Data Processing Agreement
Last updated on February 5th, 2025
Introduction
This Data Processing Agreement ("DPA") forms part of the Agreement between Fast Technologies ("Fast", "we", "us", or "our") and you ("Customer", "you", or "your") and governs the processing of personal data by Fast on behalf of the Customer. This DPA applies to the extent that Fast processes personal data subject to applicable data protection laws, including the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable privacy regulations. By using the Services, you agree to the terms of this DPA.
Which means:
This agreement explains how we handle your data when we process it on your behalf, especially for GDPR and CCPA compliance. If you're a business using Fast.io, this is how we protect your customers' data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Fast on behalf of the Customer through the Services.
- "Data Controller" means the Customer, who determines the purposes and means of processing Personal Data.
- "Data Processor" means Fast, who processes Personal Data on behalf of the Data Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by Fast to process Personal Data on behalf of the Customer.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Services" means the Fast platform, APIs, MCP servers, desktop applications, and any other products or services provided by Fast.
2. Scope and Purpose of Processing
Fast processes Personal Data solely for the purpose of providing the Services as described in the Agreement, including:
- File storage, synchronization, and sharing services
- Desktop application synchronization (macOS, Windows, Linux)
- Programmatic access via APIs and MCP servers
- Agent Account operations and automated workflows
- Account management and authentication
- Customer support and communication
- Service improvement, analytics, and abuse prevention
- Billing and subscription management
The types of Personal Data processed may include: names, email addresses, IP addresses, device identifiers, file metadata, usage logs, and any Personal Data contained within Content uploaded by the Customer or its users. Data Subjects may include: Customer employees, contractors, customers, and any individuals whose data is stored or processed through the Services.
Which means:
We only use personal data to provide our services to you—storing files, syncing across devices, handling API requests, and keeping things running smoothly.
3. Obligations of Fast as Data Processor
Fast agrees to:
- Process Personal Data only on documented instructions from the Customer, unless required by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 5
- Assist the Customer in responding to Data Subject requests to exercise their rights under applicable law
- Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return Personal Data upon termination of the Agreement, unless retention is required by law
- Make available information necessary to demonstrate compliance with this DPA
- Notify the Customer promptly if Fast believes an instruction violates applicable data protection law
- Maintain records of processing activities as required by Article 30 of the GDPR
Which means:
We follow your instructions, keep data confidential, maintain security, help you respond to user requests, and delete data when you're done with our services.
4. Obligations of the Customer as Data Controller
The Customer agrees to:
- Ensure that the processing of Personal Data through the Services has a valid legal basis
- Provide clear and documented instructions to Fast regarding the processing of Personal Data
- Ensure that Data Subjects have been informed of and have consented to the processing of their data where required
- Comply with all applicable data protection laws in the collection and use of Personal Data
- Maintain appropriate security measures for any devices, Agent Accounts, or programmatic access used to interact with the Services
- Notify Fast promptly of any changes to processing instructions or any Data Subject requests received directly
Which means:
You're responsible for making sure you have the right to upload the data you share with us and that you've gotten proper consent from your users.
5. Security Measures
Fast operates its own SOC 2 Type II and ISO 27001 compliant datacenters in addition to utilizing third-party cloud infrastructure. Fast implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- SOC 2 Type II and ISO 27001 certified infrastructure
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Access controls and authentication mechanisms, including support for two-factor authentication
- Regular security assessments and vulnerability testing
- Employee security training and confidentiality agreements
- Intrusion detection and monitoring systems
- Secure software development practices
- Physical security measures for data center facilities
- Business continuity and disaster recovery procedures
- API rate limiting and automated abuse detection for programmatic access and Agent Accounts
Which means:
We use industry-standard encryption, access controls, monitoring, and security practices to keep data safe.
6. Sub-processors
The Customer authorizes Fast to engage Sub-processors to assist in providing the Services. Fast maintains a list of current Sub-processors below. Fast will notify the Customer of any intended changes to Sub-processors at least 30 days in advance, and the Customer may object to such changes by providing written notice within that period. Fast ensures that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
Important: Fast does not transmit Customer files or file metadata to third-party Sub-processors, except as follows: (a) Customer Content is stored on Fast-operated infrastructure and Google Cloud Platform; and (b) when the Customer uses AI Services features, relevant Content may be transmitted to Google Vertex AI and/or Google Gemini AI for processing. Other Sub-processors (such as analytics, payment, and monitoring services) receive only operational data necessary for their specific function and do not have access to Customer files or file metadata. Fast may engage additional processors for similar operational purposes, provided they meet the same data protection standards and do not receive Customer Content.
Current Sub-processors:
- Fast Technologies Datacenters — Primary data storage and compute services, SOC 2 Type II and ISO 27001 certified (United States)
- Google Cloud Platform (GCP) — Cloud infrastructure, data storage, and compute services (United States)
- Google Vertex AI / Gemini AI — Artificial intelligence and machine learning services for AI-powered features (United States)
- Cloudflare, Inc. — Content delivery, security, DNS, and edge compute services via Cloudflare Workers (United States)
- Stripe, Inc. — Payment processing and billing (United States)
- Bugsnag (SmartBear Software) — Error tracking and application monitoring (United States)
- Hotjar Ltd. — Analytics, heatmaps, and user experience improvement (Malta/European Union)
Which means:
We use trusted partners to help run our service (payments, error tracking, analytics). We'll let you know before we add new ones, and they're all held to the same data protection standards.
7. Data Subject Rights
Fast will assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, data portability, and objection. If Fast receives a request directly from a Data Subject, Fast will promptly notify the Customer unless prohibited by law. The Customer is responsible for responding to such requests, and Fast will provide reasonable assistance as needed.
Which means:
If someone wants to access, correct, or delete their data, we'll help you handle that request.
8. Data Breach Notification
Fast will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach. Fast will cooperate with the Customer and provide reasonable assistance in investigating and remediating the breach.
Which means:
If there's ever a data breach affecting your data, we'll tell you within 72 hours and work with you to fix it.
9. Audit Rights
Upon reasonable written request and subject to confidentiality obligations, Fast will make available to the Customer information necessary to demonstrate compliance with this DPA. The Customer may conduct an audit, or engage a third-party auditor, no more than once per year, with at least 30 days' advance notice. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to Fast's operations. The Customer shall bear the costs of any audit unless the audit reveals material non-compliance by Fast.
Which means:
You can audit our data protection practices once a year with advance notice. We'll cooperate and provide the information you need.
10. International Data Transfers
Fast stores and processes data primarily in the United States. For transfers of Personal Data from the European Economic Area (EEA) to the United States or other countries not recognized as providing adequate data protection, Fast relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision 2021/914). For transfers from the United Kingdom, Fast relies on the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA) as appropriate. For transfers from Switzerland, Fast relies on the Swiss-approved SCCs or equivalent mechanisms. Upon request, Fast will execute the applicable Standard Contractual Clauses with the Customer.
Which means:
Our servers are in the US. If you're in Europe or the UK, we use approved legal mechanisms to transfer data lawfully.
11. Desktop Applications and Programmatic Access
This DPA applies to all methods of accessing the Services, including through our desktop applications for macOS, Windows, and Linux, as well as programmatic access via APIs, MCP (Model Context Protocol) servers, SDKs, and Agent Accounts. The Customer acknowledges that:
- Desktop applications store authentication credentials and cache data locally on user devices; the Customer is responsible for the security of those devices
- Programmatic access and Agent Accounts may process Personal Data automatically; the Customer remains the Data Controller for all such processing
- Fast monitors programmatic access for security and abuse prevention, which may involve automated analysis of access patterns
- Agent Account activity is attributable to the Customer, and the Customer is responsible for ensuring agents comply with applicable data protection law
Which means:
Whether you use our desktop app, API, or connect through agents, this agreement covers all of it. You're responsible for securing your devices and making sure your bots follow the rules.
12. Term and Termination
This DPA remains in effect for the duration of Fast's processing of Personal Data on behalf of the Customer. Upon termination of the Agreement, Fast will, at the Customer's choice, delete or return all Personal Data within 90 days, unless retention is required by applicable law. Fast may retain anonymized or aggregated data that does not identify individuals. Provisions of this DPA that by their nature should survive termination (including confidentiality, limitation of liability, and indemnification) will survive.
Which means:
This agreement lasts as long as we process your data. When you leave, we'll delete or return your data within 90 days.
13. Modifications
Fast may update this DPA from time to time to reflect changes in data protection law or our practices. Significant changes will be communicated to the Customer via email or through a prominent notice on our website at least 30 days before they become effective. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.
14. Privacy Contact
Fast has not appointed a Data Protection Officer as we do not meet the mandatory appointment thresholds under GDPR Article 37. However, for all data protection inquiries, questions about this DPA, or to request a signed copy of this agreement or the Standard Contractual Clauses, please contact our privacy team at privacy@fast.io.
For questions about this DPA or to request a signed copy, contact us at privacy@fast.io.