Data Processing Agreement (DPA)
Last updated: 23 February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fernly Digital Services ("Processor", "Fernly", "we", "us") and the customer entity that subscribes to the Fernly platform ("Controller", "Customer", "you"). This DPA applies to the extent Fernly processes Personal Data on behalf of Customer in connection with the Services.
If there is a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails for those processing terms.
1) Definitions
Unless otherwise defined in this DPA, capitalised terms have the meaning given in the Terms of Service.
- 1.1 "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the UK GDPR and the Data Protection Act 2018, and (where applicable) EU GDPR.
- 1.2 "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
- 1.3 "Process" / "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, alteration, transmission, or deletion.
- 1.4 "Data Subject" means the individual to whom Personal Data relates.
- 1.5 "Customer Content" means data (including Personal Data) submitted, stored, sent, or received via the Services by or on behalf of Customer, including leads, contacts, messages, and files.
- 1.6 "Subprocessor" means any third party appointed by Fernly to Process Personal Data on Customer's behalf.
- 1.7 "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Content (including Personal Data) in Fernly's systems.
2) Scope and Roles
- 2.1 Processor role. Fernly Processes Personal Data as Processor on behalf of Customer where Customer uploads, generates, imports, or otherwise uses Customer Content in the Services (for example: leads saved to a workspace, client portal data, outreach content, and related tracking in the workspace).
- 2.2 Independent controller role for platform operations. Fernly acts as an independent controller for Personal Data processed for its own legitimate business purposes such as account administration, billing, fraud prevention, security monitoring, and product analytics that are not Customer-specific instructions. Such processing is described in Fernly's Privacy Policy.
- 2.3 Lead sourcing and Customer responsibility. Where the Services enable discovery and delivery of business listing information (including where that information may include Personal Data, e.g., sole traders), Customer becomes the controller when it imports, stores, or uses such leads within its workspace and is responsible for determining the lawful basis and providing any required notices for its subsequent processing and outreach activities.
- 2.4 Term. This DPA applies from the effective date of Customer's subscription to the Services and continues until the Services are terminated or until all Customer Content is deleted/returned in accordance with this DPA.
3) Processing Instructions
3.1 Fernly shall Process Personal Data only on documented instructions from Customer, including as necessary to provide and operate the Services in accordance with the Terms of Service and Customer's configuration and use of the Services.
3.2 Customer instructs Fernly to Process Personal Data to:
- provide the Services and related support,
- secure, maintain, and improve the Services,
- perform backups and disaster recovery,
- carry out actions initiated by Customer users (e.g., importing/exporting, emailing, sharing portal access).
3.3 If Fernly believes a Customer instruction violates Applicable Data Protection Law, Fernly will notify Customer (unless prohibited by law) and may suspend the relevant Processing until Customer confirms or modifies its instructions.
4) Customer Obligations
Customer shall:
- 4.1 Ensure it has all necessary rights, consents, notices, and lawful bases to provide Personal Data to Fernly and to Process it using the Services.
- 4.2 Ensure its use of the Services (including outreach features) complies with applicable marketing, anti-spam, and electronic communications laws and regulations.
- 4.3 Maintain the confidentiality of its login credentials, manage user access appropriately, and ensure only authorised users access Customer Content.
- 4.4 Respond to Data Subject requests where Customer is controller; Customer may use Service tools (export/delete) to fulfil those requests.
5) Fernly Obligations (Processor)
Fernly shall:
- 5.1 Confidentiality. Ensure persons authorised to Process Personal Data are subject to appropriate confidentiality obligations.
- 5.2 Security. Implement and maintain appropriate technical and organisational measures ("TOMs") to protect Personal Data against Security Incidents, as described in Annex 2.
- 5.3 Assistance with Data Subject requests. Taking into account the nature of Processing, provide reasonable assistance to Customer to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) as required by Applicable Data Protection Law, to the extent Customer cannot fulfil such requests through self-service functionality.
- 5.4 Assistance with compliance. Provide reasonable assistance to Customer with:
  - security obligations,
  - breach notifications to authorities and Data Subjects (where applicable),
  - DPIAs and prior consultation where required,
  to the extent the information is within Fernly's control and the assistance is proportionate. Fernly may charge reasonable fees for assistance beyond what is required by law or that is excessive/repetitive.
- 5.5 Records and compliance information. Make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security requirements.
- 5.6 Subprocessors. Comply with Section 7 regarding Subprocessors.
6) Security Incident Notification
- 6.1 Fernly shall notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Customer Content.
- 6.2 Such notification will include, to the extent known and as it becomes available:
  - a description of the nature of the incident,
  - likely consequences and categories/approximate number of affected Data Subjects/records (where feasible),
  - measures taken or proposed to address the incident and mitigate harm,
  - a point of contact for follow-up.
- 6.3 Fernly will reasonably cooperate with Customer's efforts to investigate, mitigate, and remediate the incident.
- 6.4 This Section 6 does not apply to unsuccessful attempts or events that do not compromise the security, confidentiality, or integrity of Personal Data (e.g., pings, port scans, denied login attempts), unless such events result in unauthorised access.
7) Subprocessors
- 7.1 General authorisation. Customer authorises Fernly to engage Subprocessors to Process Personal Data on Customer's behalf.
- 7.2 List of Subprocessors. Fernly maintains an up-to-date list of Subprocessors at: fernly.io/subprocessors
- 7.3 Notice of changes. Fernly will provide notice at least 30 days before adding or replacing a Subprocessor where the change materially increases risk to Customer's Personal Data. Notice may be provided by updating the Subprocessor list and/or by email or in-app notice.
- 7.4 Objection. Customer may object to a new Subprocessor within the 30-day notice period by providing written notice explaining reasonable data protection grounds. If Customer objects, Fernly will use reasonable efforts to address the objection, including (where feasible) providing an alternative. If no reasonable alternative is available, Customer may terminate the affected portion of the Services without penalty by providing written notice prior to the change taking effect.
- 7.5 Flow-down terms. Fernly will ensure each Subprocessor is bound by written obligations no less protective than those in this DPA for the relevant Processing, including confidentiality, security, and (where applicable) transfer safeguards.
- 7.6 Liability for Subprocessors. Fernly remains responsible for the performance of its Subprocessors' obligations under this DPA.
8) International Transfers
- 8.1 Where Personal Data processed under this DPA is transferred outside the UK and/or EEA (as applicable), Fernly will ensure appropriate safeguards are in place in accordance with Applicable Data Protection Law.
- 8.2 Safeguards may include, as applicable:
  - EU Standard Contractual Clauses (EU SCCs),
  - the UK Addendum to the EU SCCs and/or the UK International Data Transfer Agreement (IDTA),
  - adequacy regulations/decisions,
  or other lawful mechanisms.
- 8.3 Details of relevant transfer mechanisms for Subprocessors will be made available upon reasonable request.
9) Return and Deletion of Personal Data
- 9.1 During term. Customer may access, export, and delete Customer Content using the Service features.
- 9.2 Upon termination. Upon termination or expiry of Customer's subscription:
  - Fernly will make Customer Content available for export for a reasonable period (if applicable under the Service plan and termination state), and
  - Fernly will delete Customer Content within 30 days, except as set out below.
- 9.3 Backups and residual data. Customer Content stored in backups or disaster recovery systems may be retained for a limited period consistent with Fernly's backup retention cycles, after which it will be deleted or rendered inaccessible in the ordinary course. Fernly may retain limited records (e.g., billing records, security logs) to the extent required by law or for legitimate security and fraud-prevention purposes.
- 9.4 Legal holds. Fernly may retain Customer Content as required by law or in connection with legal claims, audits, or regulatory requests, and will delete it when no longer required.
10) Audit Rights
- 10.1 Customer may audit Fernly's compliance with this DPA:
  - no more than once per 12-month period, unless required due to a confirmed Security Incident or instruction by a supervisory authority,
  - subject to reasonable scope, confidentiality, and security requirements.
- 10.2 Alternative audit materials. Fernly may satisfy audit requests by providing relevant documentation, summaries, and/or third-party audit reports, certifications, or independent assessments where available.
- 10.3 On-site audits. Where an on-site audit is necessary, it requires at least 30 days' written notice, must be conducted during business hours, must not unreasonably interfere with Fernly's operations, and must not compromise the confidentiality or security of other customers' data.
- 10.4 Customer bears its own costs and reasonable out-of-pocket costs incurred by Fernly for on-site audits, except where the audit identifies material non-compliance by Fernly with this DPA.
11) Liability
- 11.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
- 11.2 Nothing in this DPA limits either party's liability where such limitation is prohibited by Applicable Data Protection Law.
12) Governing Law
This DPA is governed by the laws of England and Wales, and disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
13) Contact
For DPA-related inquiries or to request a signed copy, contact: legal@fernly.io
Annex 1: Processing Details (UK GDPR / Article 28 Schedule)
A. Subject matter
Provision of Fernly's SaaS platform, including lead discovery, CRM/pipeline, outreach tooling, client portal features, storage, and customer support.
B. Duration
For the duration of Customer's subscription and any deletion/backup retention periods described in Section 9.
C. Nature of Processing
Collection, storage, organisation, retrieval, consultation, use, disclosure (as directed by Customer), alignment/combination, restriction, erasure, and destruction of Customer Content.
D. Purposes of Processing
To provide the Services in accordance with the Terms of Service and Customer's use/configuration of the Services, including support, security, and maintenance.
E. Categories of Data Subjects
May include (depending on Customer's use):
- Customer's users (employees/contractors)
- Customer's clients and client portal users
- Prospective customers/leads/contacts stored in the Customer workspace
- Individuals included in outreach lists
F. Categories of Personal Data
May include (depending on Customer's use):
- Identity and contact data (name, email, phone number)
- Business listing/contact information (e.g., business name, address/area, phone/email where present)
- Client portal data (project milestones, uploaded files, communications)
- Email/outreach metadata (sender/recipient, subject lines, timestamps, open events where enabled)
- Account/workspace identifiers and access roles
- Technical/usage logs relating to Customer users' actions in the Services
G. Special category data
Fernly does not require the Processing of special category data for the normal operation of the Services. Customer should not upload special category data unless explicitly required and appropriate safeguards and instructions are agreed.
H. Controller obligations and rights
Customer determines the purposes and means of Processing of Personal Data within Customer Content and is responsible for:
- lawful basis and transparency notices,
- data accuracy and minimisation,
- responding to Data Subject requests as controller,
- ensuring outreach compliance with applicable law.
Annex 2: Technical and Organisational Measures (TOMs)
Fernly maintains a security programme appropriate to the risks of Processing, which may include the following measures (implemented as applicable to Fernly's environment and Services):
1) Access controls
- Role-based access control for internal systems
- Least privilege access
- Administrative access restricted and monitored
2) Encryption
- Encryption in transit (TLS) for Service communications
- Encryption at rest where supported by infrastructure providers and configuration
3) Authentication and credential security
- Secure password hashing for user credentials (where password-based auth is used)
- Session management controls and secure cookie settings where applicable
4) Logging and monitoring
- System and security event logging
- Monitoring for suspicious activity and abuse patterns
5) Vulnerability and change management
- Regular dependency updates and vulnerability remediation processes
- Controlled deployment processes
6) Data isolation
- Logical separation between customer workspaces (multi-tenant access controls)
- Controls to prevent unauthorised cross-tenant access
7) Backups and resilience
- Backup and recovery procedures
- Disaster recovery planning commensurate with the Services
8) Incident response
- Processes for detection, triage, containment, remediation, and notification of Security Incidents
Fernly may update TOMs over time provided that updates do not materially reduce the overall level of security.