Foil Data Processing Addendum
Foil data processing addendum for customer personal data processed through the services.
This Foil Data Processing Addendum (“DPA”) forms part of the agreement between ABXY, Inc., a Delaware corporation (“Foil”) and Customer governing Customer’s use of the Services (the “Agreement”). This DPA applies only to the extent Foil processes Customer Personal Data on behalf of Customer in connection with the Services. If there is a conflict between this DPA and the Agreement with respect to data-protection subject matter, this DPA controls.
This DPA is effective as of the effective date of the Agreement.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
“Applicable Data Protection Law” means any law or regulation applicable to Foil’s processing of Customer Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss data-protection law, the CCPA, and other U.S. state privacy laws.
“Customer Personal Data” means Personal Data contained in Customer Data that Foil processes on behalf of Customer in connection with the Services.
“Personal Data” means “personal data,” “personal information,” or similar terms as defined under Applicable Data Protection Law.
“Process” or “Processing” means any operation performed on Personal Data, whether or not by automated means.
“Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, excluding unsuccessful attempts or events that do not compromise the confidentiality, integrity, or availability of Customer Personal Data.
“Standard Contractual Clauses” or “SCCs” means, as applicable, the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914, together with any mandatory successor clauses.
“Subprocessor” means any third party authorized by Foil to process Customer Personal Data in connection with the Services.
2. Scope and Roles
This DPA applies where and only to the extent that Foil processes Customer Personal Data in the course of providing the Services and such processing is subject to Applicable Data Protection Law.
As between the parties:
- Customer acts as a controller, business, or equivalent with respect to Customer Personal Data, or as a processor/service provider on behalf of its own controller, as applicable; and
- Foil acts as a processor, service provider, or contractor (as applicable) with respect to Customer Personal Data governed by this DPA.
The parties acknowledge that Foil may separately process certain data as a controller or business for its own account, such as account-administration data, billing data, support and communications data, website and documentation data, and certain service usage, security, and deidentified data, as described in the Agreement and Privacy Policy. Such processing is not governed by this DPA except to the extent required by Applicable Data Protection Law.
3. Documented Instructions and Authorized Processing
The Agreement, this DPA, Customer’s configuration and use of the Services, and any mutually agreed written instructions or support communications relating to the Services constitute Customer’s documented instructions to Foil for processing Customer Personal Data.
Foil may process Customer Personal Data only:
- to provide, host, secure, monitor, support, maintain, troubleshoot, and improve the Services;
- to receive, record, organize, store, encrypt, transmit, analyze, score, fingerprint, correlate, investigate, validate, display, export, and otherwise process Customer Personal Data necessary to provide the Services and related outputs requested by Customer;
- to detect, prevent, investigate, mitigate, and respond to fraud, abuse, manipulation, account compromise, malicious or deceptive activity, payment abuse, security incidents, and threats to the Services or third parties;
- to generate and return derived risk, reputation, recurrence, cluster, network, device, identity, and similar indicators, including cross-customer or network-level indicators, solely for security, fraud, abuse, integrity, research, and service-improvement purposes, provided that Foil does not disclose another customer’s identity, another customer’s confidential information, or another customer’s raw underlying data except as permitted by law;
- to develop, test, tune, validate, and improve Foil’s signatures, heuristics, rules, models, fingerprints, analytics, detections, and service efficacy, including abuse research and efficacy testing, to the extent permitted by Applicable Data Protection Law and the Agreement; and
- as otherwise required by law, in which case Foil will, to the extent legally permitted, inform Customer before such processing.
Foil will promptly inform Customer if Foil becomes aware that Customer’s documented instructions violate Applicable Data Protection Law. Foil is not required to continue processing under instructions that Foil reasonably believes are unlawful.
4. Confidentiality and Personnel
Foil will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and receive access to Customer Personal Data only on a need-to-know basis.
5. U.S. State Privacy Law Terms
To the extent U.S. state privacy laws apply to Foil’s processing of Customer Personal Data:
- Foil will process Customer Personal Data as a service provider or contractor (or equivalent) on Customer’s behalf for the business purposes and documented instructions set out in the Agreement and this DPA;
- Foil will not sell Customer Personal Data or share Customer Personal Data for cross-context behavioral advertising;
- Foil will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties except as permitted by Applicable Data Protection Law, the Agreement, or this DPA;
- Customer authorizes Foil to process Customer Personal Data to detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity, to maintain and improve the Services, to conduct internal research and analytics related to the Services, and to create deidentified data, in each case to the extent permitted by Applicable Data Protection Law and the Agreement;
- Foil certifies that it understands the restrictions in this Section and will comply with them; and
- if required by Applicable Data Protection Law, Foil will allow Customer to take reasonable and appropriate steps designed to ensure that Foil’s use of Customer Personal Data is consistent with Customer’s obligations under such laws, subject to the audit and information-rights framework in Section 11.
6. Customer Obligations
Customer is responsible for:
- ensuring it has all rights, consents, notices, permissions, and lawful bases necessary to provide Customer Personal Data to Foil and to instruct Foil to process it under the Agreement and this DPA;
- complying with its own obligations under Applicable Data Protection Law;
- responding to requests from individuals and regulators relating to Customer Personal Data, except to the extent Foil is required to assist under this DPA; and
- not submitting special categories of Personal Data, data relating to criminal convictions or offenses, sensitive personal information, biometric identifiers or templates, children’s data, Social Security numbers, financial account credentials, or similar highly sensitive data unless the parties expressly agree in writing that the Services support such data and any required supplemental terms are in place.
7. Security Measures and Security Incidents
Foil will implement and maintain reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the Services and the risks of the processing. A current summary of those measures is set out in Schedule 2.
Foil may update the security measures from time to time to reflect technical progress, Service changes, or security developments, provided that Foil does not materially diminish the overall level of protection for Customer Personal Data.
Foil will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data. To the extent reasonably available, the notification will describe the nature of the Security Incident, the categories of data affected, the measures taken or proposed to address it, and information reasonably necessary for Customer to meet any notification obligations under Applicable Data Protection Law. Foil’s notice or response does not constitute an admission of fault or liability.
8. Subprocessors
Customer grants Foil a general authorization to engage Subprocessors in connection with the Services.
Foil will impose data-protection obligations on Subprocessors that are no less protective, in all material respects, than the obligations Foil undertakes in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor. Foil remains responsible for its Subprocessors’ processing of Customer Personal Data to the extent required by Applicable Data Protection Law.
Foil may make available publicly, in its Privacy Policy, in its documentation, or upon request, a description of the categories of Subprocessors it uses for the Services. Foil is not required to publish a public, name-by-name Subprocessor list, but Foil will provide additional information reasonably necessary to assess a bona fide data-protection objection, subject to confidentiality, security, and vendor-protection restrictions.
Where Foil adds or materially changes a Subprocessor category that is reasonably likely to affect the processing of Customer Personal Data, Foil will use commercially reasonable efforts to provide notice by email, dashboard notice, website posting, or similar means at least fifteen (15) days before the change becomes effective, except where a shorter period is necessary for security, legal, or urgent operational reasons.
If Customer reasonably objects to a new Subprocessor on legitimate data-protection grounds, Customer must notify Foil in writing within ten (10) days after the notice described above. The parties will work in good faith to address the objection through commercially reasonable means. If the parties cannot resolve the objection, Foil may elect either to avoid using the objected-to Subprocessor for Customer Personal Data or to terminate the affected portion of the Services and refund any unused prepaid fees allocable to the affected portion of the then-current paid term.
9. Assistance with Rights Requests and Assessments
Taking into account the nature of the processing and the information available to Foil, Foil will provide reasonable assistance to Customer as reasonably necessary for Customer to respond to requests from individuals exercising rights under Applicable Data Protection Law, or to conduct any required data protection impact assessment, transfer assessment, or regulatory consultation relating to the Services.
Foil may satisfy this obligation through self-service functionality, documentation, responses to questionnaires, or other reasonable means. Unless prohibited by law, Customer will reimburse Foil for materially burdensome assistance requested under this Section to the extent the request exceeds what is reasonably required by Applicable Data Protection Law or is caused by Customer’s configuration, misuse, or legal position rather than Foil’s noncompliance.
If Foil receives a rights request or regulator inquiry directly relating to Customer Personal Data processed on Customer’s behalf, Foil may:
- direct the requester or regulator to Customer;
- notify Customer; and/or
- respond as required by law or in accordance with Customer’s documented instructions.
10. International Transfers
To the extent the transfer of Customer Personal Data from Customer to Foil requires an approved transfer mechanism under Applicable Data Protection Law, the parties agree as follows:
- the SCCs are incorporated by reference into this DPA and apply as follows:
  - Module Two (Controller to Processor) applies where Customer is a controller and Foil is a processor;
  - Module Three (Processor to Processor) applies where Customer is a processor and Foil is a subprocessor;
  - for Clause 7, the optional docking clause applies;
  - for Clause 9, Option 2 applies and the notice period for Subprocessor changes is as set out in Section 8 of this DPA;
  - for Clause 11, the optional language does not apply;
  - for Clause 17, the governing law is the law of Ireland;
  - for Clause 18(b), disputes will be resolved in the courts of Ireland;
  - Annex I and Annex II of the SCCs are deemed completed with the information in Schedule 1 and Schedule 2 to this DPA; and
- if Customer transfers Customer Personal Data subject to UK GDPR, the UK International Data Transfer Addendum (or any mandatory successor mechanism) is incorporated by reference and the SCCs as modified by that addendum will apply.
For transfers subject to Swiss data-protection law, references in the SCCs to the GDPR will be interpreted to include Swiss law to the extent required, references to “Member State” include Switzerland, and the competent supervisory authority and courts will be determined in accordance with the SCCs and applicable Swiss requirements.
11. Demonstrating Compliance; Audits
On reasonable written request, and not more than once annually except following a Security Incident or where required by law, Foil will make available information reasonably necessary to demonstrate compliance with this DPA, such as completed security questionnaires, policy summaries, relevant excerpts from independent assessments, or similar documentation that Foil makes available to similarly situated customers.
If the information made available under the preceding paragraph is insufficient to satisfy Customer’s audit rights required by Applicable Data Protection Law, the parties will work in good faith to arrange a limited, reasonable, and proportionate audit or assessment, subject to:
- reasonable prior written notice;
- confidentiality obligations;
- the audit being conducted during normal business hours and in a manner that does not unreasonably disrupt Foil’s business or compromise the security of Foil or other customers;
- use of an independent auditor reasonably acceptable to Foil, if Foil so requires; and
- Customer bearing its own costs and Foil’s reasonable internal costs, except to the extent the audit reveals a material breach of this DPA by Foil.
12. Return and Deletion
During the term of the Agreement, Customer may access, retrieve, or export certain Customer Personal Data through the Services to the extent such functionality is made available by Foil.
Upon termination or expiration of the Services, and subject to the functionality of the Services and any documented product limits, Customer may request export of Customer Personal Data within thirty (30) days after termination. After that period, Foil may delete or render inaccessible Customer Personal Data in the ordinary course.
Notwithstanding the foregoing, Foil may retain Customer Personal Data to the extent required by law, to maintain backup and archival systems, to preserve billing, payment, dispute, fraud-prevention, abuse-prevention, or security records, or as otherwise permitted by Applicable Data Protection Law and the Agreement, provided that any retained Customer Personal Data remains protected under this DPA and is processed only for the limited purposes for which retention is permitted.
Foil may retain deidentified data, aggregated data, and Foil Data that do not identify Customer or a specific individual, subject to Applicable Data Protection Law.
13. Liability
To the maximum extent permitted by Applicable Data Protection Law, each party’s liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability in the Agreement, and references in the Agreement to liability arising out of or relating to the Agreement include liability arising out of or relating to this DPA.
14. Changes to this DPA
Foil may update this DPA to reflect changes in law, regulation, transfer mechanisms, Service functionality, security practices, or Subprocessor arrangements. Unless a change is required sooner by law or to address an urgent security issue, Foil will use commercially reasonable efforts to provide at least thirty (30) days’ notice before a materially adverse change to this DPA becomes effective. If Customer reasonably objects to a materially adverse change on legitimate data-protection grounds and the parties cannot resolve the objection in good faith, Customer may terminate the affected Services before the change takes effect.
15. Miscellaneous
Except as expressly modified by this DPA, the Agreement remains in full force and effect. This DPA will remain in effect until the later of:
- the expiration or termination of the Agreement; and
- Foil’s deletion or return of Customer Personal Data in accordance with Section 12.
Schedule 1, Details of Processing
Subject matter of the processing
Provision of Foil’s anti-abuse, fraud, automation-detection, identity-verification, device-intelligence, investigation, analytics, and related Services to Customer.
Duration of the processing
For the duration of the Agreement and for any limited post-termination period during which Foil retains Customer Personal Data in accordance with the Agreement and this DPA.
Categories of data subjects
- End users who interact with Customer’s websites, apps, or services protected by Foil.
- Customer’s employees, contractors, administrators, and other authorized users of the Services.
- Customer’s support contacts, billing contacts, and other representatives to the extent their Personal Data is included in Customer Data.
Categories of Personal Data
- Account, organization, and administrator information included in Customer Data.
- Browser, device, application, and environment information.
- Request, session, network, IP, and approximate location information.
- Interaction, event, and form-interaction metadata.
- Identifiers, fingerprinting, linkage, recurrence, and recognition signals.
- Risk scores, classifications, labels, logs, session details, support content, investigation outputs, and other information Customer submits to or receives through the Services.
Sensitive data
Customer is instructed not to submit special categories of Personal Data, data relating to criminal convictions or offenses, biometric identifiers or templates, children’s data, Social Security numbers, precise geolocation, or other similarly sensitive data unless the parties expressly agree in writing that the relevant Services support such data and any required supplemental terms are in place.
Nature and purpose of the processing
Collection, receipt, recording, organization, structuring, storage, hosting, encryption, transmission, analysis, scoring, fingerprinting, correlation, investigation, support, export, deletion, and other processing necessary to provide, secure, maintain, support, and improve the Services, detect and prevent fraud and abuse, and comply with law.
Schedule 2, Security Measures Summary
Foil’s security measures are designed, taking into account the nature of the Services and the risks of the processing, to include measures such as the following:
- Access Controls and Authentication
  - Role-based or need-to-know access to production systems and customer environments.
  - Authentication controls for internal administrative access.
  - Session-management and account-security controls for dashboard access.
- Transmission and Storage Protections
  - Encryption in transit for customer-facing Service communications where appropriate.
  - Protections for stored data and secrets appropriate to the sensitivity of the relevant systems and data.
  - Separation of public and secret credentials and related key-management controls.
- Application and Service Security
  - Logging, monitoring, alerting, and investigation practices designed to detect misuse, unauthorized access, service abuse, or anomalous activity.
  - Key, session, traffic, and environment controls appropriate to the Services.
  - Measures designed to preserve service integrity and defend against tampering, replay, abuse, and similar threats.
- Organizational Measures
  - Confidentiality obligations for personnel and contractors with access to Customer Personal Data.
  - Internal policies and procedures addressing security and incident response.
  - Vendor and Subprocessor review processes appropriate to the relevant services provided.
- Availability and Resilience
  - Backup, redundancy, recovery, or continuity measures appropriate to the relevant systems and data.
  - Change-management and operational practices designed to support service resilience.
- Data Lifecycle Controls
  - Processes for retention, deletion, and archival handling appropriate to the Services and applicable legal obligations.
  - Segregation or isolation measures designed to protect retained backup or archival data from unnecessary further processing.