Data Processing Agreement
(hereinafter: "DPA")
1. Introduction & Definitions
1.1. DPA and its purpose
The DPA is an agreement that applies to the Processing of Customer Data (to the extent it constitutes Personal Data) by Firnity on behalf of a User, where the User determines the purposes and means of Processing and Firnity Processes such data as a Processor within the meaning of the GDPR.
This DPA is intended to satisfy the requirements of Article 28(3) GDPR for Processing performed by Processor as a Processor.
Processing performed by Service Provider as an independent controller (for example Account Data processing described in the Privacy Policy) is not governed by this DPA.
1.2. Parties of DPA
1.2.1. Any User (natural person or legal entity) that purchases a Subscription, accesses, or uses Application and acts as data controller for Customer Data processed through the Services, who is a Data Controller within the meaning of GDPR;
1.2.2. Firnity (full business name: Łukasz Wiatrak Firnity) (the "Service Provider") with its registered office at ul. Zamknięta 10, lok. 1.5, 30-554 Kraków, Poland, having Tax Identification Number (NIP): 5130127144 and Statistical Number (REGON): 520124248, who is a Data Processor within the meaning of GDPR.
Controller and Processor are collectively referred to as the "Parties" and individually as a "Party."
1.3. Definitions
1.3.1. Customer Data: has the meaning given in the Terms of Use; for this DPA, it covers the portion of such data that is Personal Data processed by Processor on behalf of Controller in connection with the Services.
1.3.2. Sub-Processor: any third party engaged by Processor to Process Customer Data on behalf of Controller.
1.3.3. Aggregated and/or Anonymized Data: data derived from use of the Services that does not identify, and cannot reasonably be used to identify, Controller, any data subject, or any individual user/device.
1.4. Integration with other documents
This DPA forms part of Agreement entered into between Parties for Controller's use of Application. In the event of a conflict:
- this DPA prevails for Processing of Customer Data where Processor acts as processor under Article 28 GDPR;
- Terms of Use prevail for commercial or operational matters not related to Processing of Customer Data under this DPA; and
- Privacy Policy is a transparency notice and applies to Processing where Service Provider acts as independent controller (including Account Data), but does not override this DPA for processor Processing.
Capitalized terms not defined in this DPA have the meanings given in the Terms of Use and/or GDPR (as applicable). In case of conflict, this DPA prevails for Processing of Customer Data under Article 28 GDPR.
1.5. DPA communications and documented instructions
1.5.1. Unless Parties agree otherwise in writing, Controller will send notices, requests, objections, and documented instructions under this DPA to contact@firnity.com.
1.5.2. Processor may send notices under this DPA to the account-owner email address associated with Controller's account in the Services, or another email address designated by Controller in writing.
1.5.3. Processor may rely on requests and instructions submitted through the Services' account controls, configuration settings, and authenticated support channels as documented instructions, provided the request is made by an authorized user of Controller's account.
2. Subject of DPA
Details of Processing (Article 28(3) GDPR)
Subject-matter: provision of NotiCord integration Services between Controller-selected Third-Party Platforms (Discord and Notion).
Duration: for the term of Agreement and until deletion or return is completed under Section 3.3.8.
Nature of Processing: receiving, transmitting, storing (where applicable), retrieving, consulting, logging delivery events, and other operations necessary to provide and secure Services.
Purpose: providing and securing Services as described in Section 2.2, including Diagnostics and Automated Remediation limited to restoring connectivity/configuration.
Types of Customer Data and categories of data subjects: as described in Sections 2.1 and 2.5 of this DPA.
2.1. Categories of data subjects (scope of entrustment)
Controller entrusts Processor with Processing of Customer Data relating to data subjects whose data is processed through Services at Controller's instruction, including in particular:
- members/users of Controller-controlled Discord servers who submit messages, commands, or other inputs processed by the integration;
- members/users of Controller-authorized Notion workspaces whose content or identifiers are processed by the integration; and
- Controller's Personnel and other persons to whom Controller grants access to Services.
2.2. Purpose of Processing
Processor is entitled to Process entrusted Customer Data only during the time that Controller uses Application in accordance with Terms of Use for the purposes described in Terms of Use, and in particular to enable proper use of Application and provide access to Services, in particular to:
2.2.1. Provide core functionalities of Application, including the integration, communication, and task management features between Discord and Notion;
2.2.2. Maintain and troubleshoot Application functionality and reliability for Controller's use of Services;
2.2.3. Ensure operational security, performance, and compliance with legal obligations related to data protection and Application's use;
2.2.4. Diagnostics & Reliability. To keep the Services secure and reliable, Processor performs Diagnostics and Automated Remediation as defined in the Terms of Use, and only on Controller's documented instructions under this DPA.
2.2.5. Provide support and troubleshooting requested by Controller, including review and handling of support communications submitted by Controller through support channels (such as email, support portal, or in-app support form) to the extent such communications include Customer Data. Where support tooling processes such Customer Data, that provider acts as a Sub-Processor and must be listed on the Sub-Processors page referenced in Section 5.3.
2.2.6. Review service logs, diagnostics data, and incident telemetry that may contain Customer Data and, where necessary, retrieve limited Customer Data from Controller-connected Notion/Discord integrations, only to the extent necessary for support, troubleshooting, incident response, security, and reliability of Services provided to Controller.
2.2.7. Generate and use Aggregated and/or Anonymized Data derived from stored service-operational data for security, benchmarking, and service improvement, provided such data does not identify Controller, any data subject, or any individual user/device, and Processor does not attempt re-identification. Data that remains personal data remains Customer Data and is processed only on Controller's documented instructions under this DPA.
2.3. Methods of Processing
Processing is carried out primarily using IT systems. Any manual access to Customer Data is limited to what is necessary for support, incident response, security, or maintenance, subject to appropriate access controls and confidentiality obligations.
2.4. The scope of Processing
Processing of Customer Data will include recording, organizing, structuring, storing, retrieving and consulting Customer Data.
2.5. The scope of Customer Data entrusted for Processing may include (depending on Controller configuration and features used):
2.5.1. Notion data
- User identifiers (such as account IDs and display names) processed from Controller's Notion workspace to enable the integration.
- Page content and workspace metadata (such as page titles, properties, comments, and other field values) processed as part of Controller-configured Notion actions.
2.5.2. Discord data
- Messages, command inputs, user identifiers/usernames, attachments, and server/channel identifiers, to the extent processed by the integration based on Controller configuration.
2.5.3. Operational metadata
- Integration and delivery metadata: identifiers, timestamps, configuration identifiers, diagnostics records, and integration authorization credentials required to execute Controller-configured actions (for example connected Notion workspace access credentials), to the extent necessary to operate, troubleshoot, and secure the Services.
2.5.4. Support communications (where provided by Controller)
- Support request content, message metadata, and attachments submitted by Controller via support channels where such submissions include Customer Data.
2.6. Data Processing period and further proceeding
Processor will Process Customer Data for the duration of Controller's use of Application, for as long as necessary to fulfil obligations under Terms of Use and this DPA, or as required by applicable law. Upon termination or at Controller's request, Processor will delete or return Customer Data as required under this DPA and applicable law, unless applicable law requires storage.
2.7. Documented instructions
By creating an account and connecting Discord/Notion to the Services, Controller provides documented instructions authorising the Processing necessary to provide, secure, and maintain the Services, including Diagnostics and Automated Remediation as described in this DPA.
If Controller withdraws instructions for Processing that is necessary to provide, secure, and maintain the Services (including Diagnostics and Automated Remediation), Processor may be unable to provide affected Services and may suspend or terminate affected Services in accordance with the Agreement.
Controller's use of Services (including submitting support requests) and configuration of settings/features (including integration settings, routing rules, mappings, and destination selections) constitutes Controller's documented instructions for Processing described in Section 2.
Controller's instruction includes transfers to Third-Party Platforms configured by Controller. Controller is responsible for ensuring lawfulness of such transfers under GDPR Chapter V, including implementing or accepting appropriate transfer safeguards made available by the relevant Third-Party Platform and providing required disclosures to data subjects.
For clarity, Processor may use telemetry and diagnostics tooling (including approved Sub-Processors listed under Section 5.3, where applicable) to process Customer Data strictly on Controller's documented instructions for the purposes in Sections 2.2.4-2.2.6.
Processor's independent product-behavior analytics under Section 2.2.7 remains limited to Aggregated and/or Anonymized Data.
Discord and Notion are Third-Party Platforms selected by Controller and are not Sub-Processors engaged by Processor under this DPA.
3. Declarations and Obligations of Processor
3.1. Technical and organisational measures of Processor
Processor declares that it provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that Processing of Customer Data entrusted under Agreement complies with the requirements of GDPR and protects rights of data subjects.
3.2. Controller's instructions
Processor Processes Customer Data only on documented instructions from Controller, as outlined in this DPA and Terms of Use, if Controller decides to provide them. By accepting these agreements, Controller provides instruction to Processor to Process Customer Data for the purposes stated in Section 2 of DPA, including delivering, maintaining, and troubleshooting Application and Services, as well as fulfilling applicable legal obligations.
3.3. General declarations and obligations
Processor agrees to Process Customer Data entrusted to it in accordance with DPA, Terms of Use and law, including GDPR, and in particular Processor:
3.3.1. Processes Customer Data only on documented instructions from Controller, including with regard to transfers of Customer Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Processor is subject; in such case, Processor informs Controller of that legal requirement before Processing, unless law prohibits such information on important grounds of public interest;
3.3.2. Ensures that persons authorised to Process Customer Data are adequately trained in data protection and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.3.3. Takes all measures required pursuant to Article 32 GDPR;
3.3.4. International transfers. Processor does not transfer Customer Data to countries outside the EEA and/or the United Kingdom and Switzerland except:
(a) on Controller's documented instructions, including user-directed transfers to Third-Party Platforms configured by Controller; (b) through authorized Sub-Processors under Section 5; or (c) where required by Union or Member State law to which Processor is subject, in which case Processor informs Controller before Processing unless law prohibits such information on important grounds of public interest.
Where a transfer under (b) requires a transfer mechanism under GDPR Chapter V, Processor ensures appropriate safeguards are in place with the relevant Sub-Processor (for example adequacy decisions where applicable and/or contractual safeguards such as Standard Contractual Clauses, with supplementary measures as appropriate).
For user-directed transfers to Third-Party Platforms selected by Controller (including Discord and Notion), Controller remains responsible for determining and documenting the GDPR Chapter V position for its use of those platforms. Processor's role is limited to executing Controller's documented instructions and transmitting data securely within the permissions and configurations chosen by Controller;
3.3.5. Ensures that implemented measures for protection of Customer Data are periodically tested, measured, and evaluated, as appropriate to the nature of the Services and the risks of the Processing.
3.3.6. Taking into account the nature of the Processing, assists Controller, by appropriate technical and organisational measures, for the fulfilment of Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of GDPR. For requests received directly by Processor, Processor will, where legally permitted, notify Controller without undue delay and will not respond except on Controller's documented instructions or as required by applicable law;
3.3.7. Taking into account the nature of Processing and the available information, assists Controller in ensuring compliance with obligations under Articles 32 to 36 GDPR.
This includes assistance for security, breach assessment support, DPIAs, and prior consultations, by providing information reasonably available to Processor about Services, Sub-Processors, and transfers (if any) under this DPA.
For clarity, Processor does not control and may not have visibility into the internal processing practices of Third-Party Platforms selected by Controller (including Discord and Notion), and does not provide TIAs for those platforms beyond information about data flows implemented by Services at Controller's instruction.
For non-standard assistance under Sections 3.3.6 and 3.3.7, Processor uses information and resources reasonably available to Processor and acts proportionately to the nature of Services. If Controller requests assistance requiring substantial additional work beyond standard operation of Services (for example extensive bespoke documentation, questionnaires, or participation in meetings beyond what is reasonably necessary), Processor may charge reasonable fees for such assistance, provided Processor informs Controller of such fees in advance where practicable;
3.3.8. After the end of provision of services relating to Processing, Processor will, at Controller's choice, delete or return all Customer Data to Controller without undue delay, unless EU or Member State law requires storage of all or some Customer Data.
If Controller does not provide the choice to delete or return within 30 days after termination, Processor will delete Customer Data in accordance with the Services' standard deletion process, unless EU or Member State law requires storage.
Return applies only to Customer Data stored or otherwise controlled by Processor as part of Services. Customer Data stored in Third-Party Platforms selected by Controller remains under Controller's control in those platforms.
Return will be provided, to the extent technically feasible, via the Services' standard export or retrieval functionality (if available) and/or in a commonly used machine-readable format selected by Processor. Processor is not required to create bespoke exports, custom reports, or custom data extracts beyond what is technically available in the Services.
Deletion may be subject to legal hold and backup retention, and backup copies are overwritten in the ordinary course of backup rotation;
3.3.9. Information and audits. Processor makes available to Controller the information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, and enables and contributes to audits, including inspections, conducted by Controller or an auditor mandated by Controller.
Processor may satisfy audit requests by providing reasonable documentation and evidence (for example applicable policies, procedures, summaries of security controls, and third-party audit reports or certifications where available), and may restrict or redact information where reasonably necessary to protect confidentiality and security of other customers and Processor's systems.
Audits shall be:
- limited to Processing of Customer Data under this DPA;
- conducted no more than once per 12 months, unless required by Supervisory Authority or following a material security incident affecting Customer Data;
- subject to at least 15 business days' prior written notice, unless a shorter period is required by Supervisory Authority or is reasonably necessary due to an incident;
- conducted during normal business hours and in a manner that does not unreasonably interfere with Processor's operations or compromise security of other customers;
- conducted remotely first, while on-site inspections may be conducted where reasonably necessary (for example where remote audit is not sufficient or Supervisory Authority requires on-site inspection), and Processor will not unreasonably withhold on-site access but may require reasonable scope limitations and security measures; and
- carried out by Controller or independent auditor that is not a direct competitor of Processor and is bound by confidentiality.
Controller bears its own audit costs. If Controller requests assistance beyond standard documentation and reasonable cooperation, Processor may charge reasonable fees agreed in advance.
3.3.10. Documents all personal data breaches involving Customer Data, including details of breach, its effects, and remedial actions taken. This documentation is made available to Controller upon request;
3.3.11. Cooperates with Controller for proper Processing of Customer Data, in particular to communicate with Supervisory Authorities;
3.3.12. Confidentiality. Processor keeps Customer Data confidential and does not disclose Customer Data except:
- to authorized personnel bound by confidentiality;
- to approved Sub-Processors under Section 5 as necessary to provide Services; or
- where required by applicable law or binding request from competent authority.
Parties may disclose this DPA as reasonably necessary for compliance, audits, or legal advice, subject to confidentiality where appropriate.
3.3.13. Notifies Controller, once Processing of Customer Data under DPA has been completed, of any legal requirement to retain some or all Customer Data, unless prohibited by law;
3.3.14. Promptly informs Controller if, in Processor's opinion, an instruction from Controller infringes GDPR or other applicable data-protection law.
3.4. Notification of Personal Data breach
Processor shall notify Controller without undue delay after becoming aware of a personal data breach involving Customer Data.
Where feasible, Processor aims to provide an initial notification within 48 hours of awareness. Initial notification may be provided in phases as information becomes available, without undue further delay.
Notifications will include information reasonably available to Processor to assist Controller in meeting obligations under Articles 33 and 34 GDPR. Processor reasonably cooperates with Controller in investigating, mitigating, and remedying such breach.
Any timing stated in this Section 3.4 is a cooperation target and not a service-level guarantee, and does not limit the "without undue delay" standard under applicable law.
4. Declarations and Obligations of Controller
4.1. Lawfulness of Processing
Controller shall ensure that all Customer Data provided to Processor has been collected and is Processed in compliance with GDPR and other applicable data protection laws. This includes:
4.1.1. Lawful basis: ensuring there is a valid lawful basis for Processing Customer Data (including obtaining consent where required), and ensuring Processing complies with applicable law;
4.1.2. Providing Information to Data Subjects: informing data subjects about how their Customer Data will be used, their rights under data protection laws, and any other information required by law, and determining purposes and means of Processing within use of Application.
4.2. Instructions to Processor
Controller is responsible for providing clear, documented instructions to Processor regarding Processing of Customer Data, as specified in this DPA and Terms of Use. Controller warrants that all instructions are lawful and comply with applicable data protection laws. Controller immediately informs Processor if instructions are amended or if Controller believes instruction infringes GDPR or other applicable data protection provisions.
Controller may choose not to provide additional instructions. In that case Processor, while Processing, follows DPA, Terms of Use, and applicable law, especially GDPR.
4.3. Accuracy and Data Minimization
Controller ensures that Customer Data provided to Processor is accurate, complete, and up-to-date. Controller will only provide Customer Data necessary for Processor to perform Services, adhering to principle of data minimization.
4.4. Responding to Data Subject Requests
Controller is responsible for managing and responding to requests from data subjects concerning their personal data under GDPR. Processor assists Controller, to the extent possible and within scope of Application.
4.5. Compliance with Third-Party Policies and Data Transfers
Controller declares that, by accepting Terms of Use and this DPA, it acknowledges that Application's functionality and provision of Services may involve transfer of Customer Data (such as user display names, messages, and content) to third-party platforms, including Discord and Notion. Controller is responsible for ensuring such transfers comply with applicable data protection laws and policies/terms of those third-party platforms.
Once Customer Data is transferred to third-party platforms, Processor has no control over further Processing and is not liable for data handling, storage, or security practices by those platforms. Controller assumes responsibility for compliance of such transfers and subsequent Processing with relevant legal and policy requirements of those platforms.
4.6. Indemnification (Business Users only)
This Section 4.6 applies only where the Controller is a Business User.
The Controller shall indemnify and hold harmless Processor against any claims, damages, losses, liabilities, costs, and expenses arising from Controller's breach of its obligations under this DPA or applicable data protection laws, to the extent permitted by applicable law.
4.7. Support communication minimization
Controller should avoid sharing unnecessary Customer Data in support communications and, where possible, use structured support channels and limit shared data to what is needed for troubleshooting.
4.8. Processing of children's personal data
Controller acknowledges that Customer Data may include personal data relating to minors depending on Controller's configuration and content in Controller-selected Third-Party Platforms (Discord/Notion).
Controller remains responsible for ensuring that its Processing of children's personal data (including providing required notices and obtaining any required authorizations/consents, where applicable) complies with GDPR and other applicable law. Processor processes such data only on Controller's documented instructions under this DPA, including documented instructions given through Controller's use of Services and configuration of settings/features described in Section 2.
4.9. Prohibited Data
Controller will not instruct Processor to Process special categories of data under Article 9 GDPR or other Prohibited Data as described in Terms of Use.
5. Sub-Processing
5.1. Authorization to entrust data to Sub-processors
Controller gives Processor a general authorization to engage third parties (Sub-Processors) for Processing of Customer Data.
5.2. The scope of Processing by Sub-processors
Processing by Sub-Processors may be performed to provide Application and related Services under DPA and Terms of Use, in particular to exchange data between Discord and Notion, operate core integration functionality, and process Controller-submitted support communications where needed for troubleshooting. Customer Data will be provided to Sub-Processors only to the extent necessary and justified under Section 2 of DPA.
5.3. List of Sub-processors
Processor is entitled to entrust Customer Data for Processing to parties listed in the sub-page "Sub-Processors" available at Sub-Processors.
5.4. Declarations and Obligations of Processor
Processor:
5.4.1. Informs Controller of any intended changes concerning the addition or replacement of Sub-Processors in advance, thereby giving Controller the opportunity to object.
Unless an urgent change is required for legal compliance, security, fraud-abuse prevention, or incident response, Processor will provide such notice at least 30 days before the effective date. Notice may be provided by updating the Sub-Processors page referenced in Section 5.3 and by email and/or in-application notice to the account owner;
5.4.2. Ensures that all Sub-Processors comply with the obligations set out in this DPA and applicable data protection laws, in particular that they provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of DPA and GDPR;
5.4.3. Entrusts Sub-Processors only with data to the necessary and justified extent under Section 2 of DPA.
5.4.4. Enters into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(3) and 28(4) GDPR.
5.5. Objection to Sub-Processor changes
Controller may object to an intended addition or replacement of Sub-Processor by providing written notice within 30 days of receiving notice of change, stating reasonable grounds related to data protection.
If Controller objects, Parties will discuss in good faith. If Processor cannot reasonably provide Services without the Sub-Processor, Controller may terminate affected Services (or Agreement) without penalty, effective at the end of the current billing period.
5.6. Liability for Sub-Processors
Processor remains fully liable to Controller for performance of Sub-Processors' obligations to the same extent as if Processor performed those obligations directly, in accordance with Article 28(4) GDPR.
6. Final Provisions
6.1. Complete agreement
This DPA, together with Terms of Use and annexes incorporated by reference for processor-side data processing (including the Sub-Processors page), constitutes the entire agreement between Controller and Processor concerning processing of Customer Data and supersedes any prior agreements on this subject matter.
Privacy Policy is a transparency notice for processing where Service Provider acts as an independent controller and is not part of the contractual processor arrangement under this DPA.
6.2. Governing law
DPA is governed by the laws of Poland.
6.3. Dispute resolution and jurisdiction
Parties shall make an effort to settle any disputes arising during the term of and in relation to this DPA amicably.
In the event of failure to resolve a dispute, courts having jurisdiction over Processor's registered office (Kraków, Poland) have jurisdiction, unless mandatory law provides otherwise.
6.4. Change of DPA
Processor may update this DPA from time to time.
(a) Non-material changes (for example typo fixes, formatting, clarifications, and non-substantive edits) may take effect immediately upon publication of the updated DPA.
(b) Material changes will be notified to Controller by email and/or in-application notice with an indicated effective date at least 30 days in advance, unless an urgent change is required for legal compliance, security, fraud-abuse prevention, or incident response (in which case the change may take effect immediately or as required by law, with notice provided as soon as reasonably practicable).
(c) Material changes do not apply retroactively.
(d) If Controller does not agree with a material change, Controller may terminate affected Services (or Agreement) under Terms of Use before the effective date. Changes to Sub-Processors are additionally governed by Sections 5.4 and 5.5 (including objection rights).
6.5. Application of law
To the extent not regulated by DPA, the regulations of Polish law and relevant regulations of international law, in particular GDPR, apply.
6.6. Liability
Any liability arising out of or in connection with this DPA is subject to the liability and limitation provisions set out in Terms of Use, to the maximum extent permitted by applicable law.
6.7. No limitation of data subject rights
Nothing in this DPA limits or excludes rights or remedies available to data subjects under applicable data protection law. Any allocation of liability, indemnities, or limitations in the Agreement apply only between Parties to the extent permitted by applicable law.
Annex 1 - Technical and Organisational Measures (TOMs)
Processor implements appropriate technical and organisational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Measures include, as applicable:
- Encryption in transit (TLS) for data transmitted over public networks.
- Encryption at rest for primary storage systems used for Customer Data where supported by infrastructure. Integration credentials/secrets stored by the Services (where applicable) are stored encrypted at rest.
- Logical access controls (least privilege), including role-based access where applicable.
- Authentication controls for administrative access, including strong authentication for privileged accounts where available.
- Logging and monitoring of security-relevant events to support incident detection and response.
- Change-management practices for production systems, including environment separation where applicable.
- Backup and restore processes intended to support service continuity. Deleted data may persist in backups until backup rotation completes.
- Personnel confidentiality obligations and access limited to authorized persons.
- Vendor-management practices for Sub-Processors, including written agreements under Article 28(4) GDPR.
Processor may update TOMs over time to maintain an appropriate level of security, provided such updates do not materially decrease overall security of the Services.
Last updated: February 17, 2026