Data Processing Agreement

This Data Processing Agreement governs the processing of personal data by Fora on behalf of our customers, in compliance with GDPR and other applicable data protection laws.

Last updated: December 29, 2024

1. Definitions

In this Data Processing Agreement ("DPA"):

  • "Controller" means the entity that determines the purposes and means of processing Personal Data (the Customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (Fora, Inc.).
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by Fora to process Personal Data on behalf of the Controller.
  • "Data Protection Laws" means GDPR, CCPA, and other applicable data protection legislation.

2. Scope and Purpose

This DPA applies to all Processing of Personal Data by Fora on behalf of the Customer in connection with the Fora service.

Subject Matter

Provision of the Fora workflow assistant service, including task extraction, meeting preparation, and AI-assisted search across connected data sources.

Duration

This DPA remains in effect for the duration of the Customer's use of the Fora service, plus the period required to delete or return all Personal Data.

Nature and Purpose

Processing email, calendar, document, and messaging data to extract tasks, generate meeting briefs, and provide AI-assisted answers with citations to source documents.

3. Types of Personal Data

Fora may process the following categories of Personal Data:

  • Identity data: Name, email address, profile information from OAuth authentication
  • Communication data: Email messages, calendar events, and messaging content from connected services (processed in-memory, not stored)
  • Document data: Content from connected document storage services (processed in-memory, not stored)
  • Derived data: Extracted tasks, vector embeddings, and metadata generated from processing
  • Usage data: Logs of service interactions for security and support purposes

4. Categories of Data Subjects

Personal Data processed may relate to:

  • Customer's employees and contractors
  • Customer's contacts appearing in emails, calendars, or documents
  • Other individuals whose data appears in connected sources

5. Processor Obligations

Fora agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 7
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required
  • Delete or return all Personal Data upon termination of services, at the Controller's choice
  • Make available information necessary to demonstrate compliance and allow for audits
  • Notify the Controller without undue delay upon becoming aware of a Personal Data breach

6. Sub-processors

The Controller authorizes Fora to engage Sub-processors for the processing of Personal Data. Fora maintains a current list of Sub-processors at our Sub-Processors page.

Sub-processor Changes

Fora will notify the Controller of any intended additions or replacements of Sub-processors, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the parties will work in good faith to resolve the objection.

Sub-processor Contracts

Fora ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

7. Security Measures

Fora implements the following technical and organizational measures to protect Personal Data:

  • Encryption at rest: AES-256 encryption for all stored data
  • Encryption in transit: TLS 1.2+ enforced on all connections
  • Access control: Role-based access with least-privilege principles; OAuth-only authentication
  • Tenant isolation: PostgreSQL row-level security enforced on all tenant-scoped data
  • Zero-retention architecture: Raw content is processed in memory and discarded; only derived data (embeddings, tasks) is stored
  • Token protection: OAuth tokens encrypted with per-tenant key material
  • Audit logging: All data access logged with user, source, and purpose
  • Incident response: 24/7 monitoring with defined incident response procedures

For detailed security information, see our Security Overview.

8. Data Subject Rights

Fora will assist the Controller in fulfilling data subject requests:

  • Right of access: Export functionality for user data
  • Right to rectification: Users can update profile information via OAuth re-authentication
  • Right to erasure: Account deletion removes all Personal Data within 30 days
  • Right to data portability: Data export in machine-readable format
  • Right to restrict processing: Users can disconnect individual data sources

9. International Transfers

Personal Data may be transferred to and processed in the United States. For transfers from the European Economic Area, United Kingdom, or Switzerland, Fora relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Additional technical measures (encryption, access controls) to supplement transfer mechanisms

The SCCs are incorporated by reference into this DPA. Upon request, Fora will execute the SCCs with the Controller.

10. Audit Rights

Upon reasonable notice and subject to confidentiality obligations, Fora will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller
  • Provide SOC 2 Type II reports (when available) and other relevant certifications

Audits shall be conducted during regular business hours with reasonable advance notice and shall not unreasonably disrupt Fora's operations.

11. Data Breach Notification

In the event of a Personal Data breach, Fora will:

  • Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of the breach
  • Provide information about the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
  • Cooperate with the Controller in investigating and mitigating the breach
  • Document all breaches including facts, effects, and remedial actions

12. Term and Termination

This DPA remains in effect for the duration of the Agreement between the parties. Upon termination:

  • Fora will delete all Personal Data within 30 days, unless retention is required by law
  • Upon request, Fora will certify in writing that all Personal Data has been deleted
  • The Controller may request data export before deletion

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws.

14. Contact

For questions about this DPA or to request execution: