At Fame, we believe trust is built on clarity—especially when it comes to how your data is handled. The Fame Data Processing Agreement outlines the standards, responsibilities, and safeguards that guide how we manage, secure, and protect the information you share with us. It supports our commitment to delivering services that are not only effective, but responsible and transparent.
Our goal is to make every part of this agreement easy to understand—no unnecessary legal complexity, no hidden requirements. Transparency is a core value at Fame, and you deserve to know exactly how your data is processed, secured, and supported throughout our partnership.
Last updated: January 30, 2026
This Data Processing Agreement (“DPA”) is subject to and forms part of the Agreement and governs Fame’s and its Affiliates’ Processing of Personal Data.
This DPA governs how the Processor handles personal data while delivering API-based services to the Controller. The Processor may process personal data strictly as necessary to provide the services described in the Agreement and for no other purpose.
Fame as a Data Processor: When Fame processes personal data as a Data Processor, it is acting as a Data Processor on behalf of User, the Data Controller.
Fame as a Data Controller: When Fame processes personal data as a Data Controller it:
The Processor agrees to:
a) Process Data Only as Instructed: Process personal data solely based on documented, written instructions from the Controller, including those outlined in the Agreement.
b) Maintain Confidentiality: Ensure all personnel authorized to process personal data are bound by confidentiality obligations.
c) Implement Robust Security Measures: Maintain appropriate technical and organizational safeguards to protect personal data against unauthorized access, unlawful processing, accidental loss, destruction, or damage.
d) Use Sub-processors Responsibly
e) Support Data Subject Rights: Assist the Controller—through appropriate technical and organizational measures—in fulfilling its responsibilities to respond to data subject requests (e.g., access, correction, deletion).
f) Notify of Security Incidents Promptly: Inform the Controller without undue delay after discovering any personal data breach.
g) Handle Data Securely Upon Termination: Upon termination of the services, either delete or return all personal data to the Controller and erase existing copies unless retention is legally required.
Subject Matter: Processing carried out through the Processor’s API services.
Duration: For the full term of the Agreement.
Nature & Purpose: e.g., Handling API requests to deliver data analytics, connectivity, integrations, or similar functions.
Types of Personal Data: e.g., IP addresses, user identifiers, email addresses, API key metadata.
Categories of Data Subjects: e.g., Users of the Controller’s application or platform.
a) Instructions. User must only provide Instructions to Fame that are lawful;
b) Compliance with DP Law: User must comply with and perform User's obligations under DP Law, including with regard to Data Subject rights, data security and confidentiality, and ensure User has an appropriate legal basis for the Processing of Personal Data as described in the Agreement, including this DPA; and
c) Disclosures: User must provide all necessary notices (including by making available a Privacy Policy) to, and obtain all necessary rights, permissions and consents from, Data Subjects (including Customers), to enable Fame to lawfully Process any Personal Data provided by User as described in the Agreement, including this DPA. User is solely responsible for the content of notices it provides to its Customers.
Fame must comply with and perform its obligations under DP Law when Processing Personal Data, including making available a Privacy Policy that explains how and for what purposes Fame collects, uses, retains, discloses and safeguards Personal Data.
The Processor agrees to provide all necessary information to demonstrate compliance with this DPA and to permit audits or inspections initiated by the Controller or its designated auditor.
Notwithstanding anything to the contrary in the Agreement, including this DPA, Fame and its Affiliates will not be liable for any claim made by a Data Subject arising from or related to Fame’s or any of its Affiliates’ acts or omissions, to the extent that Fame was acting in accordance with User's Instructions.
User acknowledges that in order for Fame to provide the Services, User transfers Personal Data to Fame Marketing in the United States. If the transfer comprises Personal Data that requires a Data Transfer Mechanism, the Data Transfers Addendum, which is incorporated into this DPA, will apply.
Fame and its Affiliates may transfer Personal Data on a global basis as necessary to provide the Services. In particular, Personal Data may be transferred to Fame in the United States and to Fame’s Affiliates and Sub-processors in other jurisdictions.
To the extent of any conflict between the provisions of this DPA and any provision of the:
a) Agreement regarding Personal Data Processing, the provisions of this DPA will prevail; and
b) Data Transfers Addendum, the provisions of the Data Transfers Addendum will prevail.
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
“Agreement” has the meaning given in the Fame services agreement between User and Fame located at www.youneedfame.com/legal, or as otherwise agreed by the parties.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.
“Data Security Measures” means technical and organizational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing.
“Data Subject” means an identified or identifiable natural person to which Personal Data relates.
“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under DP Law, which includes transfer mechanisms that are required under DP Law in the EEA, Switzerland and the UK, such as the Data Privacy Framework, the EEA SCCs, the UK International Data Transfer Addendum and any data transfer mechanism available under DP Law that is incorporated into this DPA.
“DP Law” means Law that applies to Personal Data Processing under the Agreement and this DPA, including international, federal, state, provincial and local Law relating in any way to privacy, data protection or data security.
“GDPR” means General Data Protection Regulation (EU) 2016/679.
“Instructions” means any communication or documentation, including that which may be provided through a Fame API, or Fame Dashboard, or written agreements between User and Fame through which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.
“Joint Controller” means a Data Controller that jointly determines the purposes and means of Processing Personal Data with one or more Data Controllers.
“Personal Data” means any information relating to an identifiable natural person that is Processed in connection with the Services, and includes “personal data” as defined under the GDPR and “personal information” as defined under the CCPA.
“Privacy Policy” means any or all of a publicly posted privacy policy, privacy notice, data policy, cookies policy, cookies notice or other similar public policy or public notice that addresses a party’s Personal Data practices and commitments.
“Process” means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under DP Law. "Processed" and "Processing" have corresponding meanings.
“Sensitive Data” means, to the extent this data is treated distinctly as a special category of Personal Data under DP Law: (a) Personal Data that is genetic data, biometric data, data concerning health, a natural person's sex life or sexual orientation; (b) data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (c) geolocation data; or (d) sensitive personal information as defined under the CCPA.
“Sub-processor” means an entity a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Services.
“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection that has supervisory authority and jurisdiction over User.