Data Processing Agreement
Last updated: 15 March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between FiorLab Limited, a company registered in Ireland (CRO 813471) ("Processor"), and the customer organisation ("Controller") for the provision of the FiorLab supplier risk intelligence platform (the "Service"), pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
To execute this DPA for your organisation, please contact legal@fiorlab.com with your company details.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
| Element | Detail |
|---|---|
| Subject Matter | Provision of supplier risk intelligence and assessment services |
| Duration | For the term of the service agreement plus data retention period |
| Nature and Purpose | Storage, analysis, scoring, and reporting of supplier assessment data to support procurement risk management |
| Types of Personal Data | Names, email addresses, job titles, company affiliation, supplier financial and compliance metrics, and (where applicable) GxP pharmaceutical supplier qualification and compliance data |
| Categories of Data Subjects | Buyer employees, supplier employees, supplier company representatives |
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and audit logging.
- Not engage another processor without prior specific or general written authorisation of the Controller. Where general authorisation is given, the Processor shall inform the Controller of any intended changes.
- Assist the Controller in responding to requests from data subjects exercising their rights under GDPR.
- Assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, breach notification, data protection impact assessments).
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits.
4. Sub-processors
The Controller provides general authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Firebase) | Data storage, authentication, database | EU (europe-west1) |
| Vercel Inc. | Application hosting and CDN | EU edge nodes |
| Resend Inc. | Transactional email delivery | United States* |
| Netlify Inc. | Marketing website hosting | Global CDN |
*Email delivery via Resend involves transfer to the US. This is covered by Standard Contractual Clauses (SCCs) between FiorLab and Resend.
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object.
5. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach. The notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
6. International Transfers
The Processor shall not transfer Personal Data outside the EEA unless appropriate safeguards are in place in accordance with Chapter V GDPR. Where transfers to third countries occur (e.g., email delivery via Resend), Standard Contractual Clauses as approved by the European Commission (Decision 2021/914) shall apply.
7. Technical and Organisational Measures
The Processor implements the following measures:
- Encryption: TLS 1.2+ in transit, AES-256 at rest (provided by Google Cloud).
- Access Control: Role-based access control (RBAC) with buyer, supplier, and admin roles. Firebase Authentication with email verification.
- Audit Logging: All assessment, contract, and data modification actions logged with actor identity, timestamp, and action details. Logs retained for 7 years.
- Data Isolation: Multi-tenant architecture with Firestore security rules ensuring buyers can only access suppliers in their registry.
- Backup: Automated daily backups via Google Cloud with 30-day retention.
- Incident Response: Documented incident response procedure with designated security contact (security@fiorlab.com).
8. Audits
The Controller may audit the Processor's compliance with this DPA once per year, with 30 days' written notice. The Processor shall cooperate with audits and make relevant records available. Where the Controller appoints a third-party auditor, the auditor must execute a confidentiality agreement acceptable to the Processor.
9. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted under applicable law.
10. Term and Termination
This DPA shall remain in effect for the duration of the service agreement. The obligations regarding confidentiality and data return/deletion survive termination. Upon termination, the Processor shall, at the Controller's election, return or securely delete all Personal Data within 90 days.
11. Contact
For questions about this DPA or to execute a signed copy:
FiorLab Limited — Data Protection
CRO Number: pending
Email: legal@fiorlab.com
Dublin, Ireland