Data Processing Agreement

Effective date: September 24, 2025
Parties: This DPA forms part of the agreement between Furious (“Processor”) and the customer that purchases or uses the Services (“Controller”).

By executing an Order or using the Services, Controller and Processor agree to this DPA.

1) Roles, Scope, and Instructions

  • Roles. Controller determines purposes and means; Processor processes Personal Data on Controller’s behalf.
  • Scope. Processing is limited to providing, maintaining, and supporting the Services as described in the Agreement.
  • Instructions. Processor processes Personal Data only on Controller’s documented instructions (the Agreement and this DPA constitute the complete instructions), including for any international transfers.

2) Confidentiality

Processor ensures persons authorized to process Personal Data are bound by confidentiality obligations.

3) Security

Processor implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. (Detailed measures may be described on a separate page and are not part of this DPA.)

4) Subprocessors

  • General authorization. Controller authorizes Processor to engage Subprocessors listed in Section 12.
  • Flow-down. Processor imposes data protection obligations on Subprocessors no less protective than those in this DPA.
  • Updates. The Subprocessor list may be updated by updating this page.

5) Assistance

Taking into account the nature of processing and information available to Processor, Processor will reasonably assist Controller with data subject requests and with obligations under GDPR Articles 32–36. Processor may charge reasonable fees for assistance not inherent to the Services.

6) Personal Data Breach

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on Controller’s behalf and provide information reasonably available to assist Controller in meeting its obligations.

7) Return & Deletion

Upon termination or expiry of the Services, Processor will delete Personal Data within a commercially reasonable period, subject to minimal backup/archival retention required by law. (Return is not offered unless legally required.)

8) Audits and Information

Processor will make available information necessary to demonstrate compliance with this DPA and, upon reasonable request, provide recent independent reports or other information (which may include summaries). Formal audits/inspections occur only where required by law or where provided information is insufficient, no more than once every 12 months, on reasonable notice, during normal business hours, and without undue disruption. Each party bears its own costs; Controller reimburses Processor’s reasonable costs.

9) International Transfers

Where Personal Data is transferred outside the EEA/UK in the absence of an adequacy decision, the EU Standard Contractual Clauses (2021/914, Modules 2 and/or 3) and, where applicable, the UK Addendum apply by reference and form part of this DPA, with Controller as “data exporter” and Processor (or relevant Subprocessor) as “data importer.”

10) Records and Cooperation

Processor maintains records required by GDPR Art. 30(2) and will provide them to supervisory authorities upon request.

11) Liability and Precedence

Liability is governed by the Agreement’s limitations and exclusions. If there is a conflict, this DPA controls to the extent it concerns processing of Personal Data.

12) Subprocessors (live list)

Processing location: EU by default.

| Subprocessor | Purpose | Processing Location | Categories of Personal Data | More info |
|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Hosting & infrastructure for the Services | EU regions by default (e.g., Dublin/Frankfurt) | Customer/end-user account data and usage/log data stored in the Services | aws.amazon.com |
| Intercom R&D Unlimited Company | Customer support tooling (in-app messaging, helpdesk) | EU/EEA by default (subject to Intercom’s regional routing) | Customer/admin contact data and support conversation metadata | intercom.com/legal |

Annex A — Processing Details (GDPR Art. 28(3))

  • Subject matter: Provision and support of the Furious Services.
  • Duration: Term of the Agreement plus limited backup/archival retention.
  • Nature & purpose: Hosting, storage, transmission, display, and processing necessary to provide the Services; support; in-product service analytics.
  • Types of Personal Data: Contact details (e.g., names, emails), account/profile data, content uploaded by Controller (as determined by Controller), service usage/log data.
  • Categories of data subjects: Controller’s employees, contractors, and end-users (as determined by Controller).
  • Controller obligations: Provide lawful instructions and ensure a valid legal basis.