This Data Processing Agreement ("DPA") is entered into between the customer entity that has agreed to the FatArrow Terms of Service ("Client" or "Controller") and FatArrow, operated by Kwame Mensah, a UK-based sole trader ("FatArrow" or "Processor"). This DPA forms part of the agreement between the Client and FatArrow and governs the processing of Personal Data by FatArrow on behalf of the Client.
FatArrow processes Personal Data on behalf of the Client solely for the purpose of providing the FatArrow data intelligence platform, including:
Depending on the integrations the Client enables, Personal Data processed may include customer names, email addresses, contact details, transaction and financial records, employee data, marketing engagement data, and website behavioural data. Data Subjects may include the Client's customers, employees, suppliers, and other individuals whose data is contained within the Client's connected platforms.
FatArrow, as Data Processor, shall:
The Client instructs FatArrow to process Personal Data for the purposes described in Clause 02. FatArrow shall not process Personal Data for any other purpose. FatArrow shall promptly inform the Client if, in its opinion, an instruction infringes UK GDPR or other applicable UK data protection law. FatArrow shall not disclose Personal Data to any third party except as required by this DPA, as instructed by the Client, or as required by UK law.
The Client instructs FatArrow to process Personal Data for the purposes described in Clause 02. FatArrow shall not process Personal Data for any other purpose and shall not disclose Personal Data to any third party except as required by this DPA or UK law.
The Client provides general authorisation for FatArrow to engage Sub-processors necessary for the operation of the platform. Sub-processors are used for purposes including database hosting and authentication, payment processing, transactional email delivery, AI-powered insight generation, application hosting and deployment, workflow automation, and live chat support.
All Sub-processors are carefully vetted and are contractually required to implement appropriate technical and organisational measures to protect Personal Data. Where Sub-processors are located outside the UK, appropriate transfer mechanisms (including UK adequacy decisions or Standard Contractual Clauses) are in place.
A full and current Sub-processor list (including each entity's name, location, purpose, and applicable data transfer mechanism) is available upon request. To request this list, please contact us at admin@fatarrow.io.
FatArrow shall notify the Client of any intended changes to Sub-processors at least 14 days before the change takes effect. The Client may object to such changes within 14 days of notification.
FatArrow implements the following technical and organisational security measures:
In the event of a Personal Data breach, FatArrow shall:
Breach notifications shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
FatArrow shall assist the Client in responding to Data Subject requests under UK GDPR, including requests to access, correct, delete, or export Personal Data. FatArrow shall forward any Data Subject requests received directly to the Client within 5 business days. Clients may request deletion of all their data by contacting support@fatarrow.io. FatArrow will delete all associated Personal Data within 30 days of cancellation or on request.
Where Personal Data is transferred to Sub-processors located outside the UK or EU (as listed in Clause 06), FatArrow ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms as recognised under UK data protection law.
FatArrow shall make available to the Client all information reasonably necessary to demonstrate compliance with this DPA. The Client may request an audit of FatArrow's data processing activities no more than once per year, with reasonable notice. Audit costs shall be borne by the Client unless the audit reveals material non-compliance.
Upon termination of the Client's subscription, FatArrow shall, at the Client's election, return or delete all Personal Data within 30 days. Deletion shall include all copies held by FatArrow and, where possible, by Sub-processors.
This DPA remains in effect for the duration of the Client's subscription to FatArrow and terminates automatically upon cancellation or expiry of the subscription, subject to Clause 12.
Each party's liability under this DPA is subject to the limitations and exclusions set out in the FatArrow Terms of Service. Nothing in this DPA excludes or limits liability for death, personal injury, fraud, or any other liability that cannot be limited by law.
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
For data protection queries, contact us at support@fatarrow.io. We're a small team and we'll respond personally.