FixVibe

Data Processing Addendum

last updated · 2026-05-07

// scope

This Addendum forms part of the Terms of Service between EGO HERO LLC (“FixVibe”, the “Processor”) and the Customer (the “Controller”) and applies whenever FixVibe processes Personal Data on the Customer's behalf in the course of providing the Service. By using the Service, the Customer accepts this Addendum.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) and, where applicable, the UK GDPR / Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and equivalent laws of other jurisdictions.

“Personal Data” means data submitted by the Customer or generated by the Service that identifies or relates to an identified or identifiable natural person. “Sub-processor” means a third party engaged by FixVibe to process Personal Data on FixVibe's behalf — listed at /legal/privacy.

2. Roles and instructions

Each party is independently responsible for compliance with the Data Protection Laws applicable to it. The Customer is the Controller and FixVibe is the Processor of Personal Data processed under this Addendum. FixVibe will process Personal Data only on the documented instructions of the Customer (the Service's configuration constitutes such instructions), except where required by law to do otherwise.

3. Confidentiality and access

FixVibe ensures personnel authorised to process Personal Data are bound by confidentiality obligations. Access to production data is restricted to a least-privilege subset of operations staff, logged via audit_logs, and reviewed periodically. FixVibe employees do not access Customer data except to investigate support tickets, respond to security incidents, or comply with legal process.

4. Security measures

FixVibe implements appropriate technical and organisational measures consistent with GDPR Art. 32, including:

  • encryption of Personal Data in transit (TLS 1.2+) and at rest (database disk-level + targeted column-level AES-256-GCM for authenticated-scan headers and OAuth tokens);
  • force row-level security on every database table — application code cannot read or write across organisational boundaries even by mistake;
  • per-user multi-factor authentication via the upstream OAuth provider (Google or GitHub) where the Customer chooses social sign-in;
  • continuous static analysis + dependency vulnerability scanning of the FixVibe codebase itself;
  • backups via the database provider with point-in-time recovery; tested annually;
  • defined retention periods (see Privacy Policy) enforced by an automated daily cron, not a paper promise.

5. Sub-processors

The Customer authorises FixVibe to engage the Sub-processors listed in the Privacy Policy for the purposes described there. FixVibe enters into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those in this Addendum, and remains liable to the Customer for the Sub-processor's acts and omissions in respect of its processing of Personal Data.

FixVibe will notify the Customer (via in-app notice or email) of any intended addition or replacement of Sub-processors at least 30 days in advance, giving the Customer the opportunity to object. If the Customer objects on reasonable data-protection grounds, the Customer may terminate the Service with respect to the affected processing.

6. International transfers

FixVibe processes Personal Data primarily in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country that has not received an adequacy decision, FixVibe relies on:

  • the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 (controller-to-processor), incorporated into this Addendum by reference;
  • the UK's International Data Transfer Addendum to the EU SCCs (or the IDTA standalone), as published by the ICO;
  • the supplementary technical and organisational measures described in Section 4.

The Customer authorises FixVibe to enter into the SCCs / IDTA with each onward Sub-processor on the Customer's behalf.

7. Data subject rights

FixVibe will assist the Customer (taking into account the nature of the processing and the information available) to respond to data subject requests under Articles 15–22 GDPR. Most rights are self-serve from Account → Privacy; for residual requests, the Customer may email support@fixvibe.app with subject “Privacy request”. We respond within 30 days.

8. Personal data breach

FixVibe will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach affecting Customer Personal Data, providing such information as the Customer reasonably requires to comply with its own Article 33 / 34 obligations, including the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and the measures taken or proposed to address it.

9. Audits

FixVibe makes available to the Customer the information necessary to demonstrate compliance with this Addendum, including this document, the Privacy Policy, the Acceptable Use Policy, the Terms, and any third-party security reports we hold (we will share these under NDA on request). FixVibe will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, on reasonable advance notice and during business hours, no more than once per calendar year (except where a regulator requires otherwise or in the event of a Personal Data breach).

10. Deletion or return

On termination of the Service, and at the Customer's choice, FixVibe will delete or return all Personal Data processed on the Customer's behalf within 30 days, except to the extent FixVibe is required by applicable law to retain it (e.g. tax / billing records). The self-serve account deletion flow at Account → Privacy triggers this immediately.

11. CCPA addendum (California)

For the purposes of the CCPA, FixVibe is a “Service Provider” and the Customer is a “Business” with respect to any Personal Information processed under this Addendum. FixVibe will not:

  • sell or share (as those terms are defined under the CCPA) Personal Information;
  • retain, use, or disclose Personal Information for any purpose other than the specific business purpose of providing the Service, including outside of the direct business relationship between FixVibe and the Customer;
  • combine Personal Information received from the Customer with Personal Information received from any other source, except as expressly permitted by the CCPA.

FixVibe certifies that it understands and will comply with these restrictions.

12. Order of precedence

In the event of conflict between this Addendum and the Terms of Service, this Addendum prevails to the extent of the conflict. The SCCs / IDTA prevail over both where they apply.

13. Contact

For all data-protection matters, including the exercise of data subject rights and inquiries about Sub-processors, contact EGO HERO LLC:

  • email: support@fixvibe.app (use subject line “DPA” for routing)
  • postal: address available on request via the email above