
Data Processing Agreement (DPA)

Last updated: 26 June 2025

This Data Processing Agreement (“DPA”) forms part of the Service Agreement or other written or electronic agreement between Fecusio and the Customer for the purchase of online services from Fecusio (“Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.

Executing a DPA does not change any of our practices concerning the protection of your privacy and your data. Everyone using our service gets the same high standards of privacy and security.


1. Parties

  1. Customer / Data Controller
    The organisation or company that subscribes to the Services, and whose details shall be provided to Fecusio upon subscribing.

  2. Fecusio / Data Processor
    Overcode, a company incorporated in Serbia, with company registration number 67879724, with its registered office at Jovana Cvijića 10, 21101 Novi Sad, Serbia.

Each also a “Party” and together the “Parties”.


2. Background and Scope

2.1 The Parties have entered into an agreement by virtue of which the Data Processor will provide feature flagging services to the Data Controller through a dedicated online platform (“Agreement”).

2.2 Under the Agreement, the Data Processor may have access to and/or otherwise process Personal Data on behalf of the Data Controller.

2.3 This DPA replaces any previous data processing agreements between the Parties in connection with the Agreement.

2.4 Except for the changes made by this DPA, the Agreement remains unchanged and in full force. In case of conflict, the DPA prevails.


3. Definitions

3.1 Terms defined as per GDPR: “Personal Data”, “Data Controller”, “Data Processor”, “Data Subject”, “Processing”.

Other terms:

  • Privacy Policy: Fecusio’s legal and binding statement on handling Personal Data – app.fecusio.com/legal/privacy-policy.
  • Services: Feature flagging services via Fecusio’s online platform.
  • Third Country: A non-EU/EEA country or one not deemed adequate by the EU.

3.2 Capitalized terms not defined herein retain the meaning given in the Agreement.


4. Role of the Parties

4.1 Processing is detailed in Appendix 1.

4.2 The Data Processor only processes data per the Data Controller’s instructions.

4.3 Instructions may derive from this DPA, the Agreement, or Privacy Policy.

4.4 If an instruction appears unlawful, the Data Processor shall notify the Data Controller.

4.5 Both Parties must comply with all relevant data protection laws, including GDPR.


5. Obligations of the Data Processor

5.1 Comply with GDPR and security standards as in the Privacy Policy.

5.2 Only process Personal Data necessary for the Agreement.

5.3 Implement suitable technical and organizational safeguards.

5.4 Ensure confidentiality and training of personnel and sub-processors.

5.5 Notify the Data Controller promptly (within 36 hours) of:

  • Data breaches;
  • Legal requests;
  • Data subject or regulatory authority inquiries.

5.6 No disclosure of Personal Data to third parties unless instructed or legally required.

5.7 Assist the Data Controller with:

  • Regulatory consultations;
  • Demonstrating compliance;
  • Investigations by authorities.

6. Obligations of the Data Controller

6.1 Must not provide sensitive Personal Data.

6.2 Must ensure lawful transfer and processing of Personal Data by the Data Processor.


7. Exercise of Data Subject’s Rights

7.1 Data Processor enables Data Controller to fulfill Chapter 3 of the GDPR.

7.2 Data Processor will assist with:

  • Access, rectification, erasure;
  • Data portability;
  • DPIAs.

Where possible, the Data Controller may use built-in features to access the data directly.


8. Transfers to a Third Country

8.1 Transfer allowed with prior consent, except where approved by this DPA (see Article 9).

8.2 Transfers must be covered by appropriate safeguards (e.g., SCCs or similar frameworks).


9. Sub-processors

9.1 Data Processor may engage sub-processors. Current list available upon request.

9.2 Customer may object to new sub-processors within 5 days, on reasonable grounds.

9.3 Data Processor shall:

  • Limit access to necessary data;
  • Impose equivalent data protection obligations;
  • Remain liable for sub-processors.

10. Audit

10.1 One audit per year allowed, performed by an independent non-competitor.

10.2 Requires 20 days’ notice and must not disrupt business operations.

10.3 Data Processor shall assist and provide necessary documentation.

10.4 Right to audit sub-processors as well.

10.5 Costs covered by Data Processor if material non-compliance is found.


11. Warranties

11.1 Data Processor warrants:

  • GDPR compliance;
  • Adequate technical and organizational measures;
  • Necessary expertise and reliability.

12. Liability

12.1 Liability is governed by this DPA and Article 82 of the GDPR.

12.2 Data Processor will indemnify Data Controller for claims arising from its failure to comply.

12.3 Data Controller may claim damages if Data Processor processes data contrary to the DPA or instructions.


13. Term and Termination

13.1 Valid from date of signature and lasts as long as data is processed under the Agreement.

13.2 Either Party may terminate if the other breaches and fails to cure within 30 days.

13.3 Upon termination:

  • Data must be returned or destroyed;
  • Data may only be retained if legally required.

14. Miscellaneous

14.1 Amendments require written agreement.

14.2 No implied waivers; all waivers must be explicit and in writing.

14.3 Unenforceable provisions will be limited or removed; the remainder of the DPA stays in effect.


15. Governing Law and Dispute Resolution

15.1 Governed by Serbian law.

15.2 Exclusive jurisdiction: Novi Sad, Serbia.


Appendix 1: Detail of Processing of Personal Data

Subject Matter and Duration
Processing required for providing Fecusio’s services. Duration per Article 13.

Nature and Purpose
Access and Processing of Personal Data for platform functionality, e.g. managing feature flags, identities, releasing features.

Types of Personal Data

  • Identification & contact info (email, name, IP address)
  • Identities data provided by users (can include personal data)

Categories of Data Subjects

  • Customers and Users of the Services
  • Identities stored in the Platform

Locations of Processing
Hetzner, Falkenstein, Germany (eu-central)

Technical and Organizational Measures
Available on request: support@fecusio.com

© 2025 Fecusio. All rights reserved.