Data Processing Agreement
This Data Processing Agreement (the "DPA") sets out the standard terms on which Finray Technologies Ltd ("Finray", "we", "us", "our") processes Personal Data on behalf of a client (the "Controller") in connection with a Finray platform engagement. It is incorporated by reference into the executed order form or master services agreement between Finray and the Controller and applies to the extent Finray acts as a Processor of Personal Data within the meaning of GDPR Article 4(8).
1. Definitions
Capitalised terms not defined here have the meaning given in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") or the executed order form. Where Finray engages a sub-processor, that sub-processor is a "Sub-processor" within the meaning of GDPR Article 28(2).
2. Subject matter, duration, and scope of processing
The subject matter, duration, nature, and purpose of processing — together with the categories of Personal Data and Data Subjects — are set out in the executed order form. Processing is carried out for the sole purpose of enabling the Controller to operate the Finray platform service identified in that order form, and ends on termination of that engagement (subject to the post-termination provisions in clause 9).
3. Processor obligations
Finray will:
- process Personal Data only on documented instructions from the Controller, except where required by Union or Member State law;
- ensure that personnel authorised to process Personal Data are bound by confidentiality obligations of equivalent stringency to those in the master agreement;
- implement appropriate technical and organisational measures consistent with GDPR Article 32, including those described in clause 5 below;
- assist the Controller in fulfilling its obligations to respond to Data Subject rights requests, security-incident notifications, Data Protection Impact Assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and information available;
- at the choice of the Controller, delete or return all Personal Data after the end of the provision of the services and delete existing copies, save where applicable law requires retention.
4. Sub-processors
The Controller authorises Finray to engage Sub-processors for the provision of the services. The list of Sub-processors in effect as at the date of the executed order form is provided to the Controller on request and is updated from time to time. Where Finray intends to add or replace a Sub-processor that has access to Personal Data, the Controller will be notified at least 30 days in advance and may object on reasonable data-protection grounds; if such objection cannot be resolved, the Controller may terminate the affected service for convenience without liability.
Finray remains liable to the Controller for the acts and omissions of its Sub-processors as if they were Finray's own.
5. Security of processing
Finray applies the security measures described in section 8 of our Privacy Policy, which include AES-256 encryption at rest, encrypted backups stored within the Republic of Cyprus, IP allow-listing, MFA-delete on log and backup buckets, KMS-managed encryption keys, encrypted VPN links for traffic in transit, and ISO 27001-aligned access-control practices. The applicable measures for a specific engagement are summarised in the executed order form.
6. Personal data breach notification
Where Finray becomes aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller, Finray will notify the Controller without undue delay and in any event within 48 hours of becoming aware. The notification will provide, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
7. International data transfers
Personal Data is processed within the European Economic Area unless otherwise specified in the executed order form. Where a transfer of Personal Data outside the EEA is necessary, that transfer will be governed by an appropriate transfer mechanism under GDPR Chapter V, including the Standard Contractual Clauses adopted by the European Commission, supplemented where required by additional safeguards identified through a transfer impact assessment.
8. Audits and inspections
Finray will make available to the Controller, on reasonable request and no more than once per calendar year (save where required following a Personal Data Breach or by a supervisory authority), evidence of its compliance with this DPA. Such evidence may include the most recent independent third-party audit report (e.g. ISO 27001 surveillance audit summary), security questionnaires, and written responses. On-site audits by the Controller, or an auditor appointed by the Controller and reasonably acceptable to Finray, are subject to reasonable advance notice, confidentiality terms, and Finray's standard professional-fees reimbursement.
9. Term, return, and deletion
This DPA remains in effect for the duration of the underlying services engagement. On termination or expiry, Finray will, at the Controller's written election, delete or return all Personal Data processed under this DPA, and delete existing copies, save to the extent retention is required by applicable law. Where retention is required, Finray will continue to apply this DPA's protections to the retained data.
10. Liability and conflicts
The liability of the parties under this DPA is governed by the limitations and exclusions set out in the underlying master agreement or order form. In the event of conflict between this DPA and the underlying agreement on a data-protection matter, this DPA prevails to the extent of the conflict.
11. Contact
Questions about this DPA, or requests for the current Sub-processor list, may be directed to info@finray.tech.