Data processing agreement.

When FyreSpace Technologies processes personal data on your behalf as part of a delivered service, we operate as a data processor (or sub-processor) under a written Data Processing Agreement (DPA). The DPA supplements the master services agreement and governs the handling of personal data subject to the GDPR, UK GDPR, CCPA/CPRA, and similar privacy laws.

The DPA covers, at minimum:

• Categories of data, data subjects, and processing purposes.
• Confidentiality, access controls, and personnel obligations.
• Technical and organizational security measures aligned to ISO 27001 and SOC 2.
• Sub-processor list and notification of changes.
• Cross-border transfer mechanisms (Standard Contractual Clauses where required).
• Breach notification within 72 hours of awareness.
• Cooperation with data subject requests and regulator inquiries.
• Return or deletion of personal data on termination.

A current list of sub-processors used in delivering our services is available on request. We notify customers in advance of material changes to our sub-processor list and provide a reasonable window to object.

Where personal data is transferred outside the EEA, UK, or other jurisdictions requiring transfer mechanisms, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) where applicable, supplemented by our security measures.

Email hello@fyrespace.com to request our standard DPA. Include your company name, jurisdiction, and a brief description of the data we'll process. We typically return a counter-signed DPA within two business days.