A data processing agreement is a legally binding contract that states the rights and obligations of FigShelf.com (acting as a data processor) and your company (acting as a data controller) concerning the protection of personal data. It complements FigShelf.com’s Terms and Conditions and applies to personal data processing activities subject to GDPR.

In accordance with GDPR Article 28, Section 3, our data processing agreement includes assurances that:

• FigShelf.com agrees to process personal data only based on written instructions from your company. This ensures that all processing activities are under your directive, complying fully with your privacy policies and objectives.

• Confidentiality Commitments: Every individual at FigShelf.com who comes into contact with personal data is bound by strict confidentiality obligations. This includes employees, contractors, and any third parties engaged in processing activities, ensuring that your data remains secure and private.

• Technical and Organizational Measures: FigShelf.com employs appropriate technical and organizational measures to protect the security of your data. These measures are designed to prevent unauthorized or unlawful processing, accidental loss, destruction, or damage.

• Subprocessing Controls: FigShelf.com will not subcontract any of its processing operations performed on behalf of your company unless it is instructed in writing by your company to do so. If subcontracting is necessary, a separate Data Processing Agreement (DPA) will be established with the subprocessor to ensure they meet the same data protection standards as FigShelf.com pursuant to Sections 2 and 4 of Article 28 of the GDPR.

• Support in Upholding Data Subject Rights: FigShelf.com will assist your company in upholding the rights of data subjects under the GDPR. This includes support in handling requests for data access, correction, deletion, and portability as well as responding to data subjects’ inquiries concerning their personal data.

• Compliance Support: FigShelf.com will support your company in maintaining compliance with GDPR requirements, particularly those related to the security of processing (Article 32) and the necessity of consulting with the data protection authority before undertaking processing that is likely to result in a high risk to data subjects’ rights and freedoms (Article 36).

This document ensures that both parties understand their responsibilities and obligations in managing and protecting personal data, in compliance with GDPR and other relevant laws.

---