This Data Processing Agreement (“DPA”/ “Agreement”) applies to the extent Factori Technologies Pte Ltd. (“Factori”) Processes Personal Data in connection with the Services it provides to its customers (“Customer(s)”). This DPA controls with respect to the subject matter of data protection.
This DPA is deliberately structured to cover both models under which the Factori licenses data. The Processing Role applicable to a given dataset, feed, or engagement is fixed in Annex 1 (or the relevant Order Form). Where an Order Form does not specify a Processing Role, the Independent Controller model in Section 3 applies by default, as this reflects Factori’s typical role in aggregating and licensing data products for Customer’s own purposes.
3.1 Independent Processing
Each Party will independently determine the purposes and means of its Processing of Personal Data disclosed to it and will comply with its obligations as a Controller under Applicable Data Protection Laws with respect to that Processing. Neither Party is acting as a Processor, Service Provider, or contractor on behalf of the other Party, and this does not create a joint controller relationship unless expressly stated in an Order Form.
Factori will Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by law to which Factori is subject, in which case Factori will inform Customer of that legal requirement before Processing, unless prohibited from doing so.
Factori will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Factori will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Annex 2 (Technical and Organizational Measures).
4.5 Assistance with Data Subject Rights
Taking into account the nature of the Processing, Factori will assist Customer, insofar as possible and through appropriate technical and organizational measures, in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws. Factori will promptly notify Customer if it receives a Data Subject request relating to Customer’s data and will not respond to such request except on Customer’s documented instructions.
Factori will provide reasonably requested information to assist Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Laws and taking into account the nature of Processing and information available to Factori.
4.7 Personal Data Breach
Factori will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, after confirming a Personal Data Breach affecting Personal Data Processed on Customer’s behalf. Such notification will include, to the extent then known, the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach. Factori will cooperate with the Customer and take reasonable steps to mitigate and remediate the breach.
Factori will make available to Customer information reasonably necessary to demonstrate compliance with this Section 4 and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, no more than once per year absent a Personal Data Breach or regulatory requirement, on reasonable notice and subject to confidentiality, and during normal business hours. Factori may satisfy this obligation by providing a recent third-party audit report (e.g., SOC 2 Type II) covering substantially similar controls.
Where Factori Processes Personal Data as a “Service Provider,” “Processor,” or “Contractor” under the CCPA or other U.S. state privacy laws, Factori certifies that it understands these restrictions and will comply with them, including the restrictions in Section 4.2, and will not combine Personal Data received on Customer’s behalf with Personal Data received from other sources except as permitted under such laws.
Where Factori Processes Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland and transfers such Personal Data to a country not deemed to provide an adequate level of protection, the Parties will execute the applicable Standard Contractual Clauses (or, for UK transfers, the UK International Data Transfer Addendum to the EU SCCs), incorporated into this Agreement by reference and populated using the details in Annex 1. For transfers under the Independent Controller model (Section 3), Module One (Controller to Controller) applies; for transfers under the Processor model (Section 4), Module Two (Controller to Processor) applies. Where Factori further engages Sub-processors located outside the EEA/UK, Module Three (Processor to Sub-Processor) applies as between Factori and the relevant Sub-processor.
The Parties will cooperate in good faith to adopt any additional or alternative lawful transfer mechanism (including the EU-U.S. Data Privacy Framework, where Factori is self-certified) as may be required to maintain a valid transfer basis under Applicable Data Protection Laws.
Where Personal Data of individuals located in Brazil is Processed under this Agreement, the Parties will comply with the LGPD, including with respect to lawful bases for Processing, data subject rights, international transfer requirements, and, where applicable, cooperation with the Autoridade Nacional de Proteção de Dados. The Processing Role designations and obligations in Sections 3 and 4 apply equally, construing “Controller” and “Operator” consistently with LGPD terminology.
Each Party will maintain a documented information security program appropriate to the nature and sensitivity of the Personal Data it Processes. In addition to the notification obligations in Section 4.8, the Parties will reasonably cooperate to investigate, contain, and remediate any Security Incident affecting Personal Data shared under this Agreement, and will not make public statements attributing the incident to the other Party without prior consultation, except as required by law.
Factori may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or Factori’s data processing practices, and will post the updated version on its website with a revised “Last updated” date. Material changes that reduce the protections afforded to Customer’s Personal Data will be notified to Customer in advance.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision will be deemed modified to the minimum extent necessary to make it enforceable.
To be completed per Order Form or engagement.
| Field | Details |
|---|---|
| Processing Role |
☐ Independent Controllers (Mode A) ☐ Controller – Processor (Mode B) |
| Subject matter and duration | [Provision of location intelligence / people data licensing services for the duration of the Principal Agreement] |
| Nature and purpose of Processing | [e.g., aggregation, licensing, matching, enrichment, geocoding, analytics] |
| Categories of Data Subjects | [e.g., app users, consumers, employees, website visitors] |
| Categories of Personal Data | [e.g., device identifiers, GPS coordinates, IP address, name, contact details, demographic attributes] |
| Special Category Data (if any) | [None / specify] |
| Frequency of transfer | [e.g., continuous feed, daily batch, one-time export] |
| Data exporter / importer | [Factori] / [Customer], or as reversed for Mode A licensing flows |
| Competent supervisory authority | [To be determined based on data exporter’s location] |
© 2026 Factori. All rights reserved.