Feng-GUI Data Processing Agreement

1. Definitions

• Agreement: the written or electronic agreement (including online Terms) governing the Services.
• Controller/Processor, Personal Data, Processing, Personal Data Breach, Supervisory Authority, Data Subject: as defined in the GDPR.
• EU SCCs: the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914.
• UK Addendum: ICO International Data Transfer Addendum to the EU SCCs.
• Sub-processor: a processor engaged by Feng-GUI.
• TOMs: technical and organizational measures.

2. Scope; Roles; Instructions

For the Processing described in this DPA, Controller is the Controller and Feng-GUI is the Processor.

Feng-GUI shall Process Personal Data only on documented instructions from Controller (including via the Agreement, this DPA, order forms, and Controller’s written admin settings). If an instruction infringes Data Protection Law, Feng-GUI will inform Controller.

Processing is limited to providing and supporting the Services for the term of the Agreement (see Annex I).

Controller determines the purposes and means of Processing, provides all notices, obtains and records any consents (if used as a legal basis), and ensures the lawfulness, accuracy, and completeness of Personal Data provided to Feng-GUI.

3. Confidentiality

Feng-GUI ensures its personnel are bound by confidentiality and access Personal Data on a need-to-know basis.

4. Security

Feng-GUI implements and maintains TOMs appropriate to the risk, including at minimum the controls listed in Annex II (e.g., access control, encryption in transit/at rest, logging/monitoring, vulnerability management, secure development, BCP/DR).

Upon request once per year, Feng-GUI will provide a summary of relevant audits/certifications (e.g., ISO/IEC 27001) or equivalent third-party assurance.

5. Sub-processors

Controller authorizes the Sub-processors listed in Annex III and general authorization for Feng-GUI to appoint new Sub-processors.

Feng-GUI will impose GDPR-equivalent obligations on all Sub-processors and remains fully liable for their performance.

Feng-GUI will notify Controller at least 15 days before replacing/adding Sub-processors (email or news notice). Controller may object on reasonable data protection grounds; the parties will discuss in good faith. If unresolved, Controller may suspend the affected Service or terminate it for convenience (pro-rata refund of prepaid fees for the terminated portion).

6. International Data Transfers

Feng-GUI will not transfer Personal Data outside the EEA/UK unless appropriate transfer mechanisms are in place (e.g., EU SCCs Module Two, UK Addendum).

Where required, the parties enter into the EU SCCs (controller-to-processor, Module Two) incorporated by reference with Annexes from this DPA; the governing law and competent authority are as set out in Annex I(C).

Feng-GUI will conduct transfer impact assessments (TIAs) where applicable and implement supplementary measures where necessary.

7. Assistance

Taking into account the nature of Processing, Feng-GUI will assist Controller by appropriate technical and organizational measures in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). Target response within 5 business days of a written request from Controller.

Feng-GUI will provide reasonably available information to support Controller’s DPIAs or consultations with Supervisory Authorities regarding the Services.

Where assistance is excessive, repetitive, or outside the Services’ standard scope, Feng-GUI may charge reasonable costs.

8. Personal Data Breach

Feng-GUI will notify Controller without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Controller Personal Data, and provide information reasonably available to assist Controller with notifications to authorities and Data Subjects. Notification is not an admission of fault or liability.

9. Audit & Compliance

Feng-GUI will make available information necessary to demonstrate compliance with this DPA (e.g., policy summaries, independent audit reports).

Where such information is insufficient, Controller may conduct (or mandate a reputable independent auditor to conduct) an audit no more than once per 12 months with 15 business days’ prior notice, during business hours, limited to facilities and systems used to Process Controller Personal Data, and subject to confidentiality and security requirements.

Each party bears its own costs; if an audit reveals material non-compliance attributable to Feng-GUI, Feng-GUI will bear reasonable audit costs.

10. Return and Deletion

Within 30 days after termination or expiry of the Agreement, upon Controller request, Feng-GUI will make available a reasonable export of Personal Data. After this export window, Feng-GUI will delete Controller Personal Data from active systems and schedule deletion from backups per Annex II timelines, except as necessary to:

• comply with legal obligations or enforce rights, or
• retain only irreversibly anonymized data, aggregated where possible, for the exclusive purpose of improving Feng-GUI’s own models, and platform features, provided that such data no longer constitutes Personal Data within the meaning of the GDPR, cannot reasonably be reidentified by any party, and is not traceable to the Controller or any individual.

Feng-GUI ensures that any retained data under this section is segregated from live production systems and subject to appropriate technical and organizational measures.

11. Liability; Precedence

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except where prohibited by law.

If there is conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict on data protection matters. If there is conflict between this DPA and the SCCs, the SCCs prevail.

12. Term

This DPA remains in force while Feng-GUI Processes Personal Data on behalf of Controller under the Agreement.

Annex I — Description of Processing (SCCs, Annex I.A–C)

• Data Exporter (Controller): Customer identified in the Order Form / Admin Settings
• Data Importer (Processor): Feng-GUI

• Data Subjects: Controller’s authorized users; Controller’s customers/end-users whose data Controller uploads to or collects via the Services.
• Categories of Personal Data: Identification and contact data (name, email, phone, address), account identifiers (user ID/username), business identifiers (company name, tax IDs), usage and log data, uploaded documents/metadata needed for onboarding/verification/reporting.
• Special Categories: Not intended to be processed. If Controller uploads such data, it remains responsible for a lawful basis and instructions.
• Frequency: Continuous for the term.
• Nature & Purpose: Hosting, storage, computation, verification, enrichment, transformation, reporting, support, security, and related operations necessary to provide the Services.
• Duration: For the Agreement term plus deletion timelines in Section 10.
• Subject-matter of Processing by Sub-processors: Same as above, limited to what is necessary to provide the Services.
• AI & Analytics Use: Feng-GUI may retain anonymized or pseudonymized usage and deleted data solely for the purpose of improving the accuracy, efficiency, and user experience of its AI-driven features and analytics systems. Such data is excluded from Personal Data under GDPR once anonymized.

• Supervisory Authority: means an independent public authority which is established by a European Union Member State; and shall also include the Israeli Privacy Protection Authority.
• SCC Governing Law & Forum: Israel.

Annex II — Technical and Organisational Measures (TOMs)

Feng-GUI maintains an ISO-27001–aligned ISMS including, at a minimum:

1. Governance & Policies: documented security policies; risk assessments; security awareness training.
2. Access Control: unique user IDs, least-privilege, RBAC, MFA for admin access, timely de-provisioning.
3. Encryption: TLS for data in transit; industry-standard encryption for data at rest (e.g., AES-256); key management via managed KMS.
4. Network Security: segmentation, firewalls, DDoS protection provided by cloud providers; hardened endpoints.
5. Vulnerability & Patch Management: regular scanning, remediation SLAs; annual penetration testing.
6. Secure SDLC: code review, dependency scanning, secrets management, CI/CD controls.
7. Logging & Monitoring: centralized logs, audit trails for access and admin actions, alerting.
8. Business Continuity & Disaster Recovery: backups with cross-region redundancy; RTO ≤ 24h, RPO ≤ 24h targets unless otherwise agreed.
9. Data Retention & Deletion: production data deleted within 30 days after export window; backups overwritten on rolling cycles ≤ 12 months.
10. Incident Response: documented IR plan, breach notification workflow meeting Section 8.
11. Vendor Management: security due diligence and SCCs/transfer safeguards for relevant vendors; contractual flow-downs.
12. Physical Security: data centers managed by reputable cloud providers with industry certifications.

Annex III — Authorized Sub-processors

The Controller authorizes Feng-GUI to use the following categories of Sub-processors: