Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between Fipera Trading F.Z.E, a Free Zone Establishment registered in Ajman Free Zone, United Arab Emirates (“Processor”, “Fipera”, “we”, “us”) and the enterprise customer identified in the applicable order form (“Controller”, “Customer”, “you”).
This DPA applies when Fipera processes Personal Data on behalf of Customer in connection with the neo-fashion.ai platform (“Service”). It supplements the Terms of Service and Privacy Policy. Where this DPA conflicts with an executed enterprise order form, the order form prevails.
Enterprise customers may request a countersigned copy during onboarding. Contact legal@neofashion.ai.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person processed by Fipera on behalf of Customer through the Service.
“Processing” has the meaning given in applicable data protection law (including the EU GDPR and UK GDPR where relevant).
“Sub-processor” means a third party engaged by Fipera to process Personal Data on behalf of Customer.
“Data Subject” means the individual to whom Personal Data relates.
“Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed by Fipera on behalf of Customer.
Other capitalised terms have the meanings in the Terms or Privacy Policy.
2. Roles and scope
2.1 Controller and Processor. Customer is the Controller of Personal Data it submits to the Service (including workspace member accounts, uploaded assets containing identifiable individuals, and billing contacts). Fipera is the Processor, except where Fipera acts as Controller for its own account administration, billing, and marketing — as described in the Privacy Policy.
2.2 Subject matter. Processing is limited to providing the Service: authentication, workspace management, AI generation, storage, support, and related operations described in the order form.
2.3 Duration. Processing continues for the term of the subscription or order form and until Personal Data is deleted in accordance with Section 12.
3. Categories of data and data subjects
| Category | Examples | Data subjects |
|---|---|---|
| Account data | Name, email, role, workspace membership | Customer’s employees and contractors |
| Usage data | Generation logs, module usage, IP address, timestamps | Same |
| Content data | Uploaded images, prompts, personas (may include likenesses) | Customer’s models, talent, staff (as applicable) |
| Billing data | Company name, billing address, tax ID | Customer’s finance contacts |
Customer is responsible for providing appropriate notices and obtaining lawful bases and consents from Data Subjects before submitting Personal Data to the Service.
4. Processor obligations
Fipera shall:
4.1 Process Personal Data only on documented instructions from Customer, including via configuration of the Service, except where required by applicable law (in which case Fipera will inform Customer unless prohibited);
4.2 Ensure personnel authorised to process Personal Data are bound by confidentiality obligations;
4.3 Implement appropriate technical and organisational measures to protect Personal Data, as described in Section 7 and our Security page;
4.4 Not sell Personal Data or use it for advertising profiles unrelated to providing the Service;
4.5 Assist Customer, taking into account the nature of processing, with Data Subject requests (access, rectification, erasure, restriction, portability, objection) by appropriate technical and organisational measures, where applicable law requires;
4.6 Assist Customer with data protection impact assessments and prior consultations with supervisory authorities where required, to the extent information is available to Fipera;
4.7 Delete or return Personal Data upon termination as set out in Section 12, unless retention is required by law.
5. Sub-processors
5.1 Customer authorises Fipera to engage Sub-processors listed in our Sub-Processor List. Fipera imposes data protection obligations on Sub-processors substantially similar to this DPA.
5.2 Fipera will provide notice of new Sub-processors (for example, by updating the Sub-Processor List and notifying enterprise contacts). Customer may object on reasonable grounds relating to data protection within fourteen (14) days of notice. If the parties cannot resolve the objection, Customer may terminate the affected Service component.
5.3 Fipera remains liable for Sub-processor performance to the extent required by applicable law.
6. International transfers
6.1 Personal Data may be processed in the United Arab Emirates, the United States, the European Union, and other locations where Sub-processors operate.
6.2 Where Personal Data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, Fipera will implement appropriate safeguards — such as Standard Contractual Clauses or equivalent mechanisms — as required by applicable law. Details are available on request.
7. Security measures
Fipera maintains measures including, as applicable:
- Encryption in transit (TLS) and encryption at rest for stored objects;
- Row-level security and workspace isolation in the database layer;
- Access controls and least-privilege administration;
- Logging and monitoring (including error tracking via Sentry);
- Regular review of Sub-processor security practices.
Customer is responsible for securing its accounts, API keys, and member access. See the Acceptable Use Policy.
8. Security incidents
8.1 Fipera will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data, and in any event within seventy-two (72) hours where feasible and required by applicable law.
8.2 Notification will describe the nature of the incident, likely consequences, and measures taken or proposed. Fipera will cooperate with Customer’s reasonable investigation and regulatory notification obligations.
9. Audits
9.1 Upon reasonable written request, no more than once per twelve (12) months, Customer may request information necessary to demonstrate compliance with this DPA.
9.2 Fipera may satisfy audit requests through third-party certifications, penetration test summaries, or security questionnaires rather than on-site inspection, except where mandatory law requires otherwise.
10. Liability
Liability under this DPA is subject to the limitation of liability in the Terms or enterprise order form. Nothing in this DPA limits either party’s liability where limitation is prohibited by applicable data protection law.
11. Order of precedence
In case of conflict: (1) executed enterprise order form; (2) this DPA; (3) Terms of Service; (4) Privacy Policy.
12. Return and deletion
Upon termination or expiry of the Service, Customer may export Customer Content within the retention window stated in the Terms. Thereafter, Fipera will delete or anonymise Customer Personal Data from production systems within ninety (90) days, except where retention is required by law or for legitimate backup cycles (backups are deleted on a rolling schedule).
13. Contact
Data protection inquiries: privacy@neofashion.ai
Legal / DPA requests: legal@neofashion.ai
Postal: Fipera Trading F.Z.E, Ajman Free Zone, United Arab Emirates