Data Processing Addendum (DPA)

This Data Processing Addendum (the “DPA”) forms part of, and is incorporated into, the Customer Terms of Service or other written agreement between Fiskl Limited (“Fiskl”) and the Customer (“Customer”) (together, the “Agreement”). It governs Fiskl’s processing of personal data on behalf of the Customer in connection with the Fiskl Platforms.

This DPA is designed to satisfy:

  • Article 28 of the UK GDPR;
  • Article 28 of the EU GDPR;
  • equivalent processor-engagement requirements under other applicable data protection laws (LGPD, PIPEDA, POPIA, PDPA, UAE PDPL, Swiss FADP, and others as applicable).

Cross-border transfers are addressed in Section 7 and in Annex IV (EU SCCs and UK IDTA).

If you are a Customer that requires a counter-signed DPA for your records, request one at dpo@fiskl.com. The signed copy will mirror this published version.

1. Definitions

Definitions in the Customer Terms of Service apply to this DPA. The following additional definitions apply:

“Applicable Data Protection Law” means each law governing the processing of personal data that applies to a Party, including UK GDPR, EU GDPR, the UK Data Protection Act 2018, US state privacy laws, LGPD, PIPEDA, POPIA, PDPA, UAE PDPL, and equivalents.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Special Categories of Personal Data” have the meanings given in UK GDPR / EU GDPR and equivalents.

“Customer Personal Data” means Personal Data within Customer Data, processed by Fiskl as Processor on behalf of the Customer.

“EU SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in their then-current form.

“UK IDTA” means the UK International Data Transfer Agreement and the UK Addendum to the EU SCCs, issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018.

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with another entity, where “control” means ownership of more than 50% of voting interests or equivalent power to direct management.

“Controller Affiliate” means an Affiliate of the Customer that (a) is subject to Applicable Data Protection Law of the EEA, the UK, or Switzerland, (b) is permitted to use the Fiskl Platforms under the Agreement between the Customer and Fiskl, (c) has not signed its own Order Form and is not itself a “Customer” under the Agreement, and (d) is the Controller of Customer Personal Data processed by Fiskl.

“Fiskl Group” means Fiskl Limited and its Affiliates engaged in the Processing of Customer Personal Data.

“Sub-processor” means a third party engaged by Fiskl or any member of the Fiskl Group to process Customer Personal Data, as listed at https://fiskl.com/legal/fiskl-subprocessors/.

“Personal Data Breach” has the meaning given in UK GDPR / EU GDPR Article 4(12).

“Restricted Transfer” means a transfer of Personal Data from a jurisdiction whose laws restrict cross-border transfers to a country that does not benefit from an adequacy decision or equivalent recognition.

2. Roles and scope

2.1 Roles

For Customer Personal Data processed under the Agreement:

  • the Customer is the Controller (or, where the Customer itself is a processor for a third-party controller, the Customer is the Processor and Fiskl is the Sub-processor);
  • Fiskl is the Processor, processing Customer Personal Data only on the Customer’s documented instructions.

2.2 Other Information

This DPA does not apply to Personal Data for which Fiskl is the Controller (such as Account information of the Customer’s representatives, Usage data, and Aggregated Data), which is governed by the Privacy Policy.

2.3 Scope of processing

The subject matter, duration, nature, purpose, and categories of processing are described in Annex I.

2.4 Customer instructions

The Agreement, this DPA, and the Customer’s use of the Fiskl Platforms constitute the Customer’s documented instructions to Fiskl. Additional instructions may be given in writing (including by email to dpo@fiskl.com). Fiskl will inform the Customer if, in Fiskl’s reasonable opinion, an instruction infringes Applicable Data Protection Law, and may suspend the relevant processing pending resolution.

2.5 Controller Affiliates

By executing or accepting this DPA, the Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, on behalf of its Controller Affiliates. This establishes a separate DPA between Fiskl and each Controller Affiliate, on the same terms as this DPA. Each Controller Affiliate is bound by the obligations of this DPA but is not a party to the Agreement except through this DPA.

The Customer that is the contracting party to the Agreement is responsible for coordinating all communication with Fiskl under this DPA on behalf of its Controller Affiliates. Where Applicable Data Protection Law requires a Controller Affiliate to exercise rights or seek remedies directly, the Controller Affiliate may do so against Fiskl. In all other cases, the Customer exercises rights and remedies in a combined manner for all of its Controller Affiliates.

Where the Customer (or a Controller Affiliate) carries out an audit under Section 8.2, the Customer must combine, where reasonably possible, audit requests on behalf of multiple Controller Affiliates into a single audit to limit operational impact on Fiskl.

2.6 Fiskl Platforms security non-degradation

Fiskl will not materially decrease the overall security of the Fiskl Platforms during a Subscription term. Where Fiskl makes a change that affects the technical and organisational measures in Annex II, it will make available to Customers updated information about those measures.

3. Fiskl obligations

Fiskl will:

  • process Customer Personal Data only on the Customer’s documented instructions, including with regard to international transfers, except where required by law (in which case Fiskl will inform the Customer of that legal requirement before processing, unless prohibited);
  • ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations or are under appropriate statutory obligations of confidentiality;
  • implement and maintain the technical and organisational measures set out in Annex II;
  • engage Sub-processors only as permitted under Section 6;
  • taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to Data Subject requests;
  • assist the Customer in ensuring compliance with the obligations under UK GDPR / EU GDPR Articles 32 to 36 (security, breach notification, data protection impact assessment, prior consultation), taking into account the nature of processing and the information available to Fiskl;
  • at the Customer’s choice, delete or return Customer Personal Data after the end of the provision of the Fiskl Platforms relating to processing, and delete existing copies, unless Applicable Data Protection Law requires storage;
  • make available to the Customer the information necessary to demonstrate compliance with the obligations in Article 28 GDPR and equivalents, and contribute to audits as set out in Section 8.

4. Customer obligations

The Customer:

  • is solely responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which it acquired and submitted it to the Fiskl Platforms;
  • warrants that it has all necessary rights, lawful bases, and (where required) consents to instruct Fiskl to process Customer Personal Data;
  • is responsible for providing required notices to its Data Subjects (including its customers, vendors, employees, and contractors whose data is included in Customer Personal Data) in accordance with Applicable Data Protection Law;
  • is responsible for the legal basis for Fiskl’s processing of Customer Personal Data for AI training and Data Products, where the Customer has not opted out under section 8.6 of the Customer Terms of Service. The Customer warrants that it is appropriate to invoke a legitimate interests basis (or other lawful basis) for that processing in respect of its Data Subjects.

5. Special categories of Personal Data

  • The Customer must not submit Customer Personal Data falling within UK GDPR / EU GDPR Article 9 (Special Categories of Personal Data) to the Fiskl Platforms unless the Customer has obtained explicit consent or has another lawful basis under Article 9, and has notified Fiskl in writing where ongoing processing of Special Categories is contemplated.
  • Special Categories of Personal Data are excluded by default from use in AI training and Data Products under section 8.6 of the Customer Terms of Service.
  • Where the Customer instructs Fiskl to process criminal-conviction or offence data under Article 10, equivalent restrictions apply.

6. Sub-processors

6.1 General authorisation

The Customer provides general authorisation for Fiskl to engage Sub-processors. The current list is at https://fiskl.com/legal/fiskl-subprocessors/.

6.2 Notification

Fiskl will notify the Customer of any intended addition or replacement of a Sub-processor by updating the Subprocessors page. Customers subscribed to Subprocessor change notifications will receive notice at least 30 days in advance, except in cases of emergency where shorter notice may be required.

6.3 Right to object

The Customer may object to a new Sub-processor on reasonable data protection grounds within the 30-day notice period, by emailing dpo@fiskl.com. The Parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Customer may terminate the affected Subscription on the terms of Section 11 and receive a pro-rata refund of unused fees. Until termination, Fiskl may continue processing using the existing Sub-processor stack.

6.4 Sub-processor terms

Fiskl imposes data protection obligations on Sub-processors that are no less protective than those imposed on Fiskl by this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

6.5 Liability for Sub-processors

Fiskl remains liable to the Customer for the performance of Sub-processors’ obligations to the same extent as if Fiskl performed those obligations directly.

7. International data transfers

7.1 General

Fiskl and its Sub-processors may transfer Customer Personal Data internationally as described in Section 7 of the Privacy Policy and in Annex III of this DPA.

7.2 EEA transfers

Where Fiskl transfers Customer Personal Data from the EEA to a country that does not benefit from an EU adequacy decision, the EU SCCs Module 2 (Controller to Processor) or Module 3 (Processor to Sub-processor) are incorporated into this DPA by reference, with the elections set out in Annex IV.

7.3 UK transfers

Where Fiskl transfers Customer Personal Data from the UK to a country not benefiting from a UK adequacy regulation, the UK IDTA, or the UK Addendum to the EU SCCs, is incorporated into this DPA by reference, with the elections set out in Annex IV.

7.4 Swiss transfers

Where Fiskl transfers Customer Personal Data from Switzerland under the FADP, the EU SCCs are incorporated with FDPIC-recognised modifications.

7.5 Other transfers

Where Applicable Data Protection Law of a country other than the UK, EEA, or Switzerland requires a specific cross-border transfer mechanism, the Parties will execute, or be deemed to execute, the relevant standard contractual clauses, model clauses, or equivalent mechanism applicable in that country, using the elections in Annex IV by analogy.

7.6 Supplementary measures

Where required by supervisory authority guidance (such as the European Data Protection Board’s guidance following Schrems II), the Parties acknowledge the technical, organisational, and contractual measures set out in Annex II as supplementary safeguards.

7.7 Banking data residency

Where Customer Personal Data is sourced from a banking integration partner subject to local banking residency obligations (for example, UAE banking data sourced via WIO Bank), Fiskl will preserve the residency of that data in line with applicable banking regulator requirements, even where the Customer is established in a different jurisdiction.

8. Audit

8.1 Information rights

Fiskl will make available to the Customer, on reasonable request, information necessary to demonstrate compliance with this DPA and Article 28 GDPR equivalents, including:

  • the most recent third-party audit reports of Fiskl’s information security programme (such as SOC 2 Type II, ISO 27001 certification, or equivalent), where available;
  • responses to reasonable security questionnaires;
  • summaries of penetration testing results;
  • the current version of this DPA, the Privacy Policy, and the Subprocessors page.

8.2 Audit rights

Where the information made available under Section 8.1 is insufficient and Applicable Data Protection Law requires an audit right, the Customer (or an independent auditor mandated by the Customer) may conduct an audit. Audits are subject to the following:

  • not more than once per 12-month period, except where Applicable Data Protection Law requires more frequent audit, or where there has been a Personal Data Breach affecting the Customer;
  • on at least 30 days’ written notice;
  • during normal business hours;
  • at the Customer’s cost (unless the audit identifies a material non-compliance, in which case Fiskl bears the reasonable cost);
  • subject to confidentiality obligations and minimum disruption to the Fiskl Platforms;
  • not extending to commercially sensitive information of Fiskl unrelated to the Customer’s data;
  • the auditor must not be a Fiskl competitor.

8.3 Regulatory cooperation

Fiskl will cooperate with supervisory authorities of competent jurisdiction in the performance of their tasks.

9. Personal Data Breach

9.1 Notification to Customer

Fiskl will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it, and in any event within 48 hours where reasonably practicable.

9.2 Information provided

The notification will include, to the extent known:

  • the nature of the Personal Data Breach;
  • categories and approximate numbers of Data Subjects and records concerned;
  • likely consequences;
  • measures taken or proposed to address the breach and mitigate adverse effects.

9.3 Cooperation

Fiskl will cooperate with the Customer and provide such assistance as the Customer reasonably requests to enable the Customer to meet its own breach-notification obligations to supervisory authorities and Data Subjects.

9.4 Customer notification responsibility

The Customer is responsible for notifying its supervisory authority and affected Data Subjects where required by Applicable Data Protection Law.

10. Data Subject rights

Fiskl will, taking into account the nature of the processing, provide the Customer with:

  • functionality in the Fiskl Platforms that allows the Customer to access, rectify, restrict, erase, export, or otherwise act upon Customer Personal Data on instructions from Data Subjects;
  • reasonable assistance with Data Subject requests that cannot be fulfilled through Service functionality alone, on terms reflecting the actual cost of assistance;
  • prompt forwarding to the Customer of any Data Subject request received directly by Fiskl that should be handled by the Customer as Controller.

11. Term, termination, and return or deletion of data

11.1 Term

This DPA continues for the term of the Agreement and survives termination to the extent processing of Customer Personal Data continues.

11.2 Return or deletion on termination

On termination of the Agreement:

  • the Customer has 30 days from termination to export Customer Personal Data using the export tools provided in the Fiskl Platforms;
  • after this period, Fiskl will delete Customer Personal Data, unless Applicable Data Protection Law requires retention or unless the Atlas Terms Supplement provides for transfer of an Atlas-managed Customer’s Account ownership to the Customer;
  • at the Customer’s written request, Fiskl will provide a written certification of deletion confirming that Customer Personal Data has been deleted from production systems in accordance with this DPA. The certification will identify any data retained under legal-retention obligations and the period of such retention;
  • Aggregated Data and AI models trained using Customer Personal Data prior to termination are governed by section 8.7 of the Customer Terms of Service and are not subject to the deletion obligation in this section.

11.3 Survival

Sections concerning confidentiality, sub-processor liability, audit, breach handling for breaches that occurred prior to termination, and these termination provisions survive.

12. Liability and indemnities

The Parties’ liability under this DPA is subject to the limitations set out in the Customer Terms of Service. Nothing in this DPA limits or excludes either Party’s liability where Applicable Data Protection Law prohibits such limitation or exclusion.

13. Conflict and precedence

In the event of conflict between this DPA, the Customer Terms of Service, the Atlas Terms Supplement (where applicable), and an Order Form, the order of precedence is as set out in section 17.1 of the Customer Terms of Service. For matters concerning processing of Personal Data, this DPA prevails over inconsistent provisions in the Customer Terms of Service or the Atlas Terms Supplement, except where those instruments grant stronger protection to Data Subjects.

In the event of conflict between this DPA and the EU SCCs / UK IDTA where they apply, the EU SCCs / UK IDTA prevail.

14. Governing law and jurisdiction

The governing law and jurisdiction of this DPA are as set out in section 16 of the Customer Terms of Service, except that:

  • the EU SCCs are governed by the law of an EU Member State chosen in Annex IV;
  • the UK IDTA is governed by the laws of England and Wales.

Annex I — Description of processing

Annex I.A — Parties

| | Controller | Processor |
|---|---|---|
| Name | The Customer | Fiskl Limited |
| Address | Customer’s billing address as held by Fiskl | 6A Thirlmere Road, London, N10 2DN, United Kingdom |
| Contact | Customer’s primary admin user | dpo@fiskl.com |
| Activities relevant to data transferred | Operation of the Customer’s business (accounting, invoicing, banking, financial management) | Provision of the Fiskl Platforms |
| Role | Controller (or Processor where the Customer is itself a Processor for a third-party Controller) | Processor |

Where the Customer is an Atlas firm acting on behalf of its end clients (and the end client is the Controller), the Atlas firm acts as Processor and Fiskl acts as Sub-processor in respect of that end client’s Customer Personal Data.

Annex I.B — Description of processing

Subject matter: Provision of the Fiskl Platforms to the Customer.

Duration: The term of the Agreement and the deletion period set out in Section 11.

Nature and purpose of processing:

  • Hosting and operating the Fiskl Platforms for the Customer;
  • Providing invoicing, expense management, banking integration, accounting, financial reporting, AI features (Fi), team management, integrations, and related functionality;
  • Providing the Atlas accountant portal where applicable;
  • Communicating with the Customer about the Fiskl Platforms;
  • Detecting and preventing fraud, abuse, and security incidents;
  • Complying with law.

Categories of Data Subjects:

  • Authorized Users of the Customer (employees, contractors, accountants, other invitees);
  • The Customer’s customers, clients, and end-users (information about whom appears in invoices, transactions, and account records);
  • The Customer’s vendors, suppliers, and other counterparties;
  • The Customer’s employees, contractors, and other personnel (including for time and mileage records);
  • Where applicable, the Customer’s Atlas firm contacts and clients.

Categories of Personal Data:

  • Identity and contact data (name, email, phone, address, business name);
  • Financial and transaction data (transactions, invoice amounts, payments, banking metadata);
  • Tax and registration identifiers (tax IDs, business registration numbers);
  • User account data (login credentials, role, permissions, MFA configuration — Atlas only);
  • Communications (support requests, AI conversation inputs and outputs, emails);
  • Usage and device data;
  • Documents and attachments uploaded by the Customer.

Special Categories of Personal Data: Not knowingly processed. The Customer is responsible for not submitting Special Categories without notifying Fiskl and ensuring a lawful basis under Article 9 (see Section 5).

Frequency of transfer: Continuous, for the term of the Agreement.

Annex I.C — Competent supervisory authority

For EEA matters, the supervisory authority of the EEA Member State in which the Customer (as Data Exporter) is established. For UK matters, the UK Information Commissioner’s Office. For other jurisdictions, the supervisory authority listed in section 9 of the Privacy Policy.

Annex II — Technical and Organisational Measures (TOMs)

Fiskl implements and maintains the technical and organisational measures set out below, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Specific configurations evolve with the state of the art; current configurations are confirmed in the Trust Center and on request to trust@fiskl.com.

1. Encryption and key management

  • Data in transit: TLS 1.3 (with TLS 1.2 only as a deprecated fallback to legacy clients where unavoidable);
  • Data at rest: AES-256 across cloud infrastructure (production database, object storage, backups);
  • Key management: AWS Key Management Service (AWS KMS), with managed customer master keys, automatic key rotation in line with AWS KMS best practice, and access-controlled use within the production environment;
  • Backups: encrypted at rest using the same standards.

2. Identity, authentication, and access control

  • Multi-factor authentication (MFA) is required for all users with access to the Fiskl Platforms or to Fiskl’s production environment, including:
    • Atlas Firm Users (delivered through AWS Cognito);
    • Customer administrators on standard Fiskl accounts;
    • Authorized Users where MFA is enabled by the Customer;
    • Fiskl personnel accessing engineering, production, and administrative systems.
  • Password policy (Fiskl personnel and Customer-administrator accounts where applicable):
    • minimum length of 32 characters;
    • rotation cadence not exceeding 90 days for credentials with access to production systems;
    • prohibition on password reuse and common-password lists;
    • secret-management infrastructure for production credentials.
  • Role-based access control (RBAC) within the Fiskl Platforms, with permissions granted on the principle of least privilege.
  • Access reviews: conducted quarterly; signed off by the Chief Technology Officer (or successor role) and recorded in Fiskl’s ISMS records.
  • Production access is restricted to authorised personnel under documented procedures, with named-user logging and segregation between development, staging, and production environments.

3. Confidentiality, integrity, availability, resilience

  • Multi-region cloud infrastructure on Amazon Web Services (primary) and Google Cloud (where applicable);
  • Logical separation between Customers and between Customer environments;
  • Industry-standard architecture for confidentiality, integrity, and availability of Customer Personal Data;
  • Disaster recovery and business continuity plans documented and reviewed periodically, with restoration procedures tested.

4. Backups

Fiskl operates a three-tier backup architecture for Customer Personal Data:

  • Tier 1 — Multi-region replication. Live replication across multiple AWS regions and instances, providing continuity in the event of a region-level failure;
  • Tier 2 — Daily snapshots. At-least-daily point-in-time snapshots of production data, retained in line with Fiskl’s recovery objectives;
  • Tier 3 — Long-term cold archival. Backups copied to AWS Glacier (or equivalent cold-storage tier) for longer-term retention and resilience against operational data loss.

All backups are encrypted at rest using the same standards as the production environment, protected by the same access controls, and restoration procedures are tested periodically. Backup management uses AWS-native mechanisms with the access and audit logging set out in Section 6.

5. Network and application security

  • DDoS protection, web application firewall, and bot protection delivered through Cloudflare;
  • Penetration testing conducted by an independent third party at least annually, with material findings remediated under a documented schedule;
  • Vulnerability scanning of the application, dependencies, and infrastructure on a monthly automated cadence, supplemented by the annual independent third-party penetration test referenced above;
  • Secure development lifecycle (SDLC) including code review, dependency scanning, security testing in CI, and pre-release security review.

6. Logging and monitoring

  • Application access logs and security-relevant audit logs are retained for at least 90 days, with longer retention for specific categories of logs as required by law or by Fiskl’s internal investigation and audit needs;
  • Cloud-environment access and administrative actions are logged through cloud-provider audit mechanisms (AWS CloudTrail and equivalents);
  • Continuous monitoring with alerting on anomalous activity, with documented triage procedures.

7. Personnel

  • Background checks where lawful in the relevant jurisdiction;
  • Confidentiality obligations in employment and contractor contracts;
  • Mandatory information-security and data-protection training, refreshed at least annually;
  • Defined onboarding and offboarding procedures, including timely revocation of access on departure.

8. Sub-processor management

  • Documented vendor due diligence prior to engagement;
  • Written data-protection terms with each Sub-processor;
  • Periodic review of Sub-processors;
  • Current list at https://fiskl.com/legal/fiskl-subprocessors/.

9. Incident detection and response

  • Monitoring and alerting on production systems;
  • Documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review;
  • Personal Data Breach notification procedures aligned with Section 9 of this DPA.

10. AI processing measures

  • AI Providers contractually prohibited from training their general-purpose models on Customer Personal Data;
  • AI Providers contractually prohibited from retaining Customer Personal Data beyond the period necessary to deliver the contracted service;
  • Special Categories of Personal Data excluded by default from AI training and Data Products;
  • Customer opt-out available where required by Applicable Data Protection Law (or via dpo@fiskl.com pending in-Service control deployment).

11. Audit and compliance

  • Periodic internal compliance reviews and risk assessments;
  • SOC 2 Type II: targeted by end of Q4 2026, available to qualifying customers under non-disclosure once issued;
  • ISO 27001: pursued in parallel;
  • Other third-party attestations available on request as obtained.

12. Data minimisation and retention

  • Customer Personal Data is retained only for the period necessary to provide the Fiskl Platforms or as required by law;
  • Customer-controlled retention configuration is available within the Fiskl Platforms for certain data categories;
  • Aggregated Data is not Customer Personal Data and is governed by section 4.5 of the Customer Terms of Service.

Annex III — Sub-processors

Annex III is incorporated by reference from the Subprocessors page, which is the authoritative current list:

https://fiskl.com/legal/fiskl-subprocessors/

The Subprocessors page sets out the name, processing activities, location, and any relevant data residency notes for each Sub-processor.

Annex IV — EU SCCs and UK IDTA elections

This Annex sets out the elections required under the EU SCCs and UK IDTA where they apply to Restricted Transfers under this DPA.

Annex IV.A — EU SCCs Module elections

| Item | Election |
|---|---|
| Module applicable | Module 2 (Controller to Processor) where the Customer is the Controller; Module 3 (Processor to Sub-processor) where the Customer is itself a Processor |
| Clause 7 (Docking clause) | Optional clause not adopted |
| Clause 9(a) (Use of Sub-processors) | Option 2: General written authorisation, with at least 30 days’ notice for changes |
| Clause 11 (Redress) | Option not adopted (independent dispute resolution body not designated) |
| Clause 17 (Governing law) | The law of the Republic of Ireland |
| Clause 18 (Choice of forum and jurisdiction) | The courts of Ireland |
| Annex I.A (Parties) | As set out in Annex I.A above |
| Annex I.B (Description of transfer) | As set out in Annex I.B above |
| Annex I.C (Competent supervisory authority) | As set out in Annex I.C above |
| Annex II (TOMs) | As set out in Annex II above |
| Annex III (Sub-processors) | As set out in Annex III above |

Annex IV.B — UK IDTA / UK Addendum elections

The UK Addendum to the EU SCCs is used. Tables of the Addendum are completed as follows:

| Table | Election |
|---|---|
| Table 1 (Parties) | As set out in Annex I.A above |
| Table 2 (Selected SCCs, Modules and selected clauses) | EU SCCs as elected in Annex IV.A |
| Table 3 (Appendix Information) | Annex I.B, Annex I.C, Annex II, Annex III above |
| Table 4 (Ending the Addendum when the Approved Addendum changes) | Either party may end the Addendum where the ICO publishes an updated approved Addendum that materially changes obligations |

Annex IV.C — Other jurisdictions

For Restricted Transfers governed by Applicable Data Protection Law of jurisdictions other than the EEA, UK, and Switzerland, the Parties will execute, or are deemed to have executed, the standard contractual clauses, model clauses, or equivalent mechanism applicable in the source jurisdiction, with the elections in this Annex IV applied by analogy.

Signature (where a counter-signed copy is required)

Where a Customer requires a counter-signed copy of this DPA, Fiskl will provide one on request. The counter-signed copy mirrors the published version effective on the date of signature.

For Fiskl Limited:

Name: ___________________________

Title: ___________________________

Date: ___________________________

Signature: ___________________________

For the Customer:

Name: ___________________________

Title: ___________________________

Customer Entity: ___________________________

Date: ___________________________

Signature: ___________________________

 

Effective: 15 March 2026

Copyright © 2026 Fiskl Limited · Fiskl Limited is registered in England and Wales (No. 09330290). All rights reserved.
