For Customer Data, you are the controller/business and Statfinity is your processor/service provider. These terms satisfy processor obligations under GDPR/UK GDPR/Swiss FADP/CPRA/LGPD/India DPDP (as applicable).

We process Customer Data only on your documented instructions: to provide, secure, support, and maintain the Service, and as required by law. If an instruction appears unlawful, we will notify you where legally permitted.

Personnel authorized to process Customer Data are bound by confidentiality and receive privacy/security training.

We implement appropriate technical and organizational measures, including TLS 1.2+ in transit, AES-256 at rest, RBAC/least-privilege, SSO/MFA options, network isolation (private VPCs, firewalls/WAF/DDoS), secure SDLC, logging/monitoring, vulnerability management, and backups/DR. Controls may be updated without materially reducing protections.

You authorize our use of vetted subprocessors (currently: AWS, Google Cloud Platform, Stripe, Google Workspace/Gmail). We impose data-protection terms no less protective than these and remain responsible for them. We will give 30 days’ notice of material changes (urgent exceptions allowed for security/availability). If you reasonably object, we will work in good faith on a remedy; if unresolved, you may suspend the affected feature or terminate it with a pro-rata refund of prepaid fees for the unused term.

Taking account of the processing, we will assist you with data-subject requests, security obligations, and (where required) DPIAs/consultations, using appropriate technical and organizational measures.

If we become aware of a personal-data breach affecting Customer Data, we will notify your admin without undue delay (target 24–48 hours) with available details (nature, scope, likely consequences, measures taken/proposed).

On termination or written request, we will return or delete Customer Data in our possession within 30 days, and purge backups within ~90 days, unless retention is required by law. You are responsible for your own destinations.

On request, we will provide information necessary to demonstrate compliance (e.g., security overview, policy excerpts, third-party test summaries). Where further audit is required by law, you may conduct a reasonable audit (remote by default) once per 12-month period with 30 days’ notice, during business hours, subject to confidentiality and safe-operations limits. You bear your own costs (and our reasonable support costs if a bespoke on-site audit is required).

If Customer Data is transferred from the EEA/UK/Switzerland to a country without an adequacy decision, we will put in place an approved transfer mechanism (e.g., EU SCCs (2021/914) and the UK Addendum/IDTA). On request, we will execute these modules; until executed, you should avoid routing such data through the Service if a mechanism is legally required.

If we receive a legally binding request for Customer Data from public authorities, we will notify you before disclosure (unless legally prohibited), challenge overbroad requests where reasonable, and disclose only the minimum required.

If these Integrated Terms conflict with the rest of the Terms regarding Customer Data processing, this Section 4A controls.

“Personal Data,” “processing,” “controller,” and “processor/service provider” have meanings under applicable data-protection laws.

Terms & legal: shantanu@statfinity.com

Security & privacy questions: shipika@statfinity.com