Legal

Data Processing Agreement

Version 1.0 — Effective 19 April 2026

1. Overview and applicability

This Data Processing Agreement (“DPA”) forms part of the Terms of Servicebetween you (the “Customer” or “Controller”) and Fuze (the “Processor”) and applies where Customer Data processed through the Fuze platform includes personal data within the meaning of Regulation (EU) 2016/679 (“GDPR”).

By accepting the Terms of Service, or by signing an Order Form that references this DPA, you agree to the terms of this DPA. For Enterprise customers who require a counter-signed DPA, download the PDF below, sign, and return it to privacy@fuze-ai.tech.

2. Roles of the parties

You act as data controller for any personal data you submit to the Fuze platform, including agent trace data, event payloads, and end-user interaction records. You determine the purposes and means of that processing.

Fuze acts as data processor, processing personal data only on your documented instructions and for the limited purposes set out in this DPA and the Terms of Service. Fuze does not sell personal data, and does not use Customer Data for its own purposes other than as required to provide and improve the Services as described.

3. Subject matter and nature of processing

Fuze processes personal data on your behalf for the following purposes:

  • Storing and indexing AI agent trace records, including any personal data contained in those records, for retrieval and display via the Fuze dashboard.
  • Processing event data to generate compliance evidence, risk metrics, and audit reports under the EU AI Act and related frameworks.
  • Applying configured retention schedules and executing deletion operations on your instruction or pursuant to your configuration.
  • Providing data subject rights assistance as described in section 8.

The categories of data subjects and categories of personal data processed depend on what you transmit. Typical categories include: end users of your AI-powered products (names, identifiers, interaction content); your own staff or developers (account credentials, audit trail records). You are responsible for accurately documenting these categories for your own records of processing activities (GDPR Art. 30).

4. Fuze processor obligations

In its capacity as processor, Fuze commits to:

  • Process personal data only on your documented instructions, including those set out in this DPA and the Terms of Service, unless required to do so by EU or Member State law (in which case Fuze will inform you unless prohibited by law).
  • Ensure that staff authorised to process personal data are subject to appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational security measures described in section 7 and on the Security page.
  • Respect the conditions for engaging sub-processors set out in section 5.
  • Assist you in fulfilling your obligations to respond to data subject rights requests, as described in section 8.
  • Notify you of personal data breaches as described in section 9.
  • Return or delete personal data upon termination as described in section 10.
  • Make available to you the information necessary to demonstrate compliance with GDPR Art. 28, and cooperate with audits as described in section 11.

5. Sub-processors

You grant a general authorisation for Fuze to engage sub-processors. The current authorised sub-processor list is maintained at /subprocessors. We will provide at least 30 days' prior notice of any intended change (addition or replacement) to the sub-processor list by updating that page and notifying subscribers who have registered at subscribe@fuze-ai.tech.

You may object to a new sub-processor on reasonable data protection grounds within 15 days of notice. If we cannot accommodate the objection, you may terminate the Agreement on written notice without penalty.

Fuze imposes data protection obligations on each sub-processor at least as protective as those in this DPA and remains liable to you for any failure by a sub-processor to meet those obligations.

6. International data transfers and Standard Contractual Clauses

Fuze's primary data storage is in the EU (Google Cloud europe-west1). However, several sub-processors involved in authentication and database management are US-domiciled companies. This creates transfers of personal data to third countries within the meaning of GDPR Chapter V.

Fuze relies on the following transfer mechanism for such transfers:

  • Standard Contractual Clauses (SCCs)under European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, specifically the Controller-to-Processor (Module 2) and Processor-to-Processor (Module 3) clauses as applicable, incorporated into Fuze's agreements with each US-domiciled sub-processor.

Where Module 3 (Processor-to-Sub-Processor) SCCs are used, they are incorporated by reference into this DPA and Fuze acts as the “data exporter” and the relevant sub-processor acts as the “data importer”. By entering into this DPA, you acknowledge and consent to those transfers on the basis of the SCCs and the supplementary measures described on the Security page.

Fuze discloses that US-domiciled sub-processors (Supabase Inc., Google LLC for Firebase) operate under the US CLOUD Act (18 U.S.C. § 2523) and may be compelled to disclose data to US authorities even where that data is physically stored in EU regions. We have documented this risk and the available mitigations in our Transfer Impact Assessment, a summary of which is included in the downloadable DPA PDF.

7. Security measures

The technical and organisational measures Fuze maintains to protect personal data are described on the Security page. These measures include: TLS 1.2+ encryption in transit; AES-256 encryption at rest; least-privilege access controls; audit logging; vulnerability management; and a formal incident response process.

Fuze may update these measures over time provided that any update does not materially reduce the overall level of protection.

8. Data subject rights assistance

Fuze provides technical mechanisms within the platform to assist you in responding to data subject rights requests under GDPR Articles 15-22, including:

  • Data export (Art. 15, Art. 20): bulk export of all trace and account data associated with your organisation.
  • Erasure (Art. 17): targeted deletion of records by run ID, session, or full organisational deletion.
  • Restriction (Art. 18): ability to flag records as restricted from processing pending resolution of a disputed accuracy claim.

Where a data subject contacts Fuze directly regarding your Customer Data, we will redirect them to you unless we are independently obligated to respond.

9. Breach notification

In the event of a personal data breach affecting Customer Data, Fuze will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with your account and will include, to the extent available at that time: a description of the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences; and the measures taken or proposed to address the breach.

10. Return and deletion of data

Upon termination of the Agreement, Fuze will make Customer Data available for export for 30 days following the effective date of termination. After that period, Fuze will securely delete Customer Data from all systems, including any backups, unless retention is required by applicable law. Upon request, Fuze will provide written confirmation of deletion.

11. Audit rights

Upon reasonable written request (minimum 30 days' notice), Fuze will provide you with documentation and information reasonably necessary to verify Fuze's compliance with this DPA. For Enterprise customers, on-site audits may be arranged no more than once per year, subject to reasonable confidentiality obligations and subject to the parties agreeing on scope and cost-sharing.

Fuze may satisfy an audit request by providing a summary of a relevant third-party audit or certification where available.

12. Term and termination

This DPA is coterminous with the Terms of Service. Termination of the Terms of Service terminates this DPA. Obligations under this DPA that by their nature survive termination (in particular section 10) will continue to apply.

13. Download the DPA

The complete Fuze Data Processing Agreement, including the full text of applicable Standard Contractual Clauses (Module 2 and Module 3) and a summary Transfer Impact Assessment, is available for download:

Download Fuze-DPA-v1.pdf

After signing, return the completed PDF to privacy@fuze-ai.tech. We will countersign and return a copy within 5 business days.

Questions about this DPA should be directed to privacy@fuze-ai.tech.