Data processing agreement (“DPA”)
This Data processing agreement (“DPA”) forms an integral part of the FluxForce Contract terms and conditions and is entered into by and between: FluxForce, Inc., a company incorporated under the laws of the State of Florida (USA) (the “Data Processor”), and the Client, whether a natural or legal person using the FluxForce platform (the “Data Controller”).
1. Purpose of the Agreement
This DPA governs the processing of personal data carried out by FluxForce on behalf of the Client, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR), within the framework of the provision of the FluxForce platform services.
2. Definitions
The definitions set out in the GDPR shall apply, in particular those relating to personal data, processing, data controller, data processor, data subject, and personal data breach.
3. Nature and purpose of the processing
FluxForce shall process personal data solely for the following purposes:
- providing the services contracted by the Client;
- executing automated marketing campaigns, CRM activities, and communications;
- storing, organizing, and processing data in accordance with the Client’s instructions;
- ensuring the proper operation, maintenance, and security of the platform.
4. Categories of data and data subjects
4.1 Categories of data subjects
- Customers and prospective customers of the Data Controller;
- Leads and business contacts;
- End users;
- Employees or collaborators of the Data Controller (where applicable).
4.2 Categories of personal data
- Identification and contact data (name, email address, phone number, company);
- Professional data;
- Behavioral and activity data (emails, forms, interactions);
- Any other data uploaded by the Client to the platform.
FluxForce is not intended to process special categories of personal data (Article 9 GDPR), unless such processing occurs under the sole responsibility of the Client.
5. Obligations of the Data Processor
FluxForce undertakes to:
- process personal data solely in accordance with the documented instructions of the Client;
- ensure that persons authorized to process personal data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- not disclose or transfer personal data to third parties, except as provided for in this DPA;
- reasonably assist the Client in complying with its data protection obligations;
- delete or return personal data upon termination of the Service, in accordance with Section 11.
6. Sub-processors
- The Client authorizes FluxForce to engage sub-processors strictly necessary for the provision of the Service (e.g., infrastructure providers, email delivery services, or messaging services).
- FluxForce guarantees that such sub-processors are located within the European Economic Area (EEA) or, where applicable, comply with the safeguards required by the GDPR.
- FluxForce shall remain fully liable to the Client for the performance of the sub-processors’ obligations.
7. Data location and international transfers
- FluxForce hosts and processes its clients’ personal data on servers located within the European Economic Area (EEA).
- Accordingly, no international transfers of personal data outside the EEA are carried out in the ordinary course of providing the Service.
- Should an international data transfer exceptionally be required, FluxForce shall notify the Client in advance and implement the appropriate safeguards required by the GDPR.
- In the event of remote access or international transfers outside the European Economic Area, FluxForce will apply the appropriate safeguards provided for in Article 46 of the GDPR, including Standard Contractual Clauses and supplementary technical measures where appropriate.
8. Security measures
FluxForce implements appropriate technical and organizational measures, including but not limited to:
- access control and authentication;
- encryption of communications;
- logical data segregation;
- regular backups;
- monitoring and prevention of unauthorized access;
- internal security and confidentiality policies.
9. Personal data breaches
FluxForce shall notify the Client without undue delay after becoming aware of any personal data breach affecting data processed on behalf of the Client, including the information required under Article 33 GDPR where applicable.
10. Data subject rights
FluxForce shall reasonably assist the Client in enabling compliance with requests for the exercise of data subject rights. FluxForce shall not respond directly to such requests unless expressly instructed by the Client or required by law.
11. Service termination and data deletion
- In the event of Service cancellation, the Client may export its data for as long as the Service remains active.
- Once the contracted period has ended, the data shall be deleted or anonymized in accordance with the FluxForce Privacy Policy and Article 17 GDPR, unless a legal obligation to retain the data applies.
12. Liability
Each party shall be responsible for GDPR infringements attributable to it. FluxForce shall not be responsible for the lawfulness of the data processed or for the legal basis of the processing, which remains the responsibility of the Client as Data Controller.
13. Audits
FluxForce does not allow individual on-site audits, but will make available to the Client, upon reasonable and good-faith request, the information necessary to prove compliance with its data protection obligations.
14. Contractual precedence
In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.
15. Applicable law
This DPA shall be interpreted in accordance with Regulation (EU) 2016/679 (GDPR). Contractual matters shall be governed by the FluxForce Contract terms and conditions.
16. Acceptance
This DPA shall be deemed electronically accepted by the Client at the time of contracting the Service, without the need for an individual signature or a separate customized agreement.
