCCs apply with necessary modifications

Supplementary measures

Feldar implements supplementary technical and organizational measures to protect Personal Data during international transfers, including encryption in transit and at rest.

Data subject rights

Assistance with requests

Feldar shall assist you in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including rights to:

• Access their Personal Data
• Rectify inaccurate Personal Data
• Erase Personal Data ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing

Response process

If Feldar receives a request directly from a Data Subject:

• Feldar shall promptly notify you of the request (unless prohibited by law)
• Feldar shall not respond directly to the Data Subject except to acknowledge receipt and refer them to you, unless otherwise instructed by you or required by law

Costs

Feldar may charge a reasonable fee for assistance with Data Subject requests that are excessive, repetitive, or manifestly unfounded.

Security measures

Technical and organizational measures

Feldar implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction, or damage.

These measures include:

• Encryption of Personal Data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments
• Incident response procedures
• Employee security training

Encryption details

• Data in transit: TLS 1.2 or higher for all communications
• Data at rest: AES-256 encryption for stored data

Access controls

• Role-based access control for internal systems
• Multi-factor authentication for administrative access
• Principle of least privilege for employee access
• Regular access reviews

Infrastructure security

• Cloud infrastructure hosted on Google Cloud Platform
• Network segmentation and firewalls
• Regular security patching and updates
• DDoS protection

Ongoing security

Feldar shall:

• Regularly test and evaluate the effectiveness of security measures
• Take appropriate steps to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
• Implement measures to restore availability and access to Personal Data in a timely manner in the event of an incident

Personal data breach

Notification

In the event of a Personal Data Breach affecting Personal Data processed on your behalf, Feldar shall:

• Notify you without undue delay after becoming aware of the breach
• Provide sufficient information to enable you to meet your obligations under Data Protection Laws

Breach notification content

Notification shall include, to the extent known:

• Description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
• Contact point for more information
• Description of likely consequences
• Description of measures taken or proposed to address the breach

Cooperation

Feldar shall cooperate with you and take reasonable steps to assist in investigating, mitigating, and remediating the breach.

Documentation

Feldar shall document Personal Data Breaches, including facts, effects, and remedial actions taken.

Audits and assessments

Audit rights

Feldar shall make available to you information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

Audit process

Audits shall be conducted:

• Upon reasonable written notice (at least 30 days, except in emergencies)
• During normal business hours
• In a manner that minimizes disruption to Feldar's operations
• Subject to reasonable confidentiality obligations

Third-party certifications

Feldar may satisfy audit requirements by providing:

• Third-party audit reports (such as SOC 2)
• Certifications from recognized bodies
• Responses to reasonable security questionnaires

Costs

You shall bear the costs of any audit you request, except where an audit reveals material non-compliance by Feldar.

Data retention and deletion

Retention period

Feldar shall retain Personal Data processed on your behalf only for as long as necessary to provide the Service and fulfill obligations under this DPA.

Deletion upon termination

Upon termination of the Service or upon your request:

• Feldar shall delete or return all Personal Data processed on your behalf within 30 days
• Feldar shall delete existing copies unless storage is required by applicable law
• Upon request, Feldar shall certify deletion in writing

Backup retention

Encrypted backups may retain Personal Data for up to 90 days after deletion from active systems before being purged.

Legal retention

Feldar may retain Personal Data to the extent required by applicable law, in which case Feldar shall protect the confidentiality of such data and process it only as required by law.

Liability

Liability cap

Liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.

Indemnification

The indemnification provisions in the Terms of Service apply to this DPA.

Allocation of liability

Each party shall be liable for damages caused by its own breach of this DPA or Data Protection Laws. Where both parties are responsible for damage, liability shall be allocated according to each party's responsibility for the damage.

General provisions

Conflict

In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.

Amendments

This DPA may be amended by Feldar to reflect changes in Data Protection Laws or data protection practices. Material changes will be notified to you in accordance with the Terms of Service.

Severability

If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Governing law

This DPA is governed by the same law that governs the Terms of Service, except that provisions relating to GDPR compliance shall be governed by the laws of the EU member state where you are established (for EU customers) or by the laws of England and Wales (for UK customers).

How to contact us

For questions about this DPA or data protection matters:

Feldar LLC
Email: support@feldar.com
Location: Delaware, United States

For DPA-specific inquiries, use the subject line "Data Processing Addendum" to ensure prompt handling.

Details of processing

Subject matter of processing

Processing of Personal Data to provide the Feldar AI writing platform.

Duration of processing

For the duration of the Terms of Service and as necessary to fulfill obligations under this DPA.

Nature and purpose of processing

• Storage and retrieval of content created by Customer
• Processing of content through AI features to provide writing assistance
• Account management and service delivery
• Customer support and communications

Types of Personal Data

Personal Data that may be contained in User Content uploaded or created by Customer, which may include:

• Names and contact information
• Biographical information
• Any other personal information included by Customer in their content

Categories of Data Subjects

Data Subjects whose Personal Data may be included in User Content, which may include:

• Customer's employees or contractors
• Customer's clients or customers
• Individuals referenced in Customer's creative works
• Any other individuals whose data Customer includes in content