ORIJIN LTD B.V.

    FOMOCHAT

    Data Processing Agreement

    This Data Processing Agreement ("DPA") forms part of the Terms of Use (the "Agreement") between FomoChat Labs Inc. ("Processor") and the service subscriber ("Controller"). Processor and Controller are together the "Parties."

    This DPA applies to Processor's Processing of Personal Data on behalf of Controller in connection with the Services.


    1. Definitions

    "Controller" means the entity that determines the purposes and means of Processing Personal Data.

    "Processor" means the entity that Processes Personal Data on behalf of the Controller.

    "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR.

    "Data Subject" means an identified or identifiable natural person.

    "GDPR" means Regulation (EU) 2016/679.

    "Personal Data" means any information relating to a Data Subject that is Processed under the Agreement.

    "Processing" means any operation performed on Personal Data, whether or not by automatic means.

    "Security Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Processor.

    "Sub-processor" means any entity engaged by Processor to Process Personal Data on behalf of Controller.


    2. Processing of Personal Data

    2.1 Instructions

    Processor shall Process Personal Data provided by Controller only in accordance with (a) Data Protection Laws and (b) Controller's documented instructions under the Agreement and this DPA.

    If Processor believes Controller's instructions conflict with Data Protection Laws, Processor shall inform Controller.

    2.2 Legal Requirements

    Processor may Process Personal Data where required by law. Processor shall inform Controller of the legal requirement before Processing unless prohibited by law.

    2.3 Scope and Priority

    This DPA applies where Processor Processes Personal Data on behalf of Controller. If there is a conflict between this DPA and the Agreement, this DPA controls with respect to privacy and data protection.

    An overview of Processing is provided in Appendix 1.


    3. Confidentiality

    Processor shall treat Personal Data as strictly confidential and shall ensure that its personnel and approved Sub-processors are bound by appropriate confidentiality obligations.


    4. Security

    4.1 Security Measures

    Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

    • ensuring Personal Data is accessible only by authorized personnel;
    • ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
    • the ability to restore availability and access to Personal Data in a timely manner after an incident;
    • regularly testing and evaluating the effectiveness of security measures;
    • identifying vulnerabilities and risks related to Processing.

    4.2 Audits

    On request, Processor shall provide reasonable information to demonstrate compliance with this DPA.

    Controller may audit Processor's compliance with this DPA (including through a qualified third party under confidentiality obligations) no more than once per 12-month period, with at least 30 days' prior written notice, and during normal business hours. Audits must not unreasonably interfere with Processor's operations and must be limited to information relevant to Controller's Processing.


    5. Contracting with Sub-processors

    5.1 Authorization

    Controller authorizes Processor to engage Sub-processors to Process Personal Data for:

    1. hosting and infrastructure;
    2. product features, integrations, analytics, communications, and AI processing; and
    3. support and service delivery.

    5.2 Flow-Down Obligations

    Processor shall ensure Sub-processors are bound by data protection obligations that are no less protective than those in this DPA, and Processor remains responsible for Sub-processors' performance.

    5.3 Sub-processor List and Objections

    Controller may request an up-to-date list of Sub-processors by emailing support@fomochat.com.

    Processor will provide Controller the opportunity to object to a new Sub-processor, on reasonable grounds relating to data protection, within 30 days of notice. The Parties will work in good faith to resolve the objection. If they cannot, Processor may, at its sole discretion, either not appoint the new Sub-processor or allow Controller to suspend or terminate the subscription in accordance with the Agreement (without liability to either Party, but without prejudice to fees incurred prior to suspension or termination).


    6. Assistance to Controller

    6.1 Data Subject Requests

    Processor shall assist Controller, taking into account the nature of Processing, by appropriate technical and organizational measures to help Controller respond to Data Subject rights requests.

    6.2 Regulatory Communications

    Processor shall assist Controller with reasonable requests related to supervisory authority inquiries, audits, or complaints concerning Processing under the Agreement. If Processor receives such an inquiry directly, Processor shall promptly inform Controller.

    6.3 DPIAs

    If Processor believes its Processing is likely to result in a high risk to Data Subjects' rights and freedoms, Processor shall promptly inform Controller and provide reasonable assistance to help Controller conduct a data protection impact assessment and consult a supervisory authority if required.

    6.4 Compliance Information

    Processor shall make available information reasonably necessary to demonstrate compliance with Processor's obligations under Data Protection Laws.


    7. Security Breach Management

    7.1 Notification

    Processor shall notify Controller without undue delay after becoming aware of a Security Breach and, where feasible, within 72 hours.

    Processor shall provide reasonable assistance to enable Controller to comply with breach notification obligations under Data Protection Laws.

    Processor shall take reasonable steps to remediate and mitigate the effects of the Security Breach and keep Controller reasonably informed.

    7.2 Incident Procedures

    Processor shall maintain written procedures to respond to Security Breaches.

    7.3 Content of Notice

    Breach notices will be delivered to Controller by email and will include, to the extent available:

    • a description of the nature of the Security Breach;
    • categories and approximate number of Data Subjects and records affected;
    • contact point for more information;
    • likely consequences; and
    • measures taken or proposed to address the breach.

    8. Deletion or Return of Personal Data

    Upon termination of the Agreement, or upon Controller's request, Processor shall delete or return Personal Data in accordance with the Agreement and applicable law. Processor may retain Personal Data where required by law or for legitimate purposes such as fraud prevention, security, and compliance, subject to appropriate safeguards.

    Processor shall take reasonable steps to ensure Sub-processors delete Personal Data in line with this DPA.


    9. International Transfers

    Processor may Process Personal Data in countries outside the EEA. Where Data Protection Laws restrict transfers, Processor will implement appropriate safeguards, such as Standard Contractual Clauses, to ensure lawful transfers.

    If a transfer mechanism becomes invalid, the Parties will cooperate in good faith to implement an alternative lawful mechanism.


    10. Duration and Termination

    Termination or expiration of this DPA does not discharge Processor's confidentiality obligations.

    Processor shall Process Personal Data until termination of the Agreement unless Controller instructs otherwise, or until Personal Data is deleted or returned as described in Section 8.


    Appendix 1 — Processing Details

    Categories of Data Subjects

    • Controller's account administrators and authorized users
    • End users / visitors who view or interact with Controller's embedded FomoChat widget
    • Prospects and website visitors (where Processor acts as Controller under its Privacy Notice)

    Types of Personal Data Processed

    Depending on Controller's configuration and use of the Services, Personal Data may include:

    • Name, email address, and other contact details
    • Account credentials (hashed passwords or equivalent authentication data)
    • Billing contact information and subscription metadata (payment card data is handled by the payment processor)
    • IP address, device and browser information, timestamps
    • Widget usage and analytics data
    • End user chat inputs and messages
    • AI-generated messages and responses shown in the widget
    • Cookie and similar identifier data

    Nature and Purpose of Processing

    • Provide, operate, and secure the Services
    • Configure and display embedded widgets
    • Generate chat content and AI responses as requested by the Services
    • Provide customer support
    • Monitor, prevent abuse, and enforce limits
    • Maintain logs and audit trails for security and reliability

    Duration of Processing

    For the term of the Agreement, and thereafter as needed for retention and deletion per Section 8.

    Security Safeguards

    Processor implements measures consistent with Section 4, including:

    • access controls and least-privilege access;
    • encryption in transit and, where appropriate, at rest;
    • vulnerability management and security monitoring;
    • incident response procedures;
    • regular review of security controls.

    Appendix 2 — Data Transfer Mechanisms

    Where required for cross-border transfers of Personal Data, Processor and relevant Sub-processors implement at least one lawful transfer mechanism, such as:

    • Standard Contractual Clauses; and/or
    • other lawful transfer mechanisms recognized under applicable Data Protection Laws.