Last updated: April 14, 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Fondly Terms of Service between Fondly, Inc. ("Processor") and the customer identified in the Fondly account ("Controller"). It governs the processing of Personal Data that Fondly processes on the Controller's behalf.
By using Fondly and accepting the Terms, you accept this DPA on behalf of the Controller. If you need a countersigned copy for your records, email tony@getfondly.co.
1. Definitions
- Personal Data means any information relating to an identified or identifiable natural person processed by Fondly on behalf of the Controller.
- Applicable Data Protection Law means GDPR, UK GDPR, CCPA/CPRA, and any other data-protection laws applicable to the Controller's use of Fondly.
- Terms not defined here have the meaning given in the Fondly Terms of Service or in Applicable Data Protection Law.
2. Scope and roles
The Controller is the data controller of the Personal Data processed through Fondly. Fondly acts as the data processor and processes Personal Data only on the Controller's documented instructions; the Fondly Terms and the product features are the primary documented instructions.
3. Subject matter, nature, and duration
| Item | Details |
|---|---|
| Subject matter | Providing the Fondly review-reply service as described in the Terms. |
| Nature of processing | Ingesting, storing, transforming (via AI drafting), and transmitting review and reply data. |
| Purpose | To enable the Controller to respond to Google Business Profile reviews in their voice. |
| Duration | For as long as the Controller uses Fondly, plus up to 30 days for export, plus retention required by law. |
| Categories of data subjects | The Controller's customers who leave reviews; the Controller's employees who use Fondly; the Controller itself. |
| Categories of Personal Data | Review text, reviewer display names (as shown publicly on Google), ratings, timestamps; Controller account data (name, email, role); business profile metadata. |
4. Fondly's obligations
- Process Personal Data only on the Controller's instructions and as necessary to provide the service.
- Ensure personnel with access to Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to secure Personal Data (see Section 8).
- Assist the Controller in responding to data-subject requests, including requests to access, correct, delete, or port data.
- Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's data.
- On termination, delete or return Personal Data at the Controller's choice, subject to retention required by law.
- Make available information necessary to demonstrate compliance with this DPA and allow reasonable audits, which may be satisfied by current SOC 2 or equivalent reports of Fondly's sub-processors where available.
5. Sub-processors
The Controller authorizes Fondly to engage the sub-processors listed below. Fondly will notify the Controller by email of any intended addition or replacement at least 30 days before the change. The Controller may object on reasonable grounds, in which case the parties will discuss a resolution in good faith.
| Sub-processor | Service | Location |
|---|---|---|
| Vercel, Inc. | Application hosting | USA |
| Supabase, Inc. | Database, file storage | USA |
| Clerk Technologies, Inc. | Authentication | USA |
| Stripe, Inc. | Payment processing | USA |
| Anthropic, PBC | AI drafting (Claude) | USA |
| Resend Technologies, Inc. | Transactional email delivery | USA |
| Functional Software, Inc. (Sentry) | Error monitoring | USA |
| Google LLC | Business Profile API | USA |
Fondly remains responsible for the acts and omissions of its sub-processors as if they were Fondly's own.
6. International data transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country not recognized as providing adequate protection, Fondly relies on the Standard Contractual Clauses (2021/914) or the UK Addendum, as applicable. The SCCs are incorporated into this DPA by reference and are deemed completed with the parties identified in the Terms, Module 2 (Controller-to-Processor).
7. Data subject rights and controller instructions
Fondly will, taking into account the nature of processing, provide reasonable assistance to the Controller in fulfilling data-subject requests. Where a data subject contacts Fondly directly, Fondly will promptly forward the request to the Controller.
8. Security measures
- TLS 1.2+ encryption of data in transit; AES-256 encryption at rest (provided by sub-processors).
- Least-privilege access to production systems; MFA required for all production accounts.
- Secret management via platform-native secret stores (Vercel env vars, Supabase vault).
- Automatic logging and monitoring of authentication and admin events.
- Regular review of vendor security posture.
- Written incident response procedure; breach notification within 72 hours of confirmation.
- Personnel background checks and confidentiality obligations.
9. Return or deletion of data
On termination of the Controller's account, Fondly will, at the Controller's option, either delete or return Personal Data within 30 days, except where applicable law requires further retention. Backups containing Personal Data are deleted according to Fondly's rolling backup schedule (maximum 90 days).
10. Liability and conflicts
Each party's liability under this DPA is subject to the limitations set out in the Fondly Terms of Service. In case of a conflict between this DPA and the Terms, this DPA controls for matters relating to the processing of Personal Data.
11. Changes
Fondly may update this DPA to reflect changes in law or in the service. Material changes will be notified to the Controller by email at least 30 days before taking effect.
12. Contact
Data-protection questions: tony@getfondly.co
Fondly, Inc., San Jose, California, USA