Data Processing Addendum

Scope and Purpose

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies when Favvy Corp ("Processor") processes personal data on behalf of a business customer ("Controller") in connection with the AgentBrush service.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR) and establishes the obligations of the Processor with respect to the processing of personal data.

Processor Obligations

The Processor shall:

- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law.

- Ensure that persons authorized to process the personal data have committed to confidentiality.

- Take all measures required pursuant to Article 32 GDPR (security of processing).

- Respect the conditions for engaging sub-processors as outlined in this DPA.

- Assist the Controller in responding to data subject requests.

- Assist the Controller in ensuring compliance with Articles 32-36 GDPR.

- Delete or return all personal data upon termination, at the Controller's choice.

- Make available all information necessary to demonstrate compliance and allow for audits.

Sub-Processor Management

The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is available at {{link:/sub-processors|Sub-processors List}}.

The Processor shall inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

Data Security Measures

The Processor implements the following technical and organizational measures:

- Encryption in transit: TLS 1.3 for all data transmitted between clients and servers.

- Encryption at rest: AES-256 encryption via Cloudflare for stored data.

- Access controls: Role-based access, JWT and API key authentication, principle of least privilege.

- PII scrubbing: Automated removal of personal identifiers from error monitoring (Sentry beforeSend).

- Infrastructure security: Serverless architecture on Cloudflare Workers (no persistent servers, reduced attack surface).

Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of affected data subjects, and measures taken to address the breach.

Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice and during normal business hours.

The Processor may charge reasonable fees for audit assistance beyond what is required by applicable law.

Data Return and Deletion

Upon termination of the service agreement, the Processor shall, at the Controller's election, delete or return all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.

Cross-Border Transfers

Where personal data is transferred outside the EEA, the Processor relies on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards as required by applicable law.

The Processor shall promptly inform the Controller if it becomes aware that it can no longer comply with transfer obligations.