This Data Processing Addendum (“DPA”) governs Finis processing of Customer Data you provide to Fini through Fini’s API or any Fini’s services for businesses (“Services”) under the terms of the Fini Data Protection Policy, Enterprise Agreement, or other agreement between you and Fini governing your use of the Services (the “Agreement”) and is hereby incorporated into the Agreement. If and to the extent language in this DPA conflicts with the Agreement, the conflicting terms in this DPA shall control.
Fini and Customer each agree to comply with their respective obligations under applicable data privacy and data protection laws (collectively, “Data Protection Laws”) in connection with the Services. Data Protection Laws may include, depending on the circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act) (“CCPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act) (“CPA”), Connecticut’s Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively “U.S. Privacy Laws”), and the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and applicable subordinate legislation and regulations implementing those laws.
In connection with the Agreement, Customer is the person that determines the purposes and means for which Customer Data (as defined below) is processed (a “Data Controller”), whereas Fini processes Customer Data in accordance with the Data Controller’s instructions and on behalf of the Data Controller (as a “Data Processor”). “Data Controller” and “Data Processor” are intended to include equivalent concepts under other Data Protection Laws. For purposes of the Agreement and this DPA, “Customer Data” means personal data (or equivalent concepts, as defined by Data Protection Laws) that Customer provides to the Services that Fini processes on behalf of Customer. Fini will process Customer Data as your Data Processor to provide or maintain the Services and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between you and Fini. Fini acknowledges that you are disclosing personal data for the aforementioned limited and specific purposes.
This DPA shall remain in effect as long as Fini carries out Customer Data processing operations on your behalf or until the termination of the Agreement (and all Customer Data has been returned or deleted in accordance with this DPA). On the termination of the data processing services, upon your reasonable request, and in any case at least once every thirty (30) days, Fini shall, and shall direct each Subprocessor to, return to you or delete the Customer Data, unless Data Protection Laws prevent Fini from returning or destroying all or part of the Customer Data. For clarity, Fini may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve Fini’s systems and services.
A. LIST OF PARTIES
Data exporter(s): the Services customer identified on the applicable Services registration documents Data importer(s):
Name: Fini Technologies Inc.
Address: 1209 N Orange St, Wilmington, US, DE, 19801 Contact Person’s name, position and contact details:
Deepak Singla Co-founder
Activities relevant to the data transferred under these Clauses: The performance of the services described in the agreement to which this is attached.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred Users of data exporters applications.
Categories of personal data transferred
Name, contact information, demographic information, or other information provided by the user in unstructured data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous.
Nature of the processing
The performance of the services described in the agreement to which this appendix is attached. Purpose(s) of the data transfer and further processing
The performance of the services described in the agreement to which this appendix is attached.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the term of the agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing The performance of the services described in the agreement to which this appendix is attached.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data protection authority of the EU Member State in which the exporter is established.