Data Processing Agreement

Last Updated: March 14, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between FastingTimer ("we", "us", "our", "Processor") and the user ("you", "your", "Controller") (collectively, the "Parties").

This DPA applies to the processing of personal data by FastingTimer on behalf of the user in connection with the services provided by FastingTimer.

The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Service. Except as modified below, the terms of the Terms of Service shall remain in full force and effect.

2. Definitions

For the purposes of this DPA, the following terms shall have the following meanings:

  • "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • "Data Protection Laws" means all applicable laws and regulations regarding the processing of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable, the GDPR.
  • "Personal Data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any Processor engaged by FastingTimer to process Personal Data on behalf of the user.

3. Processing of Personal Data

FastingTimer shall process Personal Data only on documented instructions from the user, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which FastingTimer is subject; in such a case, FastingTimer shall inform the user of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The user instructs FastingTimer to process Personal Data for the following purposes:

  • Providing the services to the user as described in the Terms of Service;
  • Processing initiated by users in their use of the services;
  • Processing to comply with other documented reasonable instructions provided by the user where such instructions are consistent with the terms of the Terms of Service.

4. Confidentiality

FastingTimer shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

FastingTimer shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others:

  • The pseudonymization and encryption of Personal Data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

6. Sub-processing

The user acknowledges and agrees that FastingTimer may engage third-party Sub-processors in connection with the provision of the services. FastingTimer shall ensure that its contract with each Sub-processor contains substantially the same data protection obligations as set out in this DPA.

FastingTimer shall maintain a list of current Sub-processors for the services, including the identities of those Sub-processors and their country of location. FastingTimer shall provide the user with a mechanism to subscribe to notifications of new Sub-processors for each service, to which the user shall subscribe, and if the user subscribes, FastingTimer shall provide the notification to the user before authorizing any new Sub-processor to process Personal Data in connection with the provision of the applicable services.

In order to exercise its right to object to FastingTimer's use of a new Sub-processor, the user shall notify FastingTimer promptly in writing within ten (10) business days after receipt of FastingTimer's notice. In the event the user objects to a new Sub-processor, and that objection is not unreasonable, FastingTimer will use reasonable efforts to make available to the user a change in the services or recommend a commercially reasonable change to the user's configuration or use of the services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the user. If FastingTimer is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the user may terminate the applicable services which cannot be provided by FastingTimer without the use of the objected-to new Sub-processor by providing written notice to FastingTimer.

7. Data Subject Rights

FastingTimer shall, to the extent legally permitted, promptly notify the user if it receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure ("right to be forgotten"), data portability, right to object to the processing, or its right not to be subject to automated individual decision-making ("Data Subject Request"). Taking into account the nature of the processing, FastingTimer shall assist the user by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the user's obligation to respond to a Data Subject Request under Data Protection Laws.

8. Data Protection Impact Assessment

Upon the user's request, FastingTimer shall provide the user with reasonable cooperation and assistance needed to fulfill the user's obligation under the GDPR to carry out a data protection impact assessment related to the user's use of the services, to the extent the user does not otherwise have access to the relevant information, and to the extent such information is available to FastingTimer.

9. Return or Deletion of Personal Data

Upon termination of the services, FastingTimer shall, at the choice of the user, delete or return all the Personal Data to the user, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

10. Audit Rights

FastingTimer shall make available to the user all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the user or another auditor mandated by the user.

11. International Transfers

FastingTimer may transfer and process Personal Data to and in other locations around the world where FastingTimer or its Sub-processors maintain data processing operations. FastingTimer shall ensure that such transfers are made in compliance with the requirements of Data Protection Laws.

12. Changes to This DPA

FastingTimer may change this DPA at any time by posting a revised version on our website or by otherwise notifying the user in accordance with the Terms of Service. The revised version will be effective at the time FastingTimer posts it or, if FastingTimer provides notice by email, as stated in the email message. By continuing to use the services after the effective date of any change to this DPA, the user agrees to be bound by the revised DPA.

By using our website and services, you acknowledge that you have read and understood this Data Processing Agreement.