Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

This DPA forms part of and is incorporated into the Fiscana Business Terms of Service. By subscribing to a Fiscana Business plan, the Client agrees to this DPA.

2. Definitions

• Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
• Processing — any operation performed on Personal Data, including collection, storage, use, and deletion.
• Data Subject — the end user of the Client's embedded Fiscana widget who submits a tax query.
• Sub-processor — any third party engaged by Fiscana to process Personal Data on Fiscana's behalf.
• Services — the Fiscana B2B white-label tax information widget and associated dashboard.

3. Nature, Purpose, and Duration of Processing

Nature

Fiscana processes Personal Data solely to deliver the Services — answering tax queries submitted through the Client's embedded widget and providing the Client with usage analytics via the Fiscana dashboard.

Purpose

The purpose of processing is the provision of AI-assisted Portuguese tax information as instructed by the Client. Fiscana will not process Personal Data for any purpose beyond delivery of the Services without the Client's prior written consent.

Duration

Processing continues for the duration of the Client's active subscription. Upon termination, Fiscana will delete or anonymise all Personal Data within 90 days, in accordance with Fiscana's data retention policy.

4. Categories of Data Processed

Fiscana processes the following categories of Personal Data on behalf of the Client:

• Tax query content submitted by the Data Subject via the widget
• Session identifiers (anonymised, not linked to a named individual)
• Language preference (Portuguese or English)
• Approximate timestamp of query submission

5. Obligations of Fiscana as Processor

Fiscana agrees to:

• Process Personal Data only on documented instructions from the Client, including those in this DPA and the Terms of Service.
• Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
• Implement appropriate technical and organisational security measures as required by GDPR Article 32.
• Notify the Client without undue delay upon becoming aware of a Personal Data breach affecting the Client's data.
• Assist the Client in fulfilling obligations to respond to Data Subject requests (access, rectification, erasure) to the extent technically possible.
• Delete or return all Personal Data upon termination of the Services, at the Client's choice, within 90 days.
• Make available all information necessary to demonstrate compliance with GDPR Article 28 and allow for audits conducted by the Client or a mandated auditor, with reasonable notice.

6. Sub-processors

The Client grants Fiscana general authorisation to engage the following sub-processors. Fiscana will notify the Client of any intended changes to this list, giving the Client the opportunity to object.

• Anthropic, PBC — AI language model processing (Claude API). EU Data Processing Agreement in place. Data not used to train Anthropic models.
• Supabase, Inc. — Database and authentication. Data hosted in EU region (Frankfurt, Germany).
• Hostinger, UAB — Web hosting. EU infrastructure.

All sub-processors are required by contract to provide the same level of data protection as set out in this DPA.

7. International Data Transfers

Fiscana stores all Personal Data within the European Union. Where sub-processors may process data outside the EU (for example, during AI inference via the Anthropic API), such transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission, or an equivalent adequacy mechanism.

8. Security Measures

Fiscana implements the following technical and organisational measures to protect Personal Data:

• HTTPS encryption in transit on all endpoints
• Row-level security on all database tables via Supabase
• API keys and secrets stored server-side only — never exposed in client-side code
• Conversation content automatically anonymised after 90 days
• Access to production systems restricted to authorised personnel only

9. Obligations of the Client as Controller

The Client agrees to:

• Ensure there is a lawful basis for processing Personal Data collected via the Fiscana widget on the Client's website.
• Provide Data Subjects with appropriate privacy notices informing them that their tax queries are processed by an AI system.
• Not instruct Fiscana to process Personal Data in a manner that would violate applicable law.
• Promptly notify Fiscana of any Data Subject requests that require Fiscana's involvement to fulfil.

10. Data Retention and Deletion

Fiscana retains conversation content (query text and AI response text) for a maximum of 90 days from the date of submission. After 90 days, content is automatically anonymised — the query and response text are permanently deleted and replaced with anonymised metadata.

The following metadata is retained indefinitely as an anonymised statistical record and does not constitute Personal Data: intent category, language, plan type, timestamp, and anonymised session identifier.

Upon termination of the Client's subscription, all Personal Data associated with the Client's account will be deleted within 90 days of the termination date.

11. Liability

Each party shall be liable for any damages caused to Data Subjects or third parties resulting from its own breach of GDPR obligations. Where both parties are responsible for the same damage, liability shall be apportioned according to the degree of fault of each party.

Fiscana's total liability under this DPA shall not exceed the total fees paid by the Client to Fiscana in the three months preceding the event giving rise to the claim.

12. Governing Law and Jurisdiction

This DPA is governed by Portuguese law and the laws of the European Union. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Porto, Portugal.

13. Contact

For questions about this DPA, data subject requests, or to exercise your audit rights, contact: