Data Processing Agreement

1. Roles and scope

For personal data submitted by Customer to the Service (“Customer Personal Data”), the Customer is the Controller and KONNECTE is the Processor acting on documented instructions from the Customer. Where KONNECTE processes data as a Controller (e.g. account administration, billing, security logs), processing is governed by our Privacy Policy.

2. Subject-matter and duration

KONNECTE processes Customer Personal Data solely to provide the Service under the Terms. The duration of processing is the term of the Customer's subscription plus any retention period mandated by law.

3. Categories of data and data subjects

Data subjects:Customer's authorised users, their employees and business contacts, and any individuals referenced in Customer-uploaded content.

Categories of data: identification and contact data, professional data, workspace content, usage telemetry.

4. Sub-processors

Customer authorises KONNECTE to engage sub-processors, including hosting providers, AI-inference providers, payment processors, and email-delivery providers, subject to written contracts imposing data protection obligations no less stringent than those in this DPA. The current list is available on request at privacy@fiscaleyes.com. We will give Customer at least 15 days' prior notice of new or replacement sub-processors; if Customer reasonably objects on data protection grounds and no solution can be agreed, Customer's sole remedy is termination of the affected part of the Service under the Terms.

5. International transfers

Where KONNECTE transfers Customer Personal Data out of the UK or EEA, it will rely on recognised transfer mechanisms — Standard Contractual Clauses, the UK International Data Transfer Addendum or applicable adequacy decisions — and perform transfer impact assessments when required.

6. Security measures

KONNECTE implements and maintains appropriate technical and organisational measures, including: AES-256 encryption at rest, TLS 1.2+ in transit, role-based access, multi-factor authentication, audit logging, vulnerability management, least-privilege principles and SOC 2 Type II aligned controls.

7. Personnel and confidentiality

KONNECTE personnel with access to Customer Personal Data are bound by written confidentiality obligations and are trained on data protection at least annually.

8. Data-subject requests

KONNECTE will, taking into account the nature of the processing, reasonably assist Customer to fulfil its obligation to respond to requests from data subjects exercising their rights under applicable data-protection law. Where a request is addressed directly to KONNECTE, KONNECTE will promptly forward it to Customer unless prohibited by law.

9. Security incidents

KONNECTE will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach affecting Customer Personal Data, providing available information about the nature, likely consequences and mitigation of the incident.

10. Audits

KONNECTE will make available to Customer the information necessary to demonstrate compliance with this DPA, including independent audit reports. Customer may, on reasonable written notice and subject to confidentiality, request additional information or conduct an audit once per year, limited to the facilities, systems and documentation relevant to the processing of Customer Personal Data.

11. Deletion and return

Upon termination of the Service, KONNECTE will delete or return Customer Personal Data within 90 days, except to the extent retention is required by law. Customer can export workspace content via the Service's export functionality before deletion.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

13. Governing law

This DPA is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of London, England, save as required by mandatory EU supervisory-authority rules.