Data Processing Agreement

Last updated on June 1st, 2026

Introduction

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Fast.io Terms of Service (the "Agreement") between Fast Technologies ("Fast", "we", "us", or "our") and you ("Customer", "you", or "your"), and governs the processing of personal data by Fast on behalf of the Customer. This DPA applies to the extent that Fast processes personal data subject to applicable data protection laws, including the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable privacy regulations. This DPA applies to every Customer on whose behalf Fast processes Personal Data, on all plans. By accessing or using the Services, the Customer accepts this DPA, and no physical or electronic signature is required to make this DPA legally binding.

Acceptance & Eligibility:

This DPA is incorporated by reference into the Fast.io Terms of Service and applies automatically to every Customer on whose behalf Fast processes Personal Data, on all plans. By accessing or using the Services, the Customer accepts this DPA; no physical or electronic signature is required to make it binding, and the Standard Contractual Clauses apply automatically where relevant. Custom, manually executed (signed) copies of this DPA, and completion of the SCC Annexes with company-specific details, are available only to customers on Fast's Business plan; Enterprise customers are covered by their Enterprise Agreement. To request a signed copy, upgrade to a Business plan, or contact sales@fast.io about Enterprise terms.

Which means:

This agreement explains how we handle your data when we process it on your behalf, especially for GDPR and CCPA compliance. If you're a business using Fast.io, this is how we protect your customers' data.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Fast on behalf of the Customer through the Services.
  • "Data Controller" means the Customer, who determines the purposes and means of processing Personal Data.
  • "Data Processor" means Fast, who processes Personal Data on behalf of the Data Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by Fast to process Personal Data on behalf of the Customer.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Services" means the Fast platform, APIs, MCP servers, desktop applications, and any other products or services provided by Fast.

2. Scope and Purpose of Processing

Fast processes Personal Data solely for the purpose of providing the Services as described in the Agreement, including:

  • File storage, synchronization, and sharing services
  • Desktop application synchronization (macOS, Windows, Linux)
  • Programmatic access via APIs and MCP servers
  • Agent Account operations and automated workflows
  • Account management and authentication
  • Customer support and communication
  • Service improvement, analytics, and abuse prevention
  • Billing and subscription management

The types of Personal Data processed may include: names, email addresses, IP addresses, device identifiers, file metadata, usage logs, and any Personal Data contained within Content uploaded by the Customer or its users. Data Subjects may include: Customer employees, contractors, customers, and any individuals whose data is stored or processed through the Services.

Which means:

We only use personal data to provide our services to you—storing files, syncing across devices, handling API requests, and keeping things running smoothly.

3. Obligations of Fast as Data Processor

Fast agrees to:

  • Process Personal Data only on documented instructions from the Customer, unless required by applicable law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 5
  • Assist the Customer in responding to Data Subject requests to exercise their rights under applicable law
  • Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return Personal Data upon termination of the Agreement, unless retention is required by law
  • Make available information necessary to demonstrate compliance with this DPA
  • Notify the Customer promptly if Fast believes an instruction violates applicable data protection law
  • Maintain records of processing activities as required by Article 30 of the GDPR

Which means:

We follow your instructions, keep data confidential, maintain security, help you respond to user requests, and delete data when you're done with our services.

4. Obligations of the Customer as Data Controller

The Customer agrees to:

  • Ensure that the processing of Personal Data through the Services has a valid legal basis
  • Provide clear and documented instructions to Fast regarding the processing of Personal Data
  • Ensure that Data Subjects have been informed of and have consented to the processing of their data where required
  • Comply with all applicable data protection laws in the collection and use of Personal Data
  • Maintain appropriate security measures for any devices, Agent Accounts, or programmatic access used to interact with the Services
  • Notify Fast promptly of any changes to processing instructions or any Data Subject requests received directly

Which means:

You're responsible for making sure you have the right to upload the data you share with us and that you've gotten proper consent from your users.

5. Security Measures

Fast operates its own SOC 2 Type II and ISO 27001 compliant datacenters in addition to utilizing third-party cloud infrastructure. Fast implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • SOC 2 Type II and ISO 27001 certified infrastructure
  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Access controls and authentication mechanisms, including support for two-factor authentication
  • Regular security assessments and vulnerability testing
  • Employee security training and confidentiality agreements
  • Intrusion detection and monitoring systems
  • Secure software development practices
  • Physical security measures for data center facilities
  • Business continuity and disaster recovery procedures
  • API rate limiting and automated abuse detection for programmatic access and Agent Accounts

Which means:

We use industry-standard encryption, access controls, monitoring, and security practices to keep data safe.

6. Sub-processors

The Customer authorizes Fast to engage Sub-processors to assist in providing the Services. Fast maintains a current list of Sub-processors at fast.io/legal/subprocessors, which is incorporated into and forms part of this DPA. Fast ensures that Sub-processors are bound by data protection obligations no less protective than those in this DPA, and Fast remains liable to the Customer for the performance of each Sub-processor's data protection obligations as required by Article 28(4) of the GDPR.

Important: Fast does not transmit Customer files or file metadata to third-party Sub-processors, except as follows: (a) Customer Content is stored on Fast-operated infrastructure and Google Cloud Platform, and is carried in transit over Cloudflare's content-delivery and edge network (which may process connection data such as URLs, headers, and object identifiers to route and secure traffic); (b) when the Customer uses AI Services features, relevant Content may be transmitted to Google Vertex AI, Google Gemini AI, and/or Anthropic for processing; and (c) when the Customer uses file conversion features, relevant Content may be transmitted to CloudConvert (Lunaweb GmbH) for processing. Other Sub-processors (such as analytics, payment, and monitoring services) receive only operational data necessary for their specific function and are not provided access to Customer files; limited file metadata may, however, incidentally appear in operational logs, error reports, or support communications. Fast may engage additional processors for similar operational purposes, provided they meet the same data protection standards.

Fast reserves the right to add or change Sub-processors as the Services evolve. Fast will update the Sub-processor list at fast.io/legal/subprocessors and will notify affected Customers by email at least 30 days before a new Sub-processor begins processing Personal Data. The Customer may object to the appointment of a new Sub-processor on reasonable data protection grounds by providing written notice within the 30-day period. Fast will work with the Customer in good faith to address the objection; if the objection cannot be resolved and Fast elects to proceed with the Sub-processor, the Customer may, as its remedy, discontinue use of and terminate the affected Services and receive a pro-rata refund of any prepaid fees for the terminated portion of the then-current subscription term. This does not limit any non-waivable statutory right or remedy available to the Customer or a Data Subject under applicable data protection law, including under the Standard Contractual Clauses.

Customer-Connected Services: The Services allow the Customer to connect, or to direct Fast to connect to, third-party services and tools chosen by the Customer—including MCP (Model Context Protocol) servers, integrations, connectors, and other external tools. When the Customer enables such a connection, the Customer instructs and authorizes Fast to transmit the relevant Content and Personal Data to that third-party service so that it can perform the function the Customer requested. These customer-connected services are not Fast Sub-processors; they operate under the Customer's own relationship with, and the terms of, the relevant third party. The Customer is solely responsible for these connections, including the data protection practices of the connected service and having a lawful basis for the transfer, and the Customer controls and may disable them at any time.

Which means:

We use trusted partners to help run our service, and we keep the full, current list on a dedicated page. We'll update it and email affected customers at least 30 days before adding a new one. If you're not comfortable with a new vendor, your option is to stop using the affected Services. Anything you choose to connect yourself—like an MCP server or integration—is your call: if you connect it, we'll send data to it because you asked us to.

7. Data Subject Rights

Fast will assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, data portability, and objection. If Fast receives a request directly from a Data Subject, Fast will promptly notify the Customer unless prohibited by law. The Customer is responsible for responding to such requests, and Fast will provide reasonable assistance as needed.

Which means:

If someone wants to access, correct, or delete their data, we'll help you handle that request.

8. Data Breach Notification

Fast will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach. Fast will cooperate with the Customer and provide reasonable assistance in investigating and remediating the breach.

Which means:

If there's ever a data breach affecting your data, we'll tell you within 72 hours and work with you to fix it.

9. Audit Rights

Upon reasonable written request and subject to confidentiality obligations, Fast will make available to the Customer information necessary to demonstrate compliance with this DPA. The Customer may conduct an audit, or engage a third-party auditor, no more than once per year, with at least 30 days' advance notice. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to Fast's operations. The Customer shall bear the costs of any audit unless the audit reveals material non-compliance by Fast.

Which means:

You can audit our data protection practices once a year with advance notice. We'll cooperate and provide the information you need.

10. International Data Transfers

Fast stores and processes data primarily in the United States. For transfers of Personal Data from the European Economic Area (EEA) to the United States or other countries not recognized as providing adequate data protection, Fast relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision 2021/914). For transfers from the United Kingdom, Fast relies on the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA) as appropriate. For transfers from Switzerland, Fast relies on the Swiss-approved SCCs or equivalent mechanisms. Where applicable, the Standard Contractual Clauses apply automatically to the transfers described above, with no signature required. Customers requiring custom, manually executed copies of this DPA and the SCCs — including completion of the SCC Annexes with company-specific details — must maintain an eligible Business-tier subscription; upon such a request from a Business-plan customer, Fast will execute the applicable Standard Contractual Clauses with the Customer.

Which means:

Our servers are in the US. If you're in Europe or the UK, we use approved legal mechanisms to transfer data lawfully.

11. Desktop Applications and Programmatic Access

This DPA applies to all methods of accessing the Services, including through our desktop applications for macOS, Windows, and Linux, as well as programmatic access via APIs, MCP (Model Context Protocol) servers, SDKs, and Agent Accounts. The Customer acknowledges that:

  • Desktop applications store authentication credentials and cache data locally on user devices; the Customer is responsible for the security of those devices
  • Programmatic access and Agent Accounts may process Personal Data automatically; the Customer remains the Data Controller for all such processing
  • Fast monitors programmatic access for security and abuse prevention, which may involve automated analysis of access patterns
  • Agent Account activity is attributable to the Customer, and the Customer is responsible for ensuring agents comply with applicable data protection law

Which means:

Whether you use our desktop app, API, or connect through agents, this agreement covers all of it. You're responsible for securing your devices and making sure your bots follow the rules.

12. Term and Termination

This DPA remains in effect for the duration of Fast's processing of Personal Data on behalf of the Customer. Upon termination of the Agreement, Fast will, at the Customer's choice, delete or return all Personal Data within 90 days, unless retention is required by applicable law. Fast may retain anonymized or aggregated data that does not identify individuals. Provisions of this DPA that by their nature should survive termination (including confidentiality, limitation of liability, and indemnification) will survive.

Which means:

This agreement lasts as long as we process your data. When you leave, we'll delete or return your data within 90 days.

13. Modifications

Fast may update this DPA from time to time to reflect changes in data protection law or our practices. Significant changes will be communicated to the Customer via email or through a prominent notice on our website at least 30 days before they become effective. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.

14. Governing Law and Disputes

This DPA is governed by, and disputes arising out of or relating to it are resolved under, the governing-law and dispute-resolution provisions of the Fast.io Terms of Service — currently the substantive law of the State of Texas and final, binding arbitration seated in Houston, Harris County, Texas. However, where the Standard Contractual Clauses, the UK Addendum to the EU SCCs, or the Swiss-approved SCCs apply, the governing-law and jurisdiction provisions of those clauses control for the relevant data transfers and for the rights of Data Subjects. Nothing in this DPA or the Terms of Service limits or waives any non-waivable statutory right or remedy a Data Subject has under applicable data protection law, including the right to lodge a complaint with a supervisory authority or to bring proceedings in the Data Subject's country of habitual residence.

Which means:

Commercial disputes follow our Terms of Service (Texas law, arbitration in Houston). But if you're in the EU, UK, or Switzerland, your data protection rights are handled under the Standard Contractual Clauses in your local courts—we don't take those rights away.

15. CCPA/CPRA Service Provider Terms

To the extent Fast processes Personal Information subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), Fast acts as a "service provider" and not as a "third party," and Fast:

  • will not sell or share Personal Information, as those terms are defined under the CCPA;
  • will not retain, use, or disclose Personal Information for any purpose other than the business purpose of providing the Services specified in the Agreement, or as otherwise permitted by the CCPA;
  • will not retain, use, or disclose Personal Information outside the direct business relationship between Fast and the Customer;
  • will not combine Personal Information received from the Customer with personal information from other sources, except as permitted by the CCPA;
  • will provide the same level of privacy protection as is required of businesses under the CCPA;
  • will notify the Customer if Fast determines it can no longer meet its obligations under the CCPA; and
  • grants the Customer the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

Fast certifies that it understands and will comply with these restrictions. Sub-processors that Fast engages to process Personal Information are bound by equivalent service-provider or contractor obligations.

Which means:

For California, we act as your service provider: we don't sell or share your data, we only use it to run the Services for you, and we hold our vendors to the same rules.

16. Privacy Contact

Fast has not appointed a Data Protection Officer as we do not meet the mandatory appointment thresholds under GDPR Article 37. However, for all data protection inquiries or questions about this DPA, please contact our privacy team at privacy@fast.io. Signed copies of this DPA and the Standard Contractual Clauses are available to customers on the Business plan; Enterprise customers should refer to their Enterprise Agreement.

Appendix A — Standard Contractual Clauses (Annexes)

Where the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) apply to transfers of Personal Data under this DPA, the following completes their Annexes by reference. The UK Addendum and the Swiss-approved SCCs apply the same information with the jurisdiction-specific substitutions described in Section 10.

  • Annex I.A — List of Parties. Data exporter: the Customer (and its authorized affiliates and users), acting as controller. Data importer: Fast Technologies, acting as processor. Acceptance of the Agreement and this DPA constitutes signature; the parties' activity and billing contacts are those associated with the Customer's account, and Fast's contact is privacy@fast.io.
  • Annex I.B — Description of Transfer. The categories of Data Subjects and Personal Data, and the nature, purpose, and duration of processing, are as described in Section 2 (Scope and Purpose of Processing) and Section 12 (Term and Termination). Transfers are continuous for the duration of the Services. Sub-processors are listed at fast.io/legal/subprocessors.
  • Annex I.C — Competent Supervisory Authority. The supervisory authority of the EU/EEA member state in which the data exporter (or its EU representative) is established, or as otherwise determined under Clause 13 of the SCCs.
  • Annex II — Technical and Organizational Measures. The measures described in Section 5 (Security Measures) apply as the technical and organizational measures under the SCCs.
  • Annex III — List of Sub-processors. The Customer authorizes the Sub-processors listed at fast.io/legal/subprocessors, as updated in accordance with Section 6.

For questions about this DPA, contact us at privacy@fast.io. Signed copies are available to Business-plan customers.