Legal · GDPR Article 28

Data Processing Addendum

For Organization-tier customers using DMnesia to process personal data of EU/EEA/UK data subjects.

Last updated: 1 May 2026 · Effective on acceptance of the DMnesia Terms of Service.

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between FIHI LABS UG (haftungsbeschränkt), c/o Omer Nasir Khan, Stavangerstraße 2, 10439 Berlin, Germany ("DMnesia", "Processor"), and the customer organization that has accepted the Agreement ("Customer", "Controller"). It governs the processing of Personal Data by DMnesia on behalf of the Customer in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR") and equivalent UK GDPR provisions.

1. Scope and Roles

1.1 Customer is the Controller; DMnesia is the Processor. Where the Customer is itself a Processor for an upstream Controller, DMnesia acts as a Sub-processor.

1.2 DMnesia processes Personal Data only on documented instructions from the Customer, including the instructions embodied in the Agreement, the Customer's configuration of the Service, and the Customer's use of the API.

2. Subject Matter and Duration

Subject matter: Provision of the DMnesia Chrome extension, Team Portal, and developer API for organising LinkedIn outreach.

Duration: For the term of the Agreement, plus the retention periods set out in §10.

Nature and purpose: Storage of contact and lead records, message templates, and follow-up reminders; sending transactional emails; aggregating organization-level analytics.

3. Categories of Data Subjects and Personal Data

Category of data subject | Categories of personal data
Customer's authorised users (employees, contractors) | Name, email address, Google account ID (UID), authentication tokens, IP address (transient).
Customer's tracked LinkedIn contacts and leads | Public LinkedIn profile data: name, headline, company, location, profile photo URL, LinkedIn profile URL, message snippets the Customer has typed or received.
Customer's billing contact | Name, billing email, payment method metadata (handled directly by Stripe; DMnesia does not store card numbers).

DMnesia does not knowingly process Special Categories of Personal Data (Art. 9 GDPR). Customer agrees not to upload such data through the Service.

4. Obligations of the Processor

DMnesia shall:

5. Sub-processors

5.1 Customer grants DMnesia general authorisation to engage the Sub-processors listed below. DMnesia will notify the Customer of intended additions or replacements at least 30 days in advance, by email and by updating this page. Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith on a remedy.

Sub-processor | Service | Location of processing
Google Cloud Platform / Firebase (Google Ireland Limited) | Authentication, Firestore database, Cloud Functions hosting | United States (us-central1) — covered by the EU–US Data Privacy Framework.
Stripe Payments Europe Ltd. | Subscription billing, payment processing | European Union / United States (DPF).
Resend, Inc. | Transactional email delivery | United States (DPF).
Upstash, Inc. | Rate-limit counters and API-key cache (Redis) | European Union (Frankfurt).
Functional Software, Inc. d/b/a Sentry | Error monitoring and crash reporting | European Union (Germany region de.sentry.io).
Netlify, Inc. | Marketing site, Team Portal, Admin UI hosting | Global CDN with origin in the United States (DPF).
BetterStack (Better Stack s.r.o.) | Uptime monitoring and incident alerting | European Union.

5.2 DMnesia imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, including obligations to implement appropriate TOMs and to assist with data subject rights.

6. International Transfers

Where Personal Data is transferred outside the EEA / UK / Switzerland, the transfer is governed by either (a) an adequacy decision (including the EU–US Data Privacy Framework where the recipient is certified), or (b) the European Commission's Standard Contractual Clauses (Module 3, Processor-to-Processor) and the UK International Data Transfer Addendum where applicable.

7. Technical and Organisational Measures (TOMs)

DMnesia implements measures appropriate to the risk in accordance with Art. 32 GDPR, including:

8. Assistance with Data Subject Rights

DMnesia shall, taking into account the nature of the processing, assist the Customer with appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making).

Customer may export tracked contacts via the Team Portal at any time, and may delete contacts via the API DELETE /contacts/:id and DELETE /leads/:id endpoints, or by contacting DMnesia support.

9. Personal Data Breach Notification

DMnesia shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notice shall include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

10. Return and Deletion

10.1 Upon termination of the Agreement, DMnesia will delete all Customer Personal Data within 90 days, unless retention is required by Union or Member State law (e.g., financial records under § 257 HGB and § 147 AO).

10.2 The Customer may, prior to such deletion, export their data via the Team Portal or the developer API.

10.3 Backups containing Customer Personal Data follow the standard rotation cycle of the underlying Sub-processor and will be overwritten in the ordinary course; isolated retrieval from backups is not provided.

11. Audit Rights

DMnesia shall make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR. Where a Customer reasonably requests an audit, DMnesia will respond promptly with up-to-date documentation, including this DPA, the list of Sub-processors, and a description of the TOMs. On-site audits may be conducted during business hours with at least 30 days' notice and at the Customer's expense, subject to confidentiality safeguards.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits the rights of data subjects under the GDPR.

13. Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

14. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany, to the exclusion of the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction is Berlin, insofar as legally permissible.

15. Acceptance and Signed Copies

This DPA is automatically incorporated into the Agreement and binding on the parties as of the Customer's first paid Organization-tier subscription. A signed counterpart (PDF) is available on request — email support@dmnesia.com with your organization name and the signing party's contact details, and we will return a counter-signed PDF within 5 business days.

For questions about this DPA, contact support@dmnesia.com.