Effective Date: June 11, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Fuser Technologies, Inc. ("Fuser") and the customer identified in the applicable order, subscription, or Terms of Service ("Customer") covering Customer's use of the Service (the "Agreement"). This DPA applies where and to the extent Fuser processes Personal Data on behalf of Customer in connection with the Service. Organizations on Team and Enterprise plans may execute this DPA by emailing legal@fuser.studio; for such customers it is incorporated into the Agreement upon execution.

1. Definitions

"Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss FADP, and applicable US state privacy laws (including the CCPA/CPRA).
"Personal Data" means any information relating to an identified or identifiable natural person that Fuser processes on behalf of Customer in connection with the Service.
"Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR; "Business," "Service Provider," "Sell," and "Share" have the meanings given in the CCPA.
"Sub-processor" means a third party engaged by Fuser to process Personal Data on Customer's behalf.
"SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914, and "UK Addendum" means the UK Information Commissioner's International Data Transfer Addendum to the SCCs.

2. Roles & Scope

Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Fuser is the Processor of Personal Data processed through the Service on Customer's behalf. Fuser acts as an independent Controller for limited purposes described in the Privacy Policy (e.g., billing, account administration, service security and improvement); such processing is outside the scope of this DPA. The subject matter, duration, nature, and purpose of processing, and the categories of Personal Data and Data Subjects, are described in Annex A.

3. Customer Instructions

Fuser will process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Fuser will inform Customer before processing, unless the law prohibits it). The Agreement, this DPA, and Customer's use and configuration of the Service constitute Customer's complete documented instructions. Fuser will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality & Personnel

Fuser ensures that persons authorized to process Personal Data are bound by contractual or statutory obligations of confidentiality, and limits access to personnel who need it to perform under the Agreement.

5. No Training; No Sale

Fuser will not use Personal Data or Customer content to train AI models, and will not permit its Sub-processors to do so. Fuser will not Sell or Share Personal Data, will not retain, use, or disclose it for any purpose other than providing the Service (including any commercial purpose other than the business purposes specified in the Agreement), and will not combine it with personal information from other sources except as permitted for Service Providers under the CCPA. Fuser certifies that it understands and will comply with the restrictions in this Section.

6. Security

Fuser implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex B. Fuser may update these measures from time to time, provided the updates do not materially reduce the overall security of the Service.

7. Sub-processors

Customer provides general authorization for Fuser to engage the Sub-processors listed on the Sub-Processors page. Fuser will: (a) impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA; (b) remain liable for its Sub-processors' performance; (c) update the Sub-Processors page at least 14 days before a new Sub-processor processes Personal Data (or as soon as reasonably possible for emergency replacements) and notify subscribed customers; and (d) permit Customer to object on reasonable data-protection grounds within 14 days of notice. If the parties cannot resolve an objection in good faith, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees.

AI model providers listed as "optional" on the Sub-Processors page process Personal Data only when Customer or its users invoke the corresponding model, and Customer controls such invocation.

8. Data Subject Requests

Taking into account the nature of the processing, Fuser will assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). If Fuser receives a request directly from a Data Subject relating to Customer's data, Fuser will direct the Data Subject to Customer and will not respond substantively except as required by law.

9. Assistance & Notifications

Fuser will, taking into account the nature of processing and the information available to it, assist Customer in complying with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation under Articles 32–36 GDPR. Fuser will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer's Personal Data, and will provide information reasonably required for Customer to meet its own notification obligations, updated as it becomes available.

10. Audits

Fuser will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including responses to security questionnaires and summaries of third-party assessments. No more than once per year (except following a Personal Data breach or where required by a Supervisory Authority), Customer may conduct an audit, which Fuser may satisfy by providing such documentation; where Data Protection Laws require an on-site inspection, the parties will agree in advance on scope, timing, confidentiality, and reasonable costs.

11. International Transfers

Where Personal Data protected by the GDPR, UK GDPR, or Swiss FADP is transferred to Fuser in the United States or onward to a Sub-processor in a country without an adequacy decision, the parties rely on the SCCs, which are incorporated into this DPA as follows: Module Two (Controller → Processor) or Module Three (Processor → Processor) applies as appropriate; Clause 7 (docking) is included; Clause 9 Option 2 (general authorization, 14 days) applies; Clause 11 optional language is omitted; Clauses 17 and 18 select Irish law and the courts of Ireland; the Annexes to the SCCs are populated by Annex A and Annex B of this DPA. For UK transfers, the UK Addendum applies with the same information; for Swiss transfers, the SCCs apply as adapted by the FDPIC's requirements.

12. Return & Deletion

Upon termination or expiry of the Agreement, Fuser will, at Customer's choice, delete or return all Personal Data processed on Customer's behalf, and delete existing copies, unless applicable law requires retention. Customer may export content through the Service's export features at any time, and for 30 days following termination as described in the Terms of Service. Deletion from backups occurs in the ordinary course of backup rotation.

13. Liability & Order of Precedence

Each party's liability under this DPA is subject to the limitations of liability in the Agreement, except where prohibited by Data Protection Laws. In case of conflict, the order of precedence is: the SCCs (where they apply), this DPA, then the Agreement. This DPA is governed by the law governing the Agreement, except where the SCCs require otherwise.

Annex A — Description of Processing

Subject matter and duration: Processing of Personal Data submitted to the Service by or on behalf of Customer, for the duration of the Agreement plus the deletion period described in Section 12.

Nature and purpose: Hosting, storage, transmission, display, AI-assisted generation and transformation, collaboration, and related support — i.e., providing the Service described in the Agreement.

Categories of Data Subjects: Customer's authorized users (employees, contractors, collaborators); individuals appearing in or identifiable from content Customer submits to the Service.

Categories of Personal Data: Account and profile data of users (name, email, username); content and metadata Customer submits, which may contain Personal Data at Customer's discretion (including images, audio, and video of individuals); usage and device data tied to users.

Sensitive data: Not intended to be submitted; Customer is responsible for not submitting special-category data unless Customer has established a lawful basis.

Frequency: Continuous, for the duration of the Agreement.

Data exporter / importer (for SCC purposes): Customer (exporter, Controller or Processor) / Fuser Technologies, Inc. (importer, Processor). Contact: legal@fuser.studio. Competent supervisory authority: determined per Clause 13 SCCs.

Annex B — Technical & Organizational Measures

Encryption: TLS for data in transit; encryption at rest on Fuser's infrastructure providers.
Access control: Role-based access; access to customer content restricted to personnel with an operational need, under confidentiality obligations; administrative access protected by SSO/MFA.
Tenant isolation: Logical separation of customer data; project-level and organization-level permission models enforced server-side.
Infrastructure: Hosted on enterprise cloud providers (see Sub-Processors) with independent security programs and certifications.
Monitoring: Centralized logging, error tracking, and anomaly monitoring; audit trails for administrative actions.
Resilience: Automated backups with rotation; disaster-recovery procedures on multi-region cloud infrastructure.
Development: Code review for changes; version-controlled legal and configuration changes; dependency and vulnerability management.
Incident response: Documented procedures for triage, containment, notification (Section 9), and post-incident review.
Personnel: Confidentiality obligations for all staff; security awareness as part of onboarding.
Sub-processor management: Contractual flow-down of data-protection obligations; periodic review of the Sub-processor list.