Talk to the real world with Factori MCP - Get Started Now

Data Processing Agreement

Last Updated: 1st June, 2026

This Data Processing Agreement (“DPA”/ “Agreement”) applies to the extent Factori Technologies Pte Ltd. (“Factori”) Processes Personal Data in connection with the Services it provides to its customers (“Customer(s)”). This DPA controls with respect to the subject matter of data protection. 

1. Definitions-
  • Applicable Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), other U.S. state privacy laws (including Virginia, Colorado, Connecticut, Utah, and successor or additional state laws as they take effect), Brazil’s Lei Geral de Proteção de Dados (“LGPD”), and any other data protection law applicable to a Party’s Processing of Personal Data.

  • Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing” (and “Process”), and “Special Category Data” have the meanings given in the GDPR, and the equivalent terms under other Applicable Data Protection Laws (e.g., “Business,” “Service Provider,” “Third Party,” “Consumer,” and “Sensitive Personal Information” under the CCPA) are construed accordingly.

  • Processing Role” means the designation of the Parties’ relationship with respect to specific Personal Data, as set out in Annex 1: either (a) “Independent Controllers”, where each Party Processes Personal Data for its own purposes, or (b) “Controller – Processor”, where Factori Processes Personal Data solely on behalf of and under the instructions of Customer.

  • Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission (Commission Implementing Decision (EU) 2021/914), and the UK International Data Transfer Addendum, as applicable.
2. Processing Roles-

This DPA is deliberately structured to cover both models under which the Factori licenses data. The Processing Role applicable to a given dataset, feed, or engagement is fixed in Annex 1 (or the relevant Order Form). Where an Order Form does not specify a Processing Role, the Independent Controller model in Section 3 applies by default, as this reflects Factori’s typical role in aggregating and licensing data products for Customer’s own purposes.

3. Mode A: Independent Controller-to-Controller Terms-
This Section 3 applies to Personal Data Processed under the Independent Controller Processing Role

3.1 Independent Processing

Each Party will independently determine the purposes and means of its Processing of Personal Data disclosed to it and will comply with its obligations as a Controller under Applicable Data Protection Laws with respect to that Processing. Neither Party is acting as a Processor, Service Provider, or contractor on behalf of the other Party, and this does not create a joint controller relationship unless expressly stated in an Order Form.

3.2 Lawful Basis and Notice

Factori represents that it has established and will maintain a lawful basis (such as consent, legitimate interests, or another basis recognized under Applicable Data Protection Laws) for its collection, licensing, and disclosure to Customer, and that it maintains a public privacy notice describing such practices consistent with Applicable Data Protection Laws. Customer(s) represent that it will independently establish and maintain a lawful basis for its own Processing of the data received, and will provide any notices or honor any choices required under Applicable Data Protection Laws with respect to its own use.
3.3 Restrictions on Use

Customer will not, and will not permit any third party to: (a) attempt to re-identify any individual from data provided on a de-identified, pseudonymized, or aggregated basis, except as expressly permitted; (b) combine Data with other data sources in a manner that creates Special Category Data or its equivalent (e.g., data revealing precise location tied to a place of worship, healthcare facility, or similar sensitive location) without an independent lawful basis for doing so; or (c) use Data to make decisions that produce legal or similarly significant effects concerning an individual without independent compliance with Applicable Data Protection Laws governing automated decision-making.
3.4 No Onward Sale Without Flow-Down

Where Customer further discloses or relicenses Data to its own customers or partners, customer will impose use, security, and data-subject-rights obligations on such recipients that are no less protective than those set out in this Section 3, and will remain responsible for such recipients’ compliance to the extent required by Applicable Data Protection Laws.
3.5 Data Subject Rights

Each Party is independently responsible for responding to requests from individuals or regulators concerning its own Processing. Where one Party receives a request that concerns data originally sourced from the other Party’s dataset, it will promptly forward the request to the other Party and reasonably cooperate, at the requesting Party’s expense for material costs, to enable a timely response.
4. Mode B: Controller – Processor Terms

This Section 4 applies to Personal Data Processed under the Controller – Processor Processing Role, and reflects the requirements of GDPR Article 28(3) and equivalent U.S. state “service provider” / “processor” contract terms.
4.1 Instructions

Factori will Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by law to which Factori is subject, in which case Factori will inform Customer of that legal requirement before Processing, unless prohibited from doing so. 

4.2 Purpose Limitation

Factori will Process Personal Data solely for the purpose of providing the Services and will not: (a) sell or share Personal Data as those terms are defined under the CCPA; (b) retain, use, or disclose Personal Data for any purpose other than performing the Services, including any commercial purpose other than performing the Services; or (c) combine Personal Data received from or on behalf of Customer with Personal Data received from other sources, except as necessary to perform the Services on Customer’s behalf or as otherwise permitted by Applicable Data Protection Laws.
4.3 Confidentiality

Factori will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.4 Security

Factori will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Annex 2 (Technical and Organizational Measures).

4.5 Assistance with Data Subject Rights

Taking into account the nature of the Processing, Factori will assist Customer, insofar as possible and through appropriate technical and organizational measures, in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws. Factori will promptly notify Customer if it receives a Data Subject request relating to Customer’s data and will not respond to such request except on Customer’s documented instructions.

4.6 Data Protection Impact Assessments

Factori will provide reasonably requested information to assist Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Laws and taking into account the nature of Processing and information available to Factori.

4.7 Personal Data Breach

Factori will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, after confirming a Personal Data Breach affecting Personal Data Processed on Customer’s behalf. Such notification will include, to the extent then known, the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach. Factori will cooperate with the Customer and take reasonable steps to mitigate and remediate the breach.

4.8 Deletion or Return

On termination or expiry of the Services, Factori will, at Customer’s election, delete or return all Personal Data Processed on Customer’s behalf, and delete existing copies, unless Applicable Data Protection Laws require continued storage, in which case Factori will isolate and protect the data from further Processing.
4.9 Audit Rights

Factori will make available to Customer information reasonably necessary to demonstrate compliance with this Section 4 and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, no more than once per year absent a Personal Data Breach or regulatory requirement, on reasonable notice and subject to confidentiality, and during normal business hours. Factori may satisfy this obligation by providing a recent third-party audit report (e.g., SOC 2 Type II) covering substantially similar controls.

4.10 U.S. State Law – Service Provider Terms

Where Factori Processes Personal Data as a “Service Provider,” “Processor,” or “Contractor” under the CCPA or other U.S. state privacy laws, Factori certifies that it understands these restrictions and will comply with them, including the restrictions in Section 4.2, and will not combine Personal Data received on Customer’s behalf with Personal Data received from other sources except as permitted under such laws.

5. International Data Transfers

Where Factori Processes Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland and transfers such Personal Data to a country not deemed to provide an adequate level of protection, the Parties will execute the applicable Standard Contractual Clauses (or, for UK transfers, the UK International Data Transfer Addendum to the EU SCCs), incorporated into this Agreement by reference and populated using the details in Annex 1. For transfers under the Independent Controller model (Section 3), Module One (Controller to Controller) applies; for transfers under the Processor model (Section 4), Module Two (Controller to Processor) applies. Where Factori further engages Sub-processors located outside the EEA/UK, Module Three (Processor to Sub-Processor) applies as between Factori and the relevant Sub-processor.

The Parties will cooperate in good faith to adopt any additional or alternative lawful transfer mechanism (including the EU-U.S. Data Privacy Framework, where Factori is self-certified) as may be required to maintain a valid transfer basis under Applicable Data Protection Laws.

6. Brazil (LGPD)

Where Personal Data of individuals located in Brazil is Processed under this Agreement, the Parties will comply with the LGPD, including with respect to lawful bases for Processing, data subject rights, international transfer requirements, and, where applicable, cooperation with the Autoridade Nacional de Proteção de Dados. The Processing Role designations and obligations in Sections 3 and 4 apply equally, construing “Controller” and “Operator” consistently with LGPD terminology.

7. Security Incident Cooperation

Each Party will maintain a documented information security program appropriate to the nature and sensitivity of the Personal Data it Processes. In addition to the notification obligations in Section 4.8, the Parties will reasonably cooperate to investigate, contain, and remediate any Security Incident affecting Personal Data shared under this Agreement, and will not make public statements attributing the incident to the other Party without prior consultation, except as required by law.

8. General
8.1. Amendments

Factori may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or Factori’s data processing practices, and will post the updated version on its website with a revised “Last updated” date. Material changes that reduce the protections afforded to Customer’s Personal Data will be notified to Customer in advance.

8.2. Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision will be deemed modified to the minimum extent necessary to make it enforceable.

Annex 1 — Details of Processing

To be completed per Order Form or engagement.

FieldDetails
Processing Role ☐ Independent Controllers (Mode A)
☐ Controller – Processor (Mode B)
Subject matter and duration [Provision of location intelligence / people data licensing services for the duration of the Principal Agreement]
Nature and purpose of Processing [e.g., aggregation, licensing, matching, enrichment, geocoding, analytics]
Categories of Data Subjects [e.g., app users, consumers, employees, website visitors]
Categories of Personal Data [e.g., device identifiers, GPS coordinates, IP address, name, contact details, demographic attributes]
Special Category Data (if any)[None / specify]
Frequency of transfer [e.g., continuous feed, daily batch, one-time export]
Data exporter / importer [Factori] / [Customer], or as reversed for Mode A licensing flows
Competent supervisory authority [To be determined based on data exporter’s location]
Annex 2 — Technical and Organizational Measures
  • Access control: role-based access, unique credentials, multi-factor authentication for administrative and production access.
  • Encryption: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
  • Network security: firewalls, network segmentation, intrusion detection/prevention, and vulnerability scanning.
  • Pseudonymization / de-identification: hashing or tokenization of direct identifiers in licensed data products where feasible.
  • Logging and monitoring: centralized logging of access to Personal Data and automated alerting on anomalous activity.
  • Personnel security: confidentiality agreements, least-privilege access, and periodic security and privacy training.
  • Business continuity: regular backups, tested disaster recovery procedures, and defined recovery time/point objectives.
  • Vendor management: due diligence and contractual flow-down of security obligations to Sub-processors.
  • Incident response: a documented incident response plan with defined escalation and breach notification procedures.
  • Data minimization and retention: retention schedules and secure deletion procedures consistent with the purposes of Processing.