Data Processing Addendum
Last updated May 1, 2026
MB One Corp (registration code 307480747)
Laisves pr. 60-1107, Vilnius, LT-05120, Lithuania
Contact: team@faindo.com
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", the controller) and MB One Corp ("Faindo", the processor) and governs the processing of personal data by Faindo on behalf of the Customer in connection with the Faindo platform.
Where Faindo processes personal data contained in Customer-provided inputs (e.g. named individuals referenced in prompts) on the Customer's behalf, Faindo acts as a processor and the Customer acts as the controller within the meaning of the GDPR.
1. Roles and scope
1.1 The Customer is the controller of any personal data it provides to the Service, including personal data embedded in brand names, prompts, or other inputs.
1.2 Faindo is the processor of that data and will process it only on documented instructions from the Customer, including those set out in this DPA and the main service agreement.
1.3 Details of the subject matter, duration, nature, and purpose of processing are set out in Annex I below.
2. Customer instructions
2.1 The Customer instructs Faindo to process personal data for the purpose of providing the Faindo platform as described in the service agreement.
2.2 Faindo will not process personal data for any other purpose without prior written authorisation from the Customer, except where required by applicable law, in which case Faindo will inform the Customer of that legal requirement before processing (unless prohibited by law).
3. Categories of data and data subjects
As described in Annex I. The primary categories of data subjects are: Customer employees and authorised users of the platform. Personal data within Customer-provided prompts may include names or identifiers of third parties referenced in buyer questions; Customer is responsible for ensuring such references comply with applicable data protection law.
4. Confidentiality of personnel
Faindo ensures that persons authorised to process personal data are subject to a binding confidentiality obligation and are only permitted to process personal data on a need-to-know basis.
5. Security measures
Faindo implements the technical and organisational security measures described in Annex II. These measures are designed to provide a level of security appropriate to the risk of the processing.
6. Subprocessors
6.1 The Customer grants Faindo general written authorisation to engage the subprocessors listed in Annex III.
6.2 Faindo will give the Customer at least 30 days' prior written notice (by email to the Customer's registered account address) before engaging a new subprocessor or making a material change to an existing subprocessor. The Customer may object to such change within 30 days of receiving notice; if the parties cannot resolve the objection, the Customer may terminate the service agreement on written notice.
6.3 Faindo ensures that subprocessors are bound by data processing agreements that impose data protection obligations equivalent to those in this DPA.
7. Data subject rights
Where Faindo receives a request directly from a data subject exercising their rights (access, rectification, erasure, portability, objection, restriction), Faindo will promptly forward the request to the Customer and will assist the Customer in responding to the request to the extent reasonably possible, taking into account the nature of the processing.
8. Personal data breach notification
8.1 Faindo will notify the Customer of a personal data breach affecting Customer data without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
8.2 The notification will include: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of personal data records concerned; (d) the likely consequences of the breach; (e) measures taken or proposed to address the breach.
8.3 If the information cannot all be provided at once, Faindo may provide it in phases.
9. International transfers
9.1 Faindo will only transfer personal data outside the EEA where appropriate safeguards exist, including:
- Standard Contractual Clauses (SCCs) under Commission Decision 2021/914 (Module 2: controller-to-processor), incorporated by reference into this DPA.
- An adequacy decision by the European Commission.
9.2 On request, Faindo will provide copies of the applicable SCCs and a list of third-country subprocessors.
10. Audit rights
10.1 Faindo will make available to the Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Customer or its designated auditor.
10.2 Audits will be conducted no more than once per year unless required by a supervisory authority, on reasonable written notice (at least 14 days), and in a manner that minimises disruption to Faindo's operations. The Customer bears the costs of any third-party auditor it engages.
10.3 Where available, Faindo may provide summary audit reports, SOC 2-style attestations, or equivalent certifications in lieu of or in addition to direct audit access.
11. Deletion and return of data
11.1 Upon termination or expiry of the service agreement, Faindo will, at the Customer's choice, delete or return all personal data (including copies held by subprocessors) within 30 days of the Customer's written request.
11.2 Faindo may retain personal data beyond this period only to the extent required by applicable law, in which case Faindo will notify the Customer and continue to protect it in accordance with this DPA.
12. Liability and governing law
12.1 The liability of each party under this DPA is subject to the limitations set out in the main service agreement.
12.2 This DPA is governed by the laws of the Republic of Lithuania. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the main service agreement.
Annex I — Subject matter and details of processing
| Field | Detail |
|---|---|
| Subject matter | Provision of the Faindo AI buying-conversation intelligence platform |
| Duration | For the term of the service agreement |
| Nature of processing | Storage, retrieval, analysis, and display of data inputs and AI model outputs |
| Purpose | Providing the features of the Faindo platform as contracted |
| Categories of personal data | Names and email addresses of authorised users; personal data optionally embedded in Customer-provided prompts (at Customer's discretion) |
| Categories of data subjects | Customer employees and authorised users; third parties named in Customer prompts |
Annex II — Technical and organisational security measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2 or higher on all connections |
| Encryption at rest | Provided by MongoDB Atlas and Cloudflare Workers (AES-256 or equivalent) |
| Access control | Least-privilege principle; production access restricted to authorised personnel; access audited |
| Authentication | Multi-factor authentication required for internal systems access |
| Logging and monitoring | Application and infrastructure logs retained for security monitoring; alerts on anomalous access patterns |
| Vulnerability management | Dependency scanning in CI/CD; responsible disclosure programme via team@faindo.com |
| Incident response | Defined internal process; 72-hour notification obligation for breaches affecting Customer data |
| Subprocessor assessment | Subprocessors reviewed for adequate security and contractual commitments before engagement |
Annex III — Approved subprocessors
| Subprocessor | Processing purpose | Location |
|---|---|---|
| Google LLC (Firebase) | Authentication and identity management | USA |
| MongoDB, Inc. (Atlas) | Primary database | USA (multi-region) |
| Cloudflare, Inc. | Edge hosting, CDN, TLS termination | USA (global edge) |
| Calendly, LLC | Demo scheduling | USA |
| PostHog, Inc. | Product analytics (consent-gated; user data only) | USA/EU |
| Google LLC (Google Analytics) | Web analytics (consent-gated) | USA |
| Meta Platforms, Inc. (Meta Pixel) | Marketing attribution (consent-gated) | USA |
| OpenAI, LLC | AI model queries | USA |
| Anthropic, PBC | AI model queries | USA |
| Google LLC (Gemini/Vertex AI) | AI model queries | USA |
| Perplexity AI, Inc. | AI model queries | USA |
| xAI Corp (Grok) | AI model queries | USA |
Changes to this list are notified per Section 6.2. The most current version is published at faindo.com/dpa.