Data Processing Agreement
Version 1.07 · Revised March 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Flowpoint Analytics Ltd ("Processor") and you, the user ("Controller"), for the provision of Flowpoint Analytics services.
The Processor agrees to process Personal Data on behalf of the Controller in accordance with the terms of this DPA. This agreement is governed by the laws of England and Wales.
2. Definitions
- Data Protection Legislation — All applicable data protection and privacy legislation, including the UK GDPR, the Data Protection Act 2018, and any successor legislation.
- Data Subject — An identified or identifiable natural person whose Personal Data is processed.
- GDPR — The General Data Protection Regulation (EU) 2016/679 and, where applicable, the UK GDPR as defined by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- Personal Data — Any information relating to a Data Subject that is processed by the Processor on behalf of the Controller.
- Personal Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- Processing — Any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- SCCs — Standard Contractual Clauses approved by the European Commission for international transfers of Personal Data.
- IDTA — The International Data Transfer Agreement or UK Addendum to the EU SCCs, as issued by the UK Information Commissioner's Office.
3. Personal Data Types and Processing
The Controller retains full control over the Personal Data processed by the Processor. The categories of Personal Data processed include:
- Profile data — Name, email address, and organisation details provided during account registration.
- Workflow configurations — Settings and preferences configured by the Controller within the platform.
- Chat interactions — Conversations with the AI assistant used for dashboard generation.
Duration: Personal Data will be processed for the duration of the contract term. Upon termination, all Personal Data will be securely deleted within 6 months unless otherwise required by law.
Security: All data in transit is protected using TLS encryption. Access to Personal Data is restricted to authorised personnel only. The Processor implements appropriate technical and organisational measures in accordance with GDPR Article 32.
4. Subprocessors
The following subprocessors are engaged by the Processor to assist in providing the services:
| Subprocessor | Service | Location |
|---|---|---|
| Google Cloud | Hosting | USA |
| Stripe, Inc. | Payment processing | USA |
| Anthropic PBC | AI dashboard generation | USA |
| Intercom | Customer communications | USA |
| Slack Technologies | Communication | USA |
| Google Workspace | Communication | USA |
| HubSpot | CRM | USA |
| OpenAI, L.L.C. | Report data queries | USA |
| Mailchimp | Email marketing | USA |
| Namecheap | Domains and hosting | USA |
5. Processor Obligations
The Processor shall:
- Process Personal Data only in accordance with the Controller's documented instructions, unless required to do so by applicable law.
- Honour all requests from the Controller regarding the deletion or transfer of Personal Data without undue delay.
- Ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Provide reasonable assistance to the Controller in ensuring compliance with obligations under Data Protection Legislation, including data protection impact assessments and prior consultations with supervisory authorities.
- Ensure that all employees who have access to Personal Data receive appropriate training on data protection and security practices.
6. Security
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, in accordance with GDPR Article 32. These measures include, but are not limited to:
- Encryption of Personal Data in transit and at rest.
- Access controls and authentication mechanisms.
- Regular testing and evaluation of security measures.
- Incident response and disaster recovery procedures.
- Employee security awareness training.
7. Personal Data Breach
In the event of a Personal Data Breach, the Processor shall:
- Notify the Controller promptly and without undue delay upon becoming aware of the breach.
- Provide the Controller with sufficient information to enable the Controller to meet its obligations under Data Protection Legislation, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
- Cooperate fully with the Controller in investigating and remediating the breach.
- Not disclose the breach to any third party without the prior written consent of the Controller, unless required to do so by applicable law.
8. Cross-border Transfers
The Controller authorises the Processor to transfer Personal Data outside the European Economic Area (EEA) and the United Kingdom, provided that the Processor ensures adequate protection for such transfers. Adequate protection may be provided through:
- Transfers to countries recognised by the European Commission or the UK Government as providing an adequate level of data protection.
- Appropriate safeguards under GDPR Article 46, including Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
9. Subprocessor Management
The Controller provides general authorisation for the Processor to engage subprocessors as listed in Section 4. The Processor shall:
- Provide the Controller with advance notice of any intended changes to its subprocessors, giving the Controller the opportunity to object.
- Ensure that any subprocessor is bound by data protection obligations no less protective than those set out in this DPA.
- Remain fully liable to the Controller for the performance of its subprocessors' obligations.
10. Data Subject Requests
The Processor shall provide reasonable assistance to the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Legislation, including requests for access, rectification, and erasure of Personal Data. Such assistance shall be provided at no additional cost to the Controller.
11. Term
This DPA shall be effective for as long as the agreement between the Controller and the Processor remains active, or for as long as the Processor retains any Personal Data processed on behalf of the Controller.
12. Termination
Either party may suspend or terminate this DPA in the event of a material breach by the other party that remains unremedied after reasonable notice. The Controller may terminate this DPA at any time by ceasing use of the services. The Processor may terminate this DPA by providing reasonable written notice to the Controller.
13. Data Return and Destruction
Upon termination of this DPA or upon the Controller's request, the Processor shall securely delete or return all Personal Data to the Controller, at the Controller's election. The Processor may retain Personal Data only where required by applicable law, and shall inform the Controller of any such legal retention requirement. Upon completion of deletion, the Processor shall provide the Controller with written certification of destruction upon request.
14. Audit Rights
The Controller shall have the right to audit the Processor's compliance with this DPA. The Controller shall provide the Processor with at least 15 days' prior written notice of any audit. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
15. Governing Law
This Data Processing Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.