FullSession – Data Processing Addendum (DPA)

Designed to satisfy GDPR Art. 28 and CCPA/CPRA service provider requirements.

Version: 1.0
Effective date:
Jurisdictions: EU/EEA, UK, Switzerland, US (CCPA/CPRA)
This DPA forms part of the Agreement between FullSession, Inc. (“Processor”/“Service Provider”) and the Customer identified on the applicable Order Form (“Controller”/“Business”). Capitalized terms not defined here have the meanings in the Agreement.

1. Scope & Roles

(a) Roles. For GDPR, Customer is Controller and Provider is Processor. For CCPA/CPRA, Provider is Service Provider.

(b) Customer Personal Data. The subject matter, duration, nature and purpose of processing, types of personal data, and categories of data subjects are described in Annex I.

2. Processing on Instructions

Provider will process Customer Personal Data only on documented, lawful instructions from Customer, including as set forth in the Agreement and this DPA, unless required by law. If Provider is legally required to process, it will inform Customer unless prohibited by law.

3. Confidentiality

Provider will ensure personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

4. Security Measures

Provider will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data as described in Annex II (Security Measures), taking into account the nature, scope, context, and purposes of processing.

5. Sub‑processors

Customer authorizes Provider to engage Amazon Web Services, Inc. (AWS) as a sub-processor for hosting and related infrastructure services for the purposes described in Annex I. Provider will impose data protection obligations on AWS substantially similar to those in this DPA and will remain responsible for AWS’s performance. Provider will give Customer advance notice of material sub-processor changes via email or website and allow objections for reasonable grounds related to data protection.

6. International Transfers; SCCs

Where Provider or its Sub‑processors transfer Customer Personal Data outside the EEA, UK, or Switzerland to a country lacking an adequacy decision, the parties will rely on (as applicable) the EU Standard Contractual Clauses (EU SCCs) (Commission Implementing Decision (EU) 2021/914, Module 2 (Controller → Processor)), and for the UK, the UK IDTA/Addendum, and for Switzerland the FDPIC‑adapted terms, as set forth in Annex III. The SCCs (and applicable addenda) are incorporated by reference and apply only to Restricted Transfers.

7. Data Subject Requests

Taking into account the nature of processing, Provider will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests to exercise data subject rights under Applicable Data Protection Laws.

8. Breach Notification

Provider will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, including information Customer reasonably requires to meet its breach notification obligations.

9. Impact Assessments & Consultations

Provider will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to Provider.

10. Audits

Provider will make available to Customer information necessary to demonstrate compliance with this DPA and, upon reasonable prior notice and during normal business hours, allow audits (including inspections) by Customer or an independent auditor mandated by Customer, provided that such audits occur no more than once annually (unless required by a supervisory authority or following a Personal Data Breach) and are subject to confidentiality and reimbursement of Provider’s reasonable costs.

11. Return or Deletion of Data

Upon termination or expiration of the Agreement, Provider will, at Customer’s choice, delete or return Customer Personal Data and delete existing copies, unless retention is required by law. Operational backups will be destroyed per standard retention cycles.

12. CCPA/CPRA

Provider will not sell or share (as defined by CPRA) Customer Personal Data; will not retain, use, or disclose such data outside the direct business relationship; and will not combine it with other personal data except as permitted by CPRA and this DPA. Provider certifies it understands these restrictions.

13. Liability & Order of Precedence

The limitations of liability in the Agreement apply to this DPA. In case of conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data. In case of conflict between this DPA and the SCCs, the SCCs control.

Annex I – Description of Processing

Scope of processing
  • Subject matter: Provision of the FullSession hosted analytics platform.
  • Duration: Subscription Term plus return/deletion period.
  • Nature & purpose: Collection and analysis of end‑user interaction data (e.g., session replays, heatmaps, events, errors) to provide analytics and support.
  • Categories of data subjects: Customer’s end users/visitors, Customer’s personnel using the Service.
  • Types of personal data: Pseudonymous identifiers; device/browser data; IP addresses (collected by default; may be disabled via configuration toggle); usage events; input field values subject to automatic input field masking; no keystrokes are collected; in‑app feedback content (if used); and support contact information. Customer may configure to limit or exclude data fields. Sensitive data is not intended to be processed unless expressly agreed in writing.
  • Special categories: Not intended.
  • Frequency: Continuous for the Subscription Term.
  • Processing operations: Collection, storage, structuring, analysis, transmission, and deletion as necessary to provide and support the Service.

Annex II – Security Measures (summary)

Technical & Organizational Measures
  • Organizational: Security program with policies; employee background checks where lawful; security & privacy training; role‑based access; least privilege; vendor management.
  • Logical access: SSO/MFA for admin access; unique IDs; access reviews; secure key management.
  • Data protection: Encryption in transit (TLS 1.2+); encryption at rest; data segregation by tenant; secrets management.
  • Development: Secure SDLC; code reviews; dependency scanning; vulnerability management; logging/monitoring; change management.
  • Infrastructure: Hardened cloud environment; network segmentation; firewalls/security groups; DDoS protections provided by cloud provider/CDN.
  • Backups & DR: Regular backups; tested restore procedures; defined RPO/RTO targets.
  • Incident response: Documented IR plan; 24×7 monitoring; breach notification workflow.
  • Physical: Cloud data centers with industry‑standard certifications (e.g., ISO/SOC 2 via provider).
  • Customer controls: Role permissions; data retention/configuration settings; allowlists/filters to avoid capturing sensitive data.
  • Automatic input field masking enabled by default; keystrokes are not collected.
  • Customer‑controlled allow/block rules to prevent capture of specific inputs, including sensitive fields, via Settings.
  • IP addresses collected by default; Customer‑configurable toggle available to disable IP collection.
  • Scope control: No capture of third‑party widgets or external pages where FullSession code is not installed.

Annex III – International Transfers & SCC Details

EU SCCs, UK Addendum, Switzerland

EU SCCs: The parties rely on the EU Commission Implementing Decision (EU) 2021/914, Module 2 (Controller → Processor) (“EU SCCs”). The EU SCCs are incorporated by reference and apply only to Restricted Transfers.

  • Clause 7 (Docking): Enabled.
  • Clause 9 (Sub-processors): Option 2 (General written authorization). Provider will provide prior notice of intended changes to Sub-processors via email or website and provide Customer a 30-day period to object on reasonable grounds related to data protection.
  • Clause 11 (Redress): Not used.
  • Clause 17 (Governing law): Ireland.
  • Clause 18 (Forum & jurisdiction): The courts of Ireland.

EU SCC Annexes: Annex I(A–C) and Annex II of the EU SCCs are satisfied by the information set out in this DPA, including Annex I (Description of Processing) and Annex II (Security Measures). Annex III (List of Sub-processors) is satisfied by the Sub-processors identified in this DPA (and as updated pursuant to Section 5).

UK Transfers: Where UK Restricted Transfers occur, the EU SCCs are amended and supplemented by the UK Addendum to the EU SCCs (the “UK Addendum”) and incorporated by reference. The parties agree that the UK Addendum Tables 1–4 will be completed using the information in the Order Form, the Agreement, and this DPA (including the Annexes), and that the EU SCC selections above apply unless the Order Form specifies otherwise.

Switzerland: Where Swiss Restricted Transfers occur, the EU SCCs apply with the following adaptations: (i) references to the “GDPR” are interpreted as references to the Swiss Federal Act on Data Protection (as applicable); (ii) references to “EU Member St

Entity: FullSession, Inc. • Contact: privacy@fullsession.com • Address: 651 N Broad St, 206, Middletown, DE 19709

Order of precedence: This DPA controls over the Agreement for processing of Customer Personal Data; the SCCs control over this DPA in case of conflict.

© FullSession, Inc. All rights reserved.