Fibr AI is an Agentic Web Experience Platform that transforms website URLs into intelligent, adaptive agents. Each page senses visitor intent, makes decisions, and reshapes itself in real time to deliver personalized web experiences.

Where is Fibr AI headquartered?

Fibr AI is headquartered in Delaware, USA.

Who is Fibr AI built for?

Fibr AI is built for enterprises looking to personalize at scale, growing businesses starting their web optimization journey, and agencies or marketing affiliates looking to optimize websites for their clients.

What problem does Fibr AI solve?

Fibr AI addresses the disconnect where ads, email, and search are hyper-targeted and AI-powered, but website visitors land on the same static page regardless of where they came from. Fibr makes the website itself as intelligent and context-aware as the marketing channels driving traffic to it.

How does Fibr AI personalize web experiences?

Fibr AI uses AI agents combined with human oversight to detect visitor signals, decode intent, and rewrite page experiences in real time. Personalization can be based on ads, location, device, browser, behavioral signals, visit frequency, LLM-sourced traffic, CDP data, CRM data, and custom audiences.

What results does Fibr AI claim to deliver?

Fibr AI claims results including +28% higher ROI from AI-driven personalization, +30% lower customer acquisition cost (CAC) from intent-based targeting, and 4X more leads from personalizing experiences at scale.

What are the pricing plans offered by Fibr AI?

Fibr AI offers three plans: a Starter Plan for growing businesses (up to 1,000 experiences), an Enterprise Plan for large organizations requiring unlimited visitor sessions and unlimited domains/URLs, and an Agency Plan for agencies and marketing affiliates covering 10,000 monthly visitor sessions and 5 unique URLs.

What features are included in the Enterprise plan?

The Enterprise plan includes Web-Journey Personalization, LLM-Traffic Personalization, AI Landing Page Creator, Customized Agentic Workflows, White-Glove Assistance, CDP/CRM and Analytics integration, On-Brand Agent Training, and 24/7 Dedicated Support with unlimited visitor sessions and unlimited domains and URLs.

What security and compliance certifications does Fibr AI have?

Fibr AI states alignment with SOC 2, ISO 27001, GDPR, and CCPA standards.

What integrations does Fibr AI support?

Fibr AI integrates with CDP (Customer Data Platform), CRM systems, and analytics platforms.

Does Fibr AI support A/B testing and experimentation?

Yes. Fibr AI includes an Experimentation Suite that provides AI-powered hypothesis creation, automated variant creation, audience-based experimentation, statistical significance monitoring, traffic allocation setup, and continuous learning and iteration.

How does Fibr AI handle AI ethics and human oversight?

Fibr AI states that its agents adapt experiences without manipulating them, and that it prioritizes transparency, security, and human oversight at every layer. The platform operates with a 'humans-in-the-loop' model where human allies guide strategy, brand alignment, and key decisions.

How do I get started with Fibr AI?

Fibr AI directs prospective customers to book a demo to get started.

What is Fibr.ai's role under this DPA — Data Controller or Data Processor?

VibeMarketing Inc. dba Fibr.ai acts as the Data Processor, processing personal data on behalf of the Customer/Partner, who acts as the Data Controller. The Customer determines the purposes and means of processing.

Which data protection regulations does this DPA cover?

This DPA is based on GDPR Regulation (EU) 2016/679 (Articles 28, 32, and 82). It also addresses restricted transfers under the Swiss DPA and UK GDPR through the EU Standard Contractual Clauses with appropriate modifications.

How does Fibr.ai handle international data transfers outside the EEA?

Transfers outside the European Economic Area are governed by Standard Contractual Clauses (EU) 2021/914. For EU GDPR transfers, Module Two (Controller to Processor) applies and the SCCs are governed by Irish law. For Swiss DPA transfers, equivalent Swiss law applies. For UK GDPR transfers, the UK Addendum to the EU SCCs applies. AI processing is performed within the Frankfurt Region, Germany.

How quickly must Fibr.ai notify the Data Controller of a personal data breach?

Fibr.ai must notify the Data Controller without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a Personal Data Breach. The notification must include the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to address and mitigate the breach.

What happens to personal data when the agreement is terminated?

Upon termination or expiration of the Agreement, Fibr.ai shall, at the Data Controller's choice, return or delete all Personal Data within a reasonable period not exceeding sixty (60) days. Fibr.ai shall provide written confirmation of deletion upon written request. Personal Data may be retained in secure backup systems for a limited period in accordance with standard backup retention practices, after which it shall be securely deleted or overwritten.

Does Fibr.ai undergo third-party security audits?

Yes. Fibr.ai engages independent third-party auditors to assess the adequacy of its security and data protection measures at least annually, including in accordance with ISO 27001 and SOC 2 requirements. Upon written request and subject to a mutually agreed NDA, Fibr.ai will provide SOC 2 Type II reports, ISO 27001 certifications, and related security documentation.

What sub-processors does Fibr.ai use and where are they located?

Fibr.ai's sub-processors include: Google Cloud Platform (US and India) for cloud infrastructure; OpenAI, Anthropic, and Google Vertex AI (US) for AI model inference; SendGrid (US) for email delivery; Sentry (US) for application monitoring; ChargeBee (US) for billing; Google Workspace, ClickUp, Slack, and GitHub (US) for internal operations; and Gusto (US) and Keka (India) for HRIS. Fibr.ai will provide ten (10) days' prior notice before authorizing any new sub-processor.

What insurance does Fibr.ai maintain under this DPA?

Fibr.ai maintains the following minimum coverages for the duration of the DPA and for two years after its expiration or termination: Commercial General Liability at USD 1,000,000 per occurrence / USD 2,000,000 aggregate; Cyber Liability / Data Breach and Tech E&O at USD 1,000,000 per claim / USD 3,000,000 aggregate; and Umbrella / Excess Liability at USD 3,000,000 aggregate, with carriers rated at least A- VII by AM Best.

Who is Fibr.ai's Data Protection Officer and how can they be contacted?

VibeMarketing Inc. has appointed a Data Protection Officer (DPO) in compliance with GDPR Article 37. The DPO is Pritam Roy and can be contacted at dpo@fibr.ai.

Can the Data Controller audit Fibr.ai's data protection practices directly?

Audit rights are primarily satisfied through third-party audit reports (SOC 2 Type II, ISO 27001). Additional on-site or detailed audits are permitted only where required by applicable law or regulatory authority, or following a material security incident affecting Customer Personal Data. Such audits must be conducted with reasonable prior notice, during normal business hours, and at the Data Controller's expense.

Data Protection Addendum (DPA) — Fibr.ai / VibeMarketing Inc.

This Data Processing Addendum ("DPA") sets out the GDPR obligations governing the processing of personal data by VibeMarketing Inc. dba Fibr.ai ("Data Processor") on behalf of the Customer/Partner ("Data Controller") who has signed a Subscription Services Agreement with VibeMarketing Inc.

Regulatory basis: GDPR Regulation (EU) 2016/679 — Articles 28, 32, and 82

1. Definitions

The following terms have the meanings set out below throughout this Addendum.

1.1 Personal Data

Any information relating to an identified or identifiable natural person ('Data Subject'). The following data, often used for the express purpose of distinguishing individual identity, can be classified as Personal Data: Name, Identification Number, Location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person, IP Address, Cookie Identifiers, and Radio Frequency ID (RFID) tags.

1.2 Natural Person / Data Subject

An identifiable Natural Person/Data Subject is one who can be identified, directly or indirectly, by reference to their Personal Data.

1.3 Processing

Any operation or set of operations performed on Personal Data or on sets of Personal Data by automated means, including but not limited to: Collection, Recording, Organisation, Structuring, Storage, Adaptation or alteration, Retrieval/Downloading data, Consultation, Use, Disclosure by transmission, Dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4 Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

1.5 Data Processor

A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

1.6 Data Sub-Processor

A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Processor.

1.7 GDPR

The General Data Protection Regulation (EU) 2016/679 — a legal framework that sets guidelines for the collection and processing of Personal Data of individuals within the European Union (EU).

1.8 Profiling

Any form of automated processing of Personal Data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person — in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

1.9 Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.10 Consent

Any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

1.11 Data Protection Impact Assessment (DPIA)

An activity carried out to enhance compliance with GDPR where processing operations are likely to result in a high risk to the rights and freedoms of Data Subjects.

1.12 Security Breach

Means: (a) any actual or reasonably suspected unauthorized use of, loss of, access to, or disclosure of Subscriber Data; provided that an incidental disclosure to an Authorized Party or VibeMarketing Inc. where no reasonable suspicion of theft, fraud, criminal or malicious conduct exists shall not constitute a Security Breach unless such incidental disclosure triggers a notification obligation under applicable Law; and (b) any security breach (or substantially similar term) as defined by applicable Law.

1.13 Supervisory Authority

An independent public authority established by an EU Member State. A Supervisory Authority is 'Concerned' by the processing of personal data because: (a) the Data Controller or Processor is established on the territory of the Member State of that Supervisory Authority; (b) Data Subjects residing in the Member State of that Supervisory Authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that Supervisory Authority.

2. Obligations of VibeMarketing Inc. as Data Processor

As a Data Processor, VibeMarketing Inc. agrees to:

Process Customer Data only on Customer's behalf for the purpose of providing and supporting VibeMarketing Inc.'s services (including insights, reporting, analytics, and platform abuse, trust and safety monitoring); in compliance with written instructions received from Customer; and in a manner that provides no less than the level of privacy protection required under applicable Data Protection Laws.
Promptly inform Customer in writing if VibeMarketing Inc. cannot comply with the requirements of this DPA.
Not provide Customer with any remuneration in exchange for Customer Data. The parties acknowledge and agree that Customer has not "sold" (as defined under applicable data protection laws, including CCPA where applicable) Customer Data to VibeMarketing Inc.
Not "sell" or "share" Personal Data as defined under applicable data protection laws.
Inform Customer promptly if, in VibeMarketing Inc.'s opinion, any instruction from Customer violates applicable Data Protection Laws.
Ensure that persons employed by VibeMarketing Inc. and other persons engaged to perform services on its behalf are subject to appropriate confidentiality obligations with respect to Customer Data and comply with the data protection obligations applicable under this DPA.
Engage sub-processors only as necessary to fulfill its obligations under this DPA, and ensure that such sub-processors are bound by data protection obligations that are no less protective than those set out in this DPA. A list of sub-processors is maintained and made available in Annex 2.

3. Applicability

If the Data Controller entity signing this Addendum is a party to the MSA, this DPA is an addendum to and forms part of the MSA.
If the Data Controller entity signing this DPA has executed an Order Form with VibeMarketing Inc. or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms.
If the Data Controller entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Data Controller entity who is a party to the Agreement executes this DPA.
If the Data Controller entity signing the DPA is not a party to an Order Form nor a Master Subscription Agreement directly with VibeMarketing Inc., but is instead a Data Controller indirectly via an authorized reseller of VibeMarketing Inc.'s services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.

The Data Controller and VibeMarketing Inc. each warrant that they are and will continue to adhere to GDPR and shall perform their obligations under this GDPR Addendum in accordance with the provisions of the GDPR from time to time in force. The parties acknowledge that for the purposes of GDPR, the Data Controller/Partner is the Data Controller for the Personal Data and that the performance of the services will require the processing of Personal Data by VibeMarketing Inc. for the Data Controller.

4. Scope

VibeMarketing Inc. shall process Personal Data provided by the Data Controller, limited to Name, Phone, E-Mail and Job Title, for the escalation and communication that is used to send notifications/alerts during business operations to the Data Subjects whose personal data is shared by the Data Controller.
VibeMarketing Inc. implements controls to obtain Consent from users of the platform without disrupting Data Controller's operations. The Data Controller is responsible for ensuring the respective Data Controllers and users accept the user consent.
VibeMarketing Inc. may use various software tools/Cloud Services for storing such Personal Data in their repositories.
VibeMarketing Inc. may use or store the Personal Data for retracting any reference to the Data Subject, as mentioned in their Privacy Policy, if required in future even after expiry of the agreement for identifying or tracing any alerts/notifications sent to the Data Subject.
The Data Controller/Partner shall be responsible to notify and obtain Consent from their Employees/Data Controllers/Contractors on how the Personal Data is processed by VibeMarketing Inc. and their Data Sub-Processor.
VibeMarketing Inc. shall bring to the Data Controller's/Partner's attention if they find a Personal Data Breach in their or their Data Sub-Processor environment that has impacted any form of Personal Data stored by either or both parties.
VibeMarketing Inc. shall not process Personal Data other than for the purposes documented in the Agreement.

5. Warranty by VibeMarketing Inc.

VibeMarketing Inc. warrants to the Data Controller to comply with the following:

It shall fully comply with the provisions of GDPR in carrying out its obligations under this Agreement.
It has all provisions for data protection necessary for carrying out its obligations under this Agreement and shall maintain such provisions throughout the term.
It shall immediately advise the Data Controller in writing if it receives or learns of any: complaint or allegation indicating a violation of Data Privacy Laws regarding Personal Data; request from one or more individuals seeking to access, correct, or delete Personal Data; inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Data; or any regulatory request, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Data.

6. Representations by VibeMarketing Inc.

VibeMarketing Inc. shall:

Adopt and maintain appropriate technical and organizational measures to ensure Personal Data is kept secure throughout the data life cycle, and take such precautions as are necessary to ensure the integrity of Personal Data and to prevent any Personal Data Breach.
Ensure that Data Sub-Processors process Personal Data as per the instructions provided by VibeMarketing Inc. in accordance with the requirements of GDPR.
Not collect Personal Data more than is required by VibeMarketing Inc. for processing.
Maintain a current list of Sub-processors on its website at https://www.fibr.ai, including for each Sub-processor: (i) name, (ii) geographic location, and (iii) a description of the processing activities performed. In case VibeMarketing Inc. intends to add a new Sub-processor, it shall update the website/send a communication email ten (10) days prior to authorising any new Sub-processor to process Data Controller Content. If the Data Controller objects on reasonable grounds related to data protection, the parties shall work together in good faith to resolve the concern. If no resolution is reached, the Data Controller shall have the right to terminate the agreement.
Before the Sub-processor first processes Data Controller Information, ensure that the Sub-processor is capable of providing the level of protection required by this Exhibit.
Remain fully liable to the Data Controller in respect of any failure by the Sub-processor to fulfil its data protection obligations.
Allow Data Subjects to keep the contents of their Personal Data accurate.
On reasonable written notice by the Data Controller, make available all such information as is necessary to demonstrate compliance with GDPR, and provide reasonable assistance to the Data Controller in relation to data subject requests, DPIAs, and regulatory inquiries, at no additional cost where such requests are standard and proportionate. For requests that are excessive, repetitive, or require significant additional effort, VibeMarketing Inc. reserves the right to charge reasonable fees based on the effort involved, subject to prior notice to the Data Controller.
On termination of the Agreement, at the Data Controller's sole requisition, provide all Personal Data to the Data Controller and shall provide confirmation of erasure.
Keep records of the processing activities carried out on behalf of the Data Controller.
Assist the Data Controller in meeting its GDPR obligations to notify Personal Data Breaches to the Supervisory Authority, along with the process and information required.
Provide commercially reasonable cooperation to the Data Controller in responding to regulatory or supervisory authority requests, data subject complaints or inquiries, and investigations relating to any Personal Data Breach or suspected breach. Such cooperation shall include providing relevant information and support necessary for the Data Controller to meet its obligations under applicable Data Protection Laws, provided that such cooperation does not require VibeMarketing Inc. to disclose confidential information of other customers or violate applicable law.
Not use Personal Data for activities like analytics and profiling unless required for business operations to provide subscribed services.
Inform the Data Controller if, in VibeMarketing Inc.'s opinion, a processing instruction infringes applicable legislation or regulation.
Where shared Personal Data is transferred outside the Data Processor's territorial boundaries, ensure that the recipient of such data is under contractual obligations to protect such Personal Data to the same or higher standards as those imposed under this Addendum and applicable Data Protection Laws.
Regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice, and ensure that all Personal Data is kept strictly confidential.

7. Audit Rights

VibeMarketing Inc. shall engage independent third-party auditors to assess the adequacy of its security and data protection measures at least annually, including in accordance with ISO 27001 and SOC 2 requirements.
Upon written request and subject to a mutually agreed Non-Disclosure Agreement (NDA), VibeMarketing Inc. shall provide the Data Controller with relevant audit reports, including SOC 2 Type II reports, ISO 27001 certifications, and related security documentation, sufficient to demonstrate compliance with applicable Data Protection Laws.
Audit rights of the Data Controller shall primarily be satisfied through such third-party audit reports and documentation.
Any additional audit requests (including on-site or detailed assessments) shall be permitted only where required by applicable law or regulatory authority, or following a material security incident affecting Customer Personal Data. Any such audits shall be conducted with reasonable prior notice, occur during normal business hours, not unreasonably interfere with VibeMarketing Inc.'s operations, and be at the Data Controller's expense.
VibeMarketing Inc. may reasonably limit the scope of any audit to protect confidentiality, security, and obligations owed to other customers.

8. Right to Terminate

If VibeMarketing Inc. contravenes the provisions mentioned in Clause 7 (Audit), the Data Controller shall have the right to terminate this Data Processing Addendum (DPA) and the Master Services Agreement (MSA).

9. Mechanism of Data Transfers

9.1 Standard Contractual Clauses

Where Personal Data is transferred outside the European Economic Area ("EEA") or to a country that has not been recognized by the European Commission as providing an adequate level of protection, the Parties agree that such transfers shall be governed by the Standard Contractual Clauses (EU) 2021/914 ("SCCs"). The SCCs are hereby incorporated by reference into this DPA and form an integral part of the Agreement. For the purposes of the SCCs: the Customer shall act as the data exporter; VibeMarketing Inc. shall act as the data importer; the applicable module shall be Module Two (Controller to Processor) or Module Three (Processor to Processor), as applicable. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to international data transfers.

9.2 Restricted Transfers — EU GDPR

When the transfer of Customer Personal Data from Customer (as exporter) to VibeMarketing Inc. (as importer) is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs as follows: Module Two will apply (controller to processor transfers); in Clause 7, the optional docking clause will apply; in Clause 9, Option 2 will apply and the time period for prior notice of sub-processor changes shall be as set out in Section 4.2(d) of this Addendum; in Clause 11, the optional language will not apply; in Clause 17, Option 1 will apply and the EU SCCs will be governed by Irish law; in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum; and Annex II of the EU SCCs shall be deemed completed with the information set out in Section 4 of Annex 1 to this Addendum.

9.3 Restricted Transfers — Swiss DPA

In relation to Customer Personal Data protected by the Swiss DPA, the EU SCCs shall apply as set out in Section 9.2, but with the following modifications: any references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; any references to "EU", "Union", "Member State", and "Member State law" shall be interpreted as references to Switzerland and Swiss law; any references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and the Controller to Processor SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss Courts.

9.4 Restricted Transfers — UK GDPR

In relation to Customer Personal Data protected by the UK GDPR, the EU SCCs shall apply as set out in Section 9.2, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this Addendum. Any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I of this Addendum, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting both "Importer" and "Exporter".

9.5 AI Processing

VibeMarketing Inc. shall process Personal Data using AI and machine learning technologies within the Frankfurt Region, Germany, in accordance with the terms of this Addendum and applicable Data Protection Laws, including GDPR. The purpose of such AI processing is limited to the services provided by VibeMarketing Inc. VibeMarketing Inc. shall ensure that any AI processing of Personal Data is conducted only to the extent necessary to achieve the specified purposes. VibeMarketing Inc. shall not participate in any other Restricted Transfers of Customer Personal Data unless the Restricted Transfer is made in compliance with applicable Data Protection Law and pursuant to the relevant Standard Contractual Clauses.

9.6 Transfer Mechanism

"Transfer Mechanism" refers to any lawful means of transferring personal data from the EEA or any adequate country to a third country in compliance with applicable data protection laws. This may include, but is not limited to: Standard Contractual Clauses (SCCs) approved by the European Commission Decision of 4 June 2021 (as amended from time to time); International Data Transfer Agreement issued by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018, effective from 21 March 2022; and International Data Transfer Addendum issued by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.

9.7 Additional Measures

If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard required under Data Protection Laws.

9.8 Disclosures to Public Authorities

Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed): challenge the request and promptly notify the data exporter about it; and only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure. Customer should routinely review all international transfers of Personal Data on a case-by-case basis in order to monitor new risks and implement additional safeguards (such as encryption or pseudonymization) to mitigate identified risks.

10. Data Incident Management

VibeMarketing Inc. maintains security incident management policies and procedures and shall notify the Data Controller without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a Personal Data Breach — including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data Controller Data transmitted, stored or otherwise processed by VibeMarketing Inc. or its Sub-processors (a "Data Controller Data Incident"). VibeMarketing Inc. shall make reasonable efforts to identify the cause of such Data Controller Data Incident and take those steps it deems necessary and reasonable in order to remediate the cause to the extent the remediation is within VibeMarketing Inc.'s reasonable control.

Such notification shall, to the extent available at the time of notification, include: the nature of the Personal Data Breach; categories and approximate number of affected Data Subjects; likely consequences of the breach; and measures taken or proposed to address and mitigate the breach. The obligations herein shall not apply to incidents caused by the Data Controller or the Data Controller's Users.

The Data Processor shall immediately notify the Data Controller with full details of: any Personal Data Breach in relation to this Addendum; processing of Personal Data which is contrary to GDPR or would require the Processor to act in a way contrary to GDPR; and any request received (including from an individual or the Supervisory Authority) to disclose any Personal Data.

11. Return and Erasure of Data Controller Data

Upon termination or expiration of the Agreement, VibeMarketing Inc. shall, at the choice of the Data Controller, return or delete all Personal Data processed on behalf of the Data Controller, unless retention is required by applicable law. Such deletion or return shall be completed within a reasonable period not exceeding sixty (60) days from the date of termination. VibeMarketing Inc. shall, upon written request, provide written confirmation of deletion of such Personal Data. Notwithstanding the foregoing, Personal Data may be retained in secure backup systems for a limited period in accordance with standard backup retention practices, after which such data shall be securely deleted or overwritten.

12. General

Nothing in this Agreement shall relieve VibeMarketing Inc. of its own direct responsibilities and liabilities under GDPR. The Clauses in this document shall be governed by the law of the Member State of the EEA (European Economic Area) in which the data processing is established. In assessing the appropriate level of security, VibeMarketing Inc. shall conduct a Data Protection Impact Assessment (DPIA) on a periodic basis to evaluate the risks presented by processing, in particular from a Personal Data Breach perspective.

13. Data Processing

Scope and Roles. This DPA applies when Customer Data is processed by VibeMarketing Inc. In this context, VibeMarketing Inc. will act as processor to Customer, who can act either as controller or processor of Customer Data.

Customer Controls. Customer can use the Service Controls to assist it with its obligations under Applicable Data Protection Law, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Customer agrees that it is unlikely that VibeMarketing Inc. would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if VibeMarketing Inc. becomes aware that Customer Data transferred under the SCCs is inaccurate or outdated, it will inform Customer without undue delay. VibeMarketing Inc. will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data by providing the Service Controls that Customer can use to erase or rectify Customer Data.

14. Details of Data Processing

Subject matter: The subject matter of the data processing under this DPA is Customer Data. Duration: As between VibeMarketing Inc. and Customer, the duration of the data processing under this DPA is determined by Customer. Purpose: The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time. Nature of the processing: Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time. Type of Customer Data: Customer Data uploaded to the Services under Customer's accounts with VibeMarketing Inc. Categories of data subjects: The data subjects could include Customer's customers, employees, suppliers and end users.

15. Compliance with Laws

Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Law.

16. Indemnity

Each Party (the "Indemnifying Party") shall defend, indemnify, and hold harmless the other Party and its Affiliates (the "Indemnified Party") from and against any third-party claims, damages, liabilities, fines, penalties, and expenses (including reasonable legal fees) arising out of or related to: any breach of this Data Processing Addendum by the Indemnifying Party; or any violation of applicable Data Protection Laws by the Indemnifying Party.

Customer Indemnity — Customer shall indemnify VibeMarketing Inc. for claims arising from: unlawful or improper collection of Personal Data; failure to obtain required consents or provide required notices; or instructions that violate applicable Data Protection Laws.

Fibr Indemnity — VibeMarketing Inc. shall indemnify Customer for claims arising from: breach of its obligations under this DPA; failure to implement appropriate technical and organizational security measures; or acts or omissions of its Sub-processors, to the extent VibeMarketing Inc. is responsible.

Each Party may participate in the defense of any claim with counsel of its choosing at its own expense. This Section shall be subject to the limitation of liability set forth in the Master Services Agreement (MSA), except in cases of gross negligence, willful misconduct, or regulatory fines directly attributable to a Party's breach.

17. Insurance

During the term of this DPA and for a period of two (2) years following its expiration or termination, Fibr.ai shall maintain the following minimum insurance coverages with carriers having an AM Best rating of at least A- VII:

Insurance Type	Coverage Limit
Commercial General Liability	USD 1,000,000 per occurrence / USD 2,000,000 aggregate
Cyber Liability / Data Breach and Errors & Omissions (Tech E&O)	USD 1,000,000 per claim / USD 3,000,000 aggregate
Umbrella / Excess Liability	USD 3,000,000 aggregate

Upon Customer's written request, Fibr.ai shall provide Certificates of Insurance evidencing the coverages described in Section 17.1 within 10 business days. Fibr.ai shall notify Customer in writing within 30 days if any of the above coverages are cancelled, materially reduced, or lapse during the term. The existence of insurance does not limit or reduce Fibr.ai's liability under this DPA.

18. Severability

The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

19. Data Protection Officer

VibeMarketing Inc. has appointed a Data Protection Officer (DPO) in compliance with GDPR Article 37.

DPO Contact: dpo@fibr.ai

Annex 1 — Parties & Description of Transfer

1. Data Exporter

Name: Customer (as set forth in the relevant Order Form). Address: As set forth in the relevant Order Form. Contact Person: As set forth in the relevant Order Form. Activities relevant to the transfer: Recipient of the Services provided by VibeMarketing Inc. in accordance with the Agreement. Role: Controller.

2. Data Importer

Name: VibeMarketing Inc. Address: 42700 Everglades Park Dr, Fremont, CA 94538. Contact Person: Pritam Roy, DPO — dpo@fibr.ai. Activities relevant to the transfer: Provision of the Services to the Customer in accordance with the Agreement. Role: Processor.

3. Description of Transfer

Categories of data subjects: Customer's authorized users of the Services.

Categories of personal data transferred: Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username, and other such items as defined in Article 9 of GDPR.

Sensitive data transferred: No sensitive data collected.

Frequency of transfer: Continuous basis.

Nature of the processing: Client-facing: Email addresses and names are collected for login, stored in Firebase and MongoDB. Automated triggers are used to send newsletters and alerts. No invisible tracking pixels are used for behavior analysis beyond click-through rates. All data resides in the primary country where the client has logged in. User (Client's Client)-facing: The SDK collects non-PII information for events like page visits, conversions and other engagements. No personal customer information is collected. All data is stored in the primary country where the client operates.

Purpose of data transfer: The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.

Retention period: The period for which the Customer Personal Data will be retained is more fully described in the Agreement, Addendum, and accompanying order forms.

4. Technical and Organisational Security Measures

Security Management System

Organisation: VibeMarketing Inc. designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.
Policies: Management reviews and supports all security-related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.
Assessments: VibeMarketing Inc. engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.
Risk Treatment: VibeMarketing Inc. maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.
Vendor Management: VibeMarketing Inc. maintains an effective vendor management program.
Incident Management: VibeMarketing Inc. reviews security incidents regularly, including effective determination of root cause and corrective action.
Standards: VibeMarketing Inc. operates an information security management system that complies with the requirements of ISO/IEC 27001:2022.

Personnel Security

Personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
VibeMarketing Inc. conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.
Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times.
Personnel must acknowledge receipt of, and compliance with, VibeMarketing Inc.'s confidentiality, privacy and security policies.
Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program.
Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications).
Personnel will not process Customer Personal Data without authorization.

Access Controls

Access Management: VibeMarketing Inc. maintains a formal access management process for the request, review, approval and provisioning of all personnel with access to Customer Personal Data, to limit access to Customer Personal Data and systems to properly authorized persons having a need for such access. Access reviews are conducted periodically.
Infrastructure Security Personnel: VibeMarketing Inc. has and maintains a security policy for its personnel, requiring security training. Infrastructure security personnel are responsible for ongoing monitoring of VibeMarketing Inc.'s security infrastructure and responding to security incidents.
Access Control and Privilege Management: VibeMarketing Inc.'s and Customer's administrators and end users must authenticate themselves via a Multi-Factor authentication system or via a single sign on system in order to use the Services.
Internal Data Access Policies: Systems are designed to allow only authorized persons to access data they are authorized to access, based on principles of "least privilege" and "need to know." The granting or modification of access rights is based on the authorized personnel's job responsibilities, job duty requirements necessary to perform authorized tasks, a need-to-know basis, and accordance with VibeMarketing Inc.'s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records. Access to systems is logged to create an audit trail. Where passwords are employed, password policies follow industry standard practices (complexity, expiry, lockout, restrictions on reuse, re-prompt after inactivity).

Data Center and Network Security

Data Centers: US clients: us-central1 (Google Cloud Platform region — Council Bluffs, Iowa, USA). Indian clients: asia-south1 (Google Cloud Platform region — Mumbai, MH, India).
Resiliency: Multi Availability Zones are enabled on GCP; Backup Restoration Testing is conducted regularly.
Server Operating Systems: Servers are customised and hardened for security. A code review process is employed to increase security of the code used to provide the Services.
Disaster Recovery: Data is replicated over multiple systems to protect against accidental destruction or loss. Disaster recovery programs are designed and regularly tested.
Security Logs: Systems have logging enabled to support security audits and monitor for actual and attempted attacks.
Vulnerability Management: Regular vulnerability scans are performed on all infrastructure components. Vulnerabilities are remediated on a risk basis, with Critical, High and Medium patches installed as soon as commercially possible.

Networks and Transmission

Data Transmission: Transmissions on the production environment are transmitted via Internet standard protocols.
External Attack Surface: VPC Firewall Rules combined with Target Tags or Service Accounts and Security Groups are in place for the Production environment on GCP.
Incident Response: VibeMarketing Inc. maintains incident management policies and procedures, including detailed security incident escalation procedures. VibeMarketing Inc. monitors a variety of communication channels for security incidents, and security personnel will react promptly to suspected or known incidents, mitigate harmful effects of such security incidents, and document such security incidents and their outcomes.
Encryption Technologies: VibeMarketing Inc. makes HTTPS encryption available for data in transit and implements encryption technologies for data at rest to ensure the security and confidentiality of Customer Data.

Data Storage, Isolation, Authentication, and Destruction

VibeMarketing Inc. stores data in a multi-tenant environment on GCP servers.
Data, the Services database and file system architecture are replicated between multiple availability zones in the US and India (applicable only for user-facing high availability resolution servers; for other data, it stays within the same country).
VibeMarketing Inc. logically isolates the data of different customers.
A central authentication system is used across all Services to increase uniform security of data.
VibeMarketing Inc. ensures secure disposal of Client Data through the use of a series of data destruction processes.

Annex 2 — List of Sub-Processors

Sub-Processor Name	Nature of Processing	Location
Google Cloud Platform (GCP)	Cloud infrastructure, data hosting, compute, storage, database services, backup & disaster recovery	US and IN
Google Workspace	Corporate email, internal collaboration, document storage	US
ClickUp	Project management, task tracking, internal workflow coordination	US
Keka	HRIS	IN
Gusto	HRIS	US
Slack	Communication	US
OpenAI	AI model inference for content generation, personalization, and natural language processing	US
Anthropic	AI model inference for content generation, personalization, and natural language processing	US
Google Vertex AI	AI model inference, machine learning services for content personalization and optimization	US
ChargeBee	Payment processing and billing	US
Sentry	Application monitoring, error tracking, logging	US
SendGrid	Transactional and marketing email delivery	US
GitHub	Source code hosting, CI/CD pipelines	US