Data Processing Agreement

Effective as of January 21, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service ("Terms") entered into by the Customer under an Order Form (the “Agreement”) between Strapi, Inc. (“Strapi,” “we,” “us,”) and the Customer (“you”).

This DPA applies where and to the extent that we are acting as a processor of Customer Personal Data on your behalf under the Terms.

WHEREAS

(A) You act as a Data Controller.

(B) You wish to subcontract certain Services, which imply the processing of personal data, to us.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

Capitalized terms used in this DPA shall have the meaning assigned to them in the Terms. In addition to the definitions under the Terms, the below terms shall have the following meaning:

  1. “Customer” means the Customer defined in the Agreement.
  2. “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on your behalf pursuant to or in connection with the Terms.
  3. “Contracted Processor” means a Subprocessor.
  4. “Data Protection Laws” means all applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including EU Data Protection Laws.
  5. “DPA” means this Data Processing Agreement and the appendices attached hereto (as amended from time to time in accordance herewith).
  6. “EEA” means the European Economic Area.
  7. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
  8. “GDPR” means EU General Data Protection Regulation 2016/679.
  9. “Data Transfer” means (a) a transfer of Customer Personal Data from you to a Contracted Processor; or (b) an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
  10. “Subprocessor” means any person appointed by or on our behalf to process Personal Data on your behalf in connection with the Terms.
  11. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data

  1. You shall:
    1. ensure that any and all information or data, including without limitation Customer Personal Data, is collected, processed, transferred, and used in full compliance with Data Protection Laws;
    2. be solely responsible for ensuring that you have obtained all necessary authorizations and consents from any Data Subjects to Process Customer Personal Data and in particular any consents needed to meet the cookie requirements in the ePrivacy Directive 2002/58/EC and any associated national legislation;
    3. instruct us to process Customer Personal Data.
  2. We shall:
    1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
    2. not Process Customer Personal Data other than on your relevant documented instructions unless required to do otherwise by applicable law. In such a case, we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. You acknowledge that as part of the processing instructions, we may aggregate, anonymize, extract and combine or otherwise deidentify information resulting from your use of the licensed materials and services for product improvement, benchmarking, and the development of new products;
  3. Compliance: Both Parties shall comply with all applicable Data Protection Laws in the performance of this DPA.

3. Our Personnel

We shall take reasonable steps to ensure the reliability of any personnel who may have access to the Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

  1. In connection with the processing of personal data hereunder we shall provide for and maintain appropriate administrative, physical, technical and organizational security measures for such processing, which are intended to protect personal data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the processing, as outlined on our Security Page: https://trust.strapi.io/.

5. Subprocessing

  1. We shall inform you of any intended changes concerning the addition or replacement of other processors through updating the sub-processor list available at https://www.notion.so/strapi/2cd8f35980748062a46efcc46113795d?v=2cd8f3598074805691df000cfc566676 (the "Sub-processor List"). This list is updated at least annually.
  2. We may continue to use those Subprocessors already engaged by us as of the date of this DPA.
  3. In the event that you do not wish to consent to the use of a new Subprocessor, you may notify us within twenty (20) business days of us notifying you, that you do not consent on reasonable grounds relating to the protection of Personal Data by contacting legal@fimo.io.
  4. In such cases, you and we shall work together in good faith to find a mutually acceptable resolution to address such objections. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, you may, as your sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to us and receive a refund of any prepaid fees under the Agreement.
  5. Where we engage another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract.

6. Data Subject Rights

  1. Taking into account the nature of the Processing, we shall assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
  2. We shall:
    1. notify you if we receive a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
    2. ensure that we do not respond to that request except on your documented instructions or as required by Applicable Laws to which we are subject.

7. Data Breach Notification

  1. We shall notify you without undue delay after confirming a data breach that constitutes a Personal Data Breach under this DPA and/or Applicable Data Protection Laws, in connection with the processing of Customer Personal Data under this DPA.
    1. We shall investigate the personal data breach and take reasonable measures to identify its root cause(s), where such breach is caused by us or a Sub-processor;
    2. As information is collected or otherwise becomes available, to the extent legally permitted, we shall provide you with a description of the Personal Data Breach, the type of data to which the Personal Data Breach relates, and other information you may reasonably request concerning the affected data subject(s) where such information is available to us; and,
    3. We will provide you with reports as follow-up to the notice, on a timely basis, and as reasonably requested by you.
  2. Our notification of or response to a Personal Data Breach shall not be construed as our acknowledgement of any fault or liability with respect to the Personal Data Breach.
  3. If you determine to notify any governmental entity, Data Subject(s), the public or others of a Personal Data Breach, to the extent such notice directly or indirectly refers to or identifies us, where permitted by Applicable Data Protection Laws, you agree to:
    1. Notify us in writing in advance; and
    2. In good faith, consult with us and consider any clarifications or corrections we may reasonably recommend or request to any such notification, which: (i) relate to our involvement in or relevance to such Personal Data Breach; and (ii) are consistent with Applicable Data Protection Laws.
    3. We may delay notice to you if a competent law-enforcement agency determines that immediate disclosure would impede a criminal investigation, provided we notify you as soon as the restriction is lifted.
    4. The obligations set out above will not apply, to the extent that the personal data breach is caused by you, your Affiliate or anyone acting on your behalf, save that we will inform you of the personal data breach and provide information we discover up to the stage at which we identify that the breach is caused by you, your Affiliate or anyone acting on your behalf. We may charge you for any assistance that you may request when a personal data breach is attributable to or caused by you.

8. Deletion or return of Customer Personal Data

  1. Following a written request from you, we shall promptly and in any event within 30 business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data unless applicable laws require storage of such Customer Personal Data.

9. Data Transfer

  1. You acknowledge that we will process the Personal Data outside of the Protected Area, including in the USA.
  2. If personal data processed under the Terms is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.

10. General Terms

  1. Confidentiality. Each Party must keep the Agreement and information it receives about the other Party and its business in connection with the Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
  2. Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out as the contact in the Terms, or at such other address as notified from time to time by the Party changing its address.
  3. Amendments. Any amendments to this DPA shall be in writing and signed by duly authorized representatives of both Parties.

11. Governing Law and Jurisdiction

  1. This DPA, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of the Terms.

12. Miscellaneous

  1. In the event of inconsistencies between the provisions of this DPA and the Terms, the provisions of this DPA shall prevail.
  2. If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force, and the Parties shall replace the invalid provision with a valid one that most closely reflects the Parties' original intent.
  3. The Parties agree that this DPA constitutes the entire understanding between the Parties with respect to the subject matter hereof and supersedes all prior agreements or understandings, whether written or oral.

ANNEX I - Description of Processing

A. Processing Activities:

Subject matter of the processing
The personal data shall be processed in order to allow us to provide the Services.

Nature and purpose of the processing
EU Personal Data will be subject to those Processing operations described in the Terms.

Duration
For the duration of the Terms.

Categories of data subjects
Your representatives; representatives of partners; Services users and Services visitors, including without limitation recipients of files uploaded into the Services; and individuals referenced in files uploaded into the Services.

Categories of personal data processed
EU Personal Data relating to the category of data subjects described above. The EU Personal Data depends on the particular Services but could include: Name, email address, IP address, employer, address, telephone number, occupation, and position, and any EU Personal Data provided by you and Services users and Services visitors (including without limitation recipients of files uploaded into the Services) in connection with the Services, including Customer Personal Data contained within files uploaded into the Services.

Sensitive categories of personal data processed (if applicable):
The contents of the Personal Data are varied and under the data exporter’s control, but may, from time to time, depending on the particular Services, include sensitive data under the relevant Data Protection Laws.

B. List of Parties:

Data exporter:

  • Name: Your name, as defined in the Terms (on behalf of itself and Permitted Affiliates)
  • Address: Your address, as set out in the Order Form
  • Contact person's name, position and contact details: your contact details, as set out in the Order Form and/or as set out in your Fimo account
  • Signature and the date of signature: the date on which the Terms are accepted by the data exporter, including by electronic or click-through acceptance
  • Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with your use of the Services under the Terms of Service
  • Role: Controller

Data importer:

  • Name: Strapi, Inc.
  • Address: 548 Market St, PMB 60577, San Francisco, California 94104 USA
  • Contact person's name, position and contact details: Aurélien Georget, DPA, legal@fimo.io
  • Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with your use of the Services under the Terms of Service or the agreement entered into between the Controller and Processor.
  • Role: Processor

C. Description of Transfer

Categories of data subjects whose personal data is transferred:
See ‘A. Processing Activities’ above

Categories of personal data transferred:
See ‘A. Processing Activities’ above

Sensitive data transferred (if applicable) and applied restrictions or safeguards:
N/A; If sensitive data are transferred, see Annex C, Part B for applicable restrictions and safeguards

Frequency of transfer (e.g. whether on a one-off or continuous basis) (EU Standard Contractual Clauses only):
On a continuous basis.

Nature of the processing/ processing operations:
See ‘A. Processing Activities’ above.

Purpose(s) of the data transfer and further processing (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.

Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.

The subject matter, nature and duration of the processing (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.