Data Processing Agreement
GDPR-, CCPA- and FADP-compliant data processing terms
Effective March 25, 2026 · Version 3.0
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between Third Axis, LLC d/b/a Foveate (“Processor” or “Foveate”) and the entity identified below (“Controller” or “Client”) for the provision of the Foveate platform services.
This DPA reflects the parties' commitment to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”), the Swiss Federal Act on Data Protection (“FADP”), and other applicable privacy regulations.
| Controller | [Client Legal Name, Address, Contact Email] |
| Processor | Third Axis, LLC d/b/a Foveate, 32 Mulberry, New York, 10013 · legal@foveate.com |
Data Protection Officer: Ian Petrarca (legal@foveate.com)
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed by Foveate on behalf of the Controller in connection with the Services.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- “Subprocessor” means any third party engaged by Foveate to process Personal Data on behalf of the Controller.
- “Services” means the Foveate platform and related services provided under the main agreement.
- “Security Incident” means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Scope and Purpose of Processing
3.1 Subject Matter
Foveate processes Personal Data to provide the Services, which include hosting, displaying, and tracking interactive presentations created by the Controller.
3.2 Duration
Processing continues for the duration of the main services agreement plus any retention period required by law or specified in Section 10 of this DPA.
3.3 Nature and Purpose
The purpose of processing is to:
- Host and deliver presentation content uploaded by the Controller.
- Authenticate and manage user access to the Controller's workspace.
- Provide analytics on viewer engagement with presentations.
- Enable collaboration features among the Controller's team members.
- Process payments and maintain billing records.
3.4 Categories of Data Subjects
- Controller's employees and team members with Foveate accounts.
- Viewers who access presentations shared by the Controller.
- Individuals depicted in or referenced by presentation content.
3.5 Categories of Personal Data
| Category | Examples |
|---|---|
| Account data | Name, email address, organization name, profile photo |
| Usage data | Login timestamps, feature usage, IP addresses |
| Viewer analytics | View timestamps, duration, approximate location (city-level), device type |
| Content data | Any personal data contained within presentations uploaded by Controller |
| Billing data | Billing contact name, address, payment method (via Stripe) |
4. Controller Obligations
The Controller warrants and agrees that:
- It has a lawful basis for Processing Personal Data and has provided any required notices to Data Subjects.
- All instructions to Foveate regarding Processing will comply with applicable data protection laws.
- It will not upload or process Special Category Data (e.g., health, biometric, racial/ethnic origin) unless explicitly agreed in writing.
- It will maintain appropriate security measures on its own systems and ensure authorized users comply with confidentiality obligations.
5. Processor Obligations
Foveate agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 6.
- Assist the Controller in responding to Data Subject requests as described in Section 7.
- Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations.
- Delete or return all Personal Data upon termination as described in Section 10.
- Make available information necessary to demonstrate compliance and allow for audits as described in Section 11.
6. Security Measures
Foveate maintains the following technical and organizational measures to protect Personal Data:
6.1 Infrastructure Security
- Cloud platform: Google Cloud Platform with SOC 2, ISO 27001, and FedRAMP certifications.
- Encryption in transit: TLS 1.2+ for all data transmission.
- Encryption at rest: AES-256 for all stored data.
- Network protection: Firewalls, DDoS mitigation, and intrusion detection.
6.2 Access Controls
- Authentication: Multi-factor authentication required for all administrative access.
- Authorization: Role-based access control with least-privilege principles.
- Access logging: Comprehensive audit logs of all data access.
6.3 Operational Security
- Vulnerability management: Regular scanning and timely patching of identified vulnerabilities.
- Incident response: Documented procedures per our Data Breach Management Policy.
- Business continuity: Automated backups and disaster recovery procedures.
- Personnel: Background checks and security training for all personnel with data access.
7. Data Subject Rights
Foveate will assist the Controller in responding to Data Subject requests to exercise their rights under applicable law, including:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object
Foveate will notify the Controller within 5 business days of receiving any Data Subject request and will not respond directly unless authorized by the Controller or required by law.
The Controller may use Foveate's administrative tools to fulfill many requests directly (e.g., data export, account deletion).
8. Subprocessors
8.1 Authorization
The Controller provides general authorization for Foveate to engage Subprocessors to perform specific processing activities. Foveate will:
- Maintain a current list of Subprocessors, available on our Subprocessors page.
- Notify the Controller at least 14 days before adding or replacing a Subprocessor.
- Enter into written agreements with Subprocessors imposing data protection obligations equivalent to this DPA.
8.2 Objection
If the Controller objects to a new Subprocessor on reasonable data protection grounds, the parties will work in good faith to resolve the concern. If no resolution is reached within 30 days, the Controller may terminate the affected Services without penalty.
8.3 Current Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting, database, storage | US / EU (configurable) |
| Firebase (Google) | Authentication, real-time database | US / EU |
| Cloud Firestore | Database storage and retrieval | US / EU |
| Stripe | Payment processing | US |
| Mux | Video processing and delivery | US |
| Fal.ai | AI inference and model execution | US |
The authoritative Subprocessor List is maintained at foveate.com/legal/subprocessors and is updated with at least 14 days' prior notice per Section 8.1.
9. International Transfers
Personal Data may be transferred to countries outside the European Economic Area (“EEA”) or Switzerland. Foveate ensures that such transfers are protected by:
- Adequacy decisions: Transfers to countries recognized as providing adequate protection.
- Standard Contractual Clauses: the EU Standard Contractual Clauses (Module Two) set out in Annex A govern transfers to the US and to other countries without an adequacy decision.
- Supplementary measures: Encryption, access controls, and other technical measures to protect data in transit and at rest.
For Swiss data transfers, the parties agree that the SCCs apply with the modifications specified by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Transfer Impact Assessments: Foveate conducts a TIA for each US-based Subprocessor, evaluating the applicable legal framework, the risk of government access, and the supplementary technical measures (AES-256 encryption at rest, RBAC, access logging) applied to the transferred data. TIA documentation is available upon request.
9A. CCPA Service Provider Provisions
To the extent Foveate processes personal information of California consumers on behalf of the Controller, Foveate acts as a “service provider” under CCPA §1798.140(ag) and agrees to:
- Not sell or share personal information received from the Controller.
- Not retain, use, or disclose personal information outside the direct business relationship with the Controller.
- Not combine personal information received from the Controller with personal information collected from other sources, except as permitted by CCPA.
- Comply with applicable CCPA obligations and provide the same level of privacy protection as required by the CCPA.
- Notify the Controller if Foveate determines it can no longer meet its CCPA obligations.
- Require all subprocessors that access personal information of California consumers to agree in writing to the same restrictions and obligations.
10. Data Retention and Deletion
Upon termination of the Services agreement:
- Controller may export their data using Foveate's export tools for up to 30 days after termination.
- Foveate will delete all Personal Data within 90 days of termination, except for the categories given a longer retention period in the table below and where retention is required by law.
- Upon written request, Foveate will provide written certification of deletion.
Backup copies may be retained in accordance with Foveate's backup retention schedule but will not be actively processed and will be deleted according to the normal backup rotation.
| Data Category | Retention After Termination | Basis |
|---|---|---|
| Client content (presentations, media) | 30 days (export window) | Contract |
| Account information | 30 days | Contract |
| Viewer analytics | 30 days | Legitimate interest |
| Billing and transaction records | 7 years | Tax/legal obligation (IRC §6501) |
| Audit and access logs | 1 year | Security |
| Backups | 90 days (rolling deletion) | Business continuity |
| Communication records | 2 years | Legitimate interest |
Billing and transaction records (7 years), communication records (2 years) and audit and access logs (1 year) are the exceptions to the general 90-day deletion timeline; the 7-year period is required for tax compliance, and the other two rest on the bases stated in the table. All remaining categories are deleted within 90 days of termination.
11. Audits
Foveate will make available to the Controller information necessary to demonstrate compliance with this DPA. Upon reasonable notice and no more than once per year, the Controller may:
- Request completion of a security questionnaire.
- Request copies of relevant certifications, audit reports (e.g., SOC 2), or penetration test summaries.
- Conduct or commission an audit of Foveate's processing activities, at Controller's expense, subject to reasonable confidentiality obligations.
12. Security Incidents
In the event of a Security Incident affecting Personal Data processed on behalf of the Controller, Foveate will:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the incident.
- Provide information about the nature of the incident, categories and approximate number of affected records, likely consequences, and measures taken or proposed.
- Cooperate with the Controller's investigation and any required notifications to supervisory authorities or Data Subjects.
- Document the incident and remediation in accordance with our Data Breach Management Policy.
The 48-hour window is Foveate's contractual implementation of the processor's duty under GDPR Art. 33(2) to notify the Controller without undue delay. The 72-hour deadline in Art. 33(1) applies to the Controller's own notification of its supervisory authority and is not discharged by Foveate's notice: Foveate's notice leaves the Controller at least 24 hours of that deadline to assess the incident and file, so the Controller should have its own notification procedure ready to run from the moment Foveate's notice is received.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability in the main services agreement, except that neither party limits its liability for:
- Breaches of confidentiality obligations.
- Willful misconduct or gross negligence.
- Liability that cannot be limited under applicable law.
14. Term
This DPA is effective as of the date of the main services agreement and continues until all Personal Data is deleted or returned in accordance with Section 10.
15. Governing Law
This DPA is governed by the laws specified in the main services agreement. For matters relating to GDPR compliance, the laws of the EU Member State where the Controller is established shall apply to the extent required by GDPR.
16. Amendments
Foveate may update this DPA to reflect changes in applicable law or our processing activities. Material changes will be communicated with at least 30 days' notice. Continued use of the Services after the effective date of changes constitutes acceptance.
17. EU AI Act Transparency (Article 50)
In accordance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689), Foveate provides the following transparency disclosures regarding AI systems used within the Service:
- AI system classification: Foveate's AI features (presentation generation, content suggestions, rendering assistance) do not process sensitive data as defined under GDPR Article 9 and are not classified as high-risk AI systems under Annex III of the EU AI Act.
- AI interaction disclosure: Users are clearly informed when they are interacting with an AI system. AI-generated content is identified as such within the Service interface. Users retain full editorial control over all AI outputs.
- Content labeling: AI-generated or AI-manipulated content (images, text, presentation elements) is labeled to ensure users can distinguish between human-created and AI-generated content before sharing with third parties.
- Technical documentation: Foveate maintains documentation of AI processing activities, including the purpose, scope, and limitations of AI features, available to enterprise customers upon request.
- Human oversight: All AI features are user-initiated and require human review before outputs are finalized or shared. No AI system within Foveate makes autonomous decisions with legal or similarly significant effects on individuals.
Foveate monitors evolving EU AI Act obligations and will update these disclosures as regulatory guidance and implementing measures are published.
Annex A: Standard Contractual Clauses (EU Commission Implementing Decision 2021/914)
The following sets out the completed EU Standard Contractual Clauses (Module Two: Controller to Processor) adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. These SCCs form an integral part of this DPA and are legally binding.
Section I: General Provisions
Clause 1 — Purpose and Scope
The purpose of these Standard Contractual Clauses is to ensure compliance with Article 46(2)(c) of Regulation (EU) 2016/679 for the transfer of personal data to a third country.
The parties are: the Controller identified in Section 1 of this DPA (the “data exporter”) and Third Axis, LLC d/b/a Foveate (the “data importer”).
Clause 2 — Effect and Invariability
These Clauses set out appropriate safeguards including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and 46(2)(c) of Regulation (EU) 2016/679. These Clauses shall not be modified except to add or update information in the Annexes. This does not prevent the parties from including the SCCs in a wider contract or adding other clauses, provided they do not contradict the SCCs.
Clause 3 — Third-Party Beneficiaries
Data subjects may invoke and enforce these Clauses as third-party beneficiaries, to the extent provided for Module Two: Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; Clause 8.1(b), 8.9(a), (c), (d) and (e); Clause 9(a), (c), (d) and (e); Clause 12(a), (d) and (f); Clause 13; Clause 15.1(c), (d) and (e); Clause 16(e); and Clause 18(a) and (b).
Clause 4 — Interpretation
These Clauses shall be interpreted in the light of the provisions of Regulation (EU) 2016/679. The Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in the GDPR.
Clause 5 — Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the parties, these Clauses shall prevail.
Clause 6 — Description of Transfer(s)
The details of the transfer, including the categories of personal data, the purposes of processing, the categories of data subjects, and the frequency of transfer, are set out in Annex B to these Clauses.
Clause 7 — Docking Clause
[INCLUDED] An entity that is not a party to these Clauses may accede to them at any time with the agreement of all parties, by completing the Annexes and signing Annex D.
Section II: Obligations of the Parties
Clause 8 — Data Protection Safeguards (Module Two: Controller to Processor)
The data importer shall process personal data only on documented instructions from the data exporter as set out in Section 5 of this DPA, unless required by EU or Member State law. The data importer shall immediately inform the data exporter if it is unable to follow those instructions. The data importer shall:
- 8.1 Instructions: Process personal data only on documented instructions from the data exporter, including with regard to transfers, unless required to do so by Union or Member State law. In such a case, the data importer shall inform the data exporter of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- 8.2 Purpose limitation: Process personal data only for the specific purpose(s) of the transfer as set out in Annex B.
- 8.3 Transparency: Make available to data subjects a copy of these Clauses upon request. Where necessary to protect business secrets, the data importer may redact the text before sharing, but shall provide a meaningful summary.
- 8.4 Accuracy: Inform the data exporter without undue delay if the data importer becomes aware that the personal data it has received is inaccurate or has become outdated, and cooperate with the data exporter to erase or rectify that data.
- 8.5 Duration and erasure: Process the data for no longer than the duration specified in Annex B. After the end of the provision of processing services, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return all personal data and delete existing copies, unless EU or Member State law requires storage.
- 8.6 Security: Implement the technical and organizational measures specified in Annex C and Section 6 of this DPA to ensure the security of the data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
- 8.7 Sensitive data: Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person's sex life or sexual orientation (Article 9 GDPR), the data importer shall apply specific restrictions and additional safeguards. Foveate does not knowingly process such data and requires prior written agreement before any such data is transferred.
- 8.8 Onward transfers: The data importer shall only disclose personal data to a third party on documented instructions from the data exporter. Onward transfers to subprocessors are governed by Clause 9.
- 8.9 Documentation and compliance: The data importer shall be able to demonstrate compliance with these Clauses and shall deal promptly and adequately with inquiries from the data exporter about processing.
Clause 9 — Use of Sub-processors
[Option 2: General Written Authorization] The data importer has the data exporter's general authorization for the engagement of sub-processors from an agreed list (see Subprocessor List). The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, giving the data exporter sufficient time to object. The data importer shall impose on the sub-processor, by way of contract, the same data protection obligations as set out in these Clauses.
Clause 10 — Data Subject Rights
The data importer shall promptly notify the data exporter of any data subject request it receives and shall not respond to that request itself unless authorised to do so by the data exporter. It shall assist the data exporter in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). See Section 7 of this DPA for detailed procedures.
Clause 11 — Redress
[Optional independent dispute resolution body: NOT INCLUDED] The data importer shall inform data subjects of a contact point authorised to handle complaints and shall deal promptly with any complaint it receives. Data subjects may also lodge a complaint with the competent supervisory authority identified in Clause 13.
Clause 12 — Liability
Each party shall be liable to the data subject(s) for any material or non-material damages it causes by any breach of these Clauses. Where more than one party is responsible for any damage caused to the data subject, all responsible parties shall be jointly and severally liable. The data subject may bring a claim against each or both parties.
Clause 13 — Supervision
The supervisory authority responsible for ensuring compliance by the data exporter with Regulation (EU) 2016/679 shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR (Art. 3(2)), the supervisory authority of the Member State in which the data exporter's representative is established shall act as the competent supervisory authority. The data importer agrees to submit to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses.
Section III: Local Laws and Obligations in Case of Access by Public Authorities
Clause 14 — Local Laws and Practices Affecting Compliance
The parties warrant that they have no reason to believe that the laws and practices in the United States applicable to the data importer's processing of personal data, including any requirements to disclose data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. Foveate has assessed the US legal framework, including the EU-US Data Privacy Framework, FISA Section 702 and Executive Order 14086, and has determined that the supplementary technical measures (AES-256 encryption, RBAC, access logging) provide effective safeguards for transferred data. These measures limit access by unauthorized third parties and by Foveate personnel without a need to know; they do not by themselves prevent disclosure compelled from Foveate, which is handled under Clause 15.
Clause 15 — Obligations in Case of Access by Public Authorities
15.1 Notification: The data importer shall promptly notify the data exporter if it receives a legally binding request from a public authority for disclosure of personal data transferred under these Clauses, or becomes aware of any direct access by public authorities. If prohibited from notifying the data exporter, the data importer shall use best efforts to obtain a waiver of the prohibition.
15.2 Review of legality and data minimization: The data importer shall review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and shall challenge it if it concludes there are reasonable grounds that the request is unlawful. The data importer shall provide the minimum amount of information permissible when responding to a request, based on a reasonable interpretation of the request.
Section IV: Final Provisions
Clause 16 — Non-Compliance and Termination
The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. In that case the data exporter shall suspend the transfer until compliance is ensured or the contract is terminated, and may terminate the contract where the data importer is in substantial or persistent breach of these Clauses or fails to comply with a binding decision of a competent court or supervisory authority. Upon termination, the data importer shall promptly return or delete the personal data transferred and certify this to the data exporter.
Clause 17 — Governing Law
[Option 2] These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where that law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does.
Clause 18 — Choice of Forum and Jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State; the parties agree that these shall be the courts of the EU Member State in which the data exporter is established. A data subject may also bring proceedings against the data exporter and/or the data importer before the courts of the Member State of his or her habitual residence.
Annex B: Description of Transfer
| Data exporter | The Controller identified in Section 1 of this DPA |
| Data importer | Third Axis, LLC d/b/a Foveate, 32 Mulberry, New York, 10013 |
| Categories of data subjects | Controller's employees and team members; viewers of shared presentations; individuals referenced in presentation content |
| Categories of personal data | Account data (name, email, organization), usage data (login timestamps, IP addresses), viewer analytics (view duration, approximate location), content data, billing data |
| Sensitive data | None. Special category data (Art. 9 GDPR) is not knowingly processed without prior written agreement. |
| Frequency of transfer | Continuous, for the duration of the Services agreement |
| Nature and purpose of processing | Hosting and delivering presentations, authenticating users, providing viewer analytics, enabling collaboration, processing payments, powering AI features |
| Retention period | As specified in Section 10 of this DPA |
| Competent supervisory authority | The supervisory authority of the EU Member State in which the data exporter is established |
Annex C: Technical and Organizational Measures
The data importer implements the following technical and organizational measures to ensure the security of personal data (as detailed in Section 6 of this DPA):
- Encryption in transit: TLS 1.2+ for all data transmission
- Encryption at rest: AES-256 for all stored data on Google Cloud Platform
- Access controls: Multi-factor authentication for all administrative access; role-based access control with least-privilege principles
- Audit logging: Comprehensive audit logs of all data access, retained for 1 year
- Network security: Firewalls, DDoS mitigation, intrusion detection on Google Cloud
- Vulnerability management: Regular scanning and timely patching
- Incident response: Documented procedures with 48-hour notification commitment
- Business continuity: Automated backups with 90-day rolling retention and disaster recovery procedures
- Personnel: Background checks, confidentiality obligations, and security training for all personnel with data access
- Certifications: Google Cloud Platform: SOC 2 Type II, ISO 27001, FedRAMP; Stripe: SOC 2 Type II, PCI DSS Level 1
For questions about this DPA, contact legal@foveate.com.