Fontana LogoFontana
Alexis Wallace Lavigne

Legal Center

How we process data on behalf of our customers. This agreement ensures compliance with data protection regulations.

Legal Documents

Privacy PolicyTerms of ServiceCookie PolicyAcceptable UseData ProcessingAccessibility

Data Processing Agreement

Last updated: December 29, 2025

This Data Processing Agreement (“DPA”) governs how Fontana processes personal data on behalf of our customers in accordance with applicable data protection laws.

1. Definitions

For the purposes of this DPA:

  • “Controller” means the entity that determines the purposes and means of processing personal data
  • “Processor” means the entity that processes personal data on behalf of the controller
  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Processing” means any operation performed on personal data
  • “Data Protection Laws” means applicable data protection and privacy laws

2. Roles and Responsibilities

In the context of this DPA:

  • You (the customer) act as the Controller of personal data
  • Fontana acts as the Processor of personal data on your behalf
  • We process personal data only as instructed by you and in accordance with this DPA
  • You remain responsible for the lawfulness of the processing and the accuracy of the data

3. Processing Activities

Fontana processes personal data for the following purposes:

  • Providing and maintaining our data processing services
  • Data mapping and normalization as requested by you
  • Quality assurance and service improvement
  • Technical support and troubleshooting
  • Compliance with legal obligations

4. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • Employee training on data protection
  • Incident response procedures
  • Data backup and recovery processes

5. Subprocessors

We may engage subprocessors to assist in providing our services. We ensure that all subprocessors:

  • Provide adequate data protection guarantees
  • Are bound by contractual obligations no less protective than this DPA
  • Process personal data only as instructed by us
  • Implement appropriate security measures

We will notify you of any changes to our subprocessors and give you the opportunity to object.

6. Data Subject Rights

We will assist you in responding to data subject requests, including:

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

We will promptly notify you of any data subject requests we receive and will not respond directly unless authorized by you.

7. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay after becoming aware of the breach
  • Provide you with relevant information about the breach
  • Assist you in meeting your notification obligations
  • Take reasonable steps to mitigate the effects of the breach
  • Document all breaches and our response to them

8. Data Retention and Deletion

We will retain personal data only for as long as necessary to:

  • Provide our services to you
  • Comply with legal obligations
  • Resolve disputes and enforce agreements

Upon termination of our services or at your request, we will delete or return all personal data in our possession, unless retention is required by law.

9. Audit Rights

You have the right to audit our compliance with this DPA by:

  • Requesting information about our data processing activities
  • Conducting on-site audits with reasonable notice
  • Reviewing our security certifications and assessments
  • Requesting third-party audits or certifications

We will cooperate with reasonable audit requests and provide necessary information and access.

10. International Transfers

If we transfer personal data outside the European Economic Area (EEA), we ensure that:

  • The transfer is based on an adequacy decision by the European Commission
  • Appropriate safeguards are in place (e.g., Standard Contractual Clauses)
  • The transfer is necessary for the performance of our contract with you
  • We have obtained your explicit consent for the transfer

11. Liability and Indemnification

Each party will be liable for its own violations of data protection laws. We will indemnify you for any fines or penalties imposed on you due to our breach of this DPA, subject to the limitations in our Terms of Service.

12. Termination

This DPA will terminate automatically upon termination of our services agreement with you. Upon termination:

  • We will cease processing personal data on your behalf
  • We will delete or return all personal data in our possession
  • We will provide you with a certificate of deletion
  • Our obligations regarding confidentiality will survive termination

13. Governing Law and Jurisdiction

This DPA is governed by the same law as our Terms of Service. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution provisions of our Terms of Service.

14. Contact Information

For questions about this DPA or data processing activities, please contact us:

Data Protection Officer: dpo@fontana-ai.com

Legal Team: legal@fontana-ai.com