Data Processing Addendum (DPA)
Data processing terms when Fleksi.io handles customer data.
Roles
The customer is the controller of personal data, and Fleksi.io acts as a processor. The customer is responsible for legal basis and instructions.
Processing details
Subject: customer data submitted to the service. Nature: collection, storage, access, use, transmission, and deletion. Purpose: provide, secure, and improve the service. Data subjects: customer employees, end users, and their customers. Data types: contact details, identifiers, usage data, and uploaded content. Duration: for the term of the agreement and as instructed by the customer, subject to legal retention.
Processing according to customer instructions
We process personal data primarily according to the customer's documented instructions. Normal use, configuration, and support requests form the core of those instructions in practice.
Security
We implement reasonable technical and organizational measures, including access controls, least-privilege access, logging, encryption in transit, backups, and incident response procedures.
Subprocessors
We use vendors such as Google, Apple iCloud, and Cloudflare for hosting, storage, communications, and other essential services. We may update subprocessors with notice.
Assistance
We assist customers with data subject requests and incident notifications as required by law, and will notify customers of personal data breaches without undue delay.
Data breach notification
We will notify the customer of a personal data breach without undue delay and no later than 72 hours after becoming aware of it. The notification will describe the nature of the breach, its estimated scope, likely consequences, and measures taken or planned to address it. The customer, as data controller, is responsible for notifying the supervisory authority.
International transfers
If personal data is transferred outside the EEA, we use transfer mechanisms required by applicable law, such as standard contractual clauses and, where necessary, supplementary safeguards.
Deletion or return
Upon termination, we will delete or return customer data within a reasonable time unless we are required to retain it by law. Backup data is removed on its normal retention cycle.