Legal
Print this page

Data Processing Agreement

Effective day 27 April 2026


Table of Contents

1. Preamble

2. Applicability and Scope

3. Processing Customer Personal Data According to Instructions

4. Compliance

5. Confidentiality

6. Sub-processors

7. Security of processing of Customer Personal Data

8. Return or Deletion of Customer Personal Data

9. Location of Processing and Transfer Mechanisms

10. Assistance to the Customer

11. No sale or Sharing

12. Miscellaneous

13. Definitions

Annex I: Information About the Processing

Annex II: Technical and Organizational Security Measures

Annex III: List of Sub-Processors

  1. Preamble 
    1. This Data Processing Agreement, including its annexes and the Standard Contractual Clauses, ("DPA") is made by and entered into between Flowcase AS (“Flowcase”), and Customer, pursuant to the Flowcase Service Agreements, Service Order Form, the Flowcase Terms of Service or other written or electronic signed agreement between the parties (as applicable) ("Agreement") for the purpose of the Service. Subject to Section 2 of this DPA, by signing such aforementioned agreements referencing and incorporating this DPA, the Customer has read and agreed to this DPA, including this DPA is incorporated into and forms part of the Agreement. 
    2. This DPA sets out the terms that apply when Customer Personal Data is processed by Flowcase under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with Applicable Data Protection Legislation and with due respect for the rights and freedoms of individuals whose Personal Data is processed.
  2. Applicability and Scope
    1. Applicability. This DPA will apply only to the extent that Flowcase processes, on behalf of Customer, Personal Data to which Applicable Data Protection Legislation applies. The parties agree that this DPA shall replace and supersede any and all prior data processing agreement that Flowcase and Customer may have previously entered into. Notwithstanding the foregoing, this DPA, in whole or in part, will not apply to the extent the parties agree otherwise in (i) a separately executed data processing agreement that expressly overrides or excludes this DPA, or (ii) the Service Order Form, to the extent it expressly refers and modifies this DPA. 
    2. Scope and Duration. Flowcase will process Customer Personal Data in order to provide the Service and in accordance with the Agreement and this DPA. Annex 1 (Information About the Processing) sets out the nature and purpose of the processing, the types of Personal Data Flowcase processes and the categories of data subjects whose Personal Data is processed. This DPA will remain in effect until the later of (a) the expiration or termination of the Agreement and (b) the return or deletion of Customer Personal Data in accordance with Section 8.
    3. Flowcase as a Processor of Customer Personal Data. The parties acknowledge and agree that regarding the processing of Customer Personal Data, Customer may act either as a controller or processor and Flowcase is a processor. Flowcase will process Customer Personal Data in accordance with Customer’s instructions as set forth in Section 3 (Customer Instructions).
    4. Flowcase as a Controller of Account Data. The parties acknowledge and agree that regarding the processing of Account Data, Customer is a controller and Flowcase is an independent controller, not a joint controller with Customer. Flowcase will process Account Data as a controller (a) in order to manage the relationship with Customer, including creating customer accounts, handling billing, customer support, and sales and marketing activities; (b) to operate, maintain, and administer the Services, including account accesses and system management, (c) carry out Flowcase’s internal business operations, such as accounting, auditing, tax preparation and filing, and compliance purposes; (d) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (e) identity verification; (f) to comply with Flowcase’s legal or regulatory obligations; (g) to develop, improve, and understand the use of our products and services, including through aggregated anonymized analytics; (h) to communicate with the Customer, including service-related notices and updates; (i) to enforce our terms, policies, and legal rights, and to establish, exercise, or defend legal claims; (j) in connection with corporate transactions such as mergers, acquisitions, or reorganizations; and (k) as otherwise permitted under Applicable Data Protection Legislation, and otherwise as set out in Flowcase’s Privacy Notice.
    5. Integrations with Third Party Applications. 
      1. Customer may choose to enable integrations or exchange Customer Data, including Customer Personal Data, with third-party applications, products, or services provided by third-party providers (“Third Party Applications”). Customer's use of any Third Party Application is governed by Customer's own agreement with the relevant third-party provider. By enabling an integration, Customer instructs Flowcase to share Customer Data with, and accept Customer Data from, the relevant Third Party Application as necessary to facilitate the integration.
      2. The relevant third-party provider is not a sub-processor of Flowcase, nor is Flowcase a sub-processor of that provider. Flowcase's provision of technical integration capabilities does not establish any sub-processing or processor-to-processor relationship on behalf of Flowcase.
      3. Flowcase does not warrant or support any Third Party Application and is not responsible or liable for the security, privacy, accuracy, integrity, or availability of Customer Data shared with, accessed by, received from, or processed by any Third Party Application, including any data written to or modified within the Flowcase platform by such Third Party Application.
      4. Customer is solely responsible for (a) selecting any Third Party Application and performing appropriate due diligence on its security and data protection practices; (b) determining which Customer Data is exchanged and configuring any applicable access permissions or controls; (c) establishing any required contractual arrangements with the third-party provider (including any data processing agreement or transfer mechanism); (d) ensuring a lawful basis exists for any transfer of Customer Personal Data; (e) and revoking any Third Party Application's access upon disabling of the integration. Customer shall indemnify and hold Flowcase harmless from and against any claims, damages, losses, fines, penalties, costs, and expenses (including reasonable legal fees) arising from or related to Customer's use of Third Party Applications.
  3. Processing Customer Personal Data According to Instructions
    1. Customer Instructions. Customer appoints Flowcase as a processor to process Customer Personal Data on behalf of, and in accordance with (a) Customer’s instructions as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services to Customer; (b) as necessary to comply with applicable law, including Applicable Data Protection Legislation; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).
    2. Lawfulness of Instructions. Customer have the right and obligation to make decisions about the purposes and means of the processing of Customer Personal Data. Customer will ensure, and is responsible for, that its instructions comply with applicable laws, including Applicable Data Protection Legislation, including that the processing of Customer Personal Data has a legal basis. Customer acknowledges that Flowcase is neither responsible for determining which laws are applicable to Customer’s business nor whether Flowcase’s Services meet or will meet the requirements of such laws. Customer will ensure that Flowcase’s processing of Customer Personal Data, when done in accordance with Customer’s instructions, will not cause Flowcase to violate any applicable law, including Applicable Data Protection Legislation. Flowcase will inform Customer if it becomes aware that Customer’s instructions violate Applicable Data Protection Legislation.
  4. Compliance
    1. Customer shall be responsible for ensuring that: a) all such notices have been given, and all such authorizations have been obtained, as required under Applicable Data Protection Legislation, for Flowcase (and its Affiliates and Sub-processors) to process Customer Personal Data as contemplated by the Agreement and this DPA; b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Legislation; and c) it has, and will continue to have, the right to transfer, or provide access to, Customer Personal Data by Flowcase for processing in accordance with the terms of the Agreement and this DPA.
  5. Confidentiality
    1. Flowcase shall only grant access to Customer Personal Data being processed on behalf of the Customer to persons under Flowcase’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access can be withdrawn, if access is no longer necessary, and Customer Personal Data shall consequently not be accessible anymore to those persons. Flowcase shall at the request of the Customer demonstrate that the concerned persons under Flowcase’s authority are subject to the abovementioned confidentiality.
  6. Sub-processors
    1. Authorization for Sub-processing. Customer understands that effective operation of the Services may require the transfer of Customer Personal Data to Flowcase’s Affiliates or Sub-processors. Customer provides a general authorization for Flowcase to engage onward sub-processors to process Customer Personal Data that is conditioned on the following requirements: (a) Flowcase will restrict the onward sub-processor’s access to Customer Personal Data only to what is strictly necessary to provide the Services and in accordance with the Agreement, and Flowcase will prohibit the sub-processor from processing the Customer Personal Data for any other purpose; (b) Flowcase agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Legislation.
    2. Current Sub-processors and Notification of Sub-processor Additions.
      1. Customer agrees that (i) Flowcase may engage Sub-processors as listed in the link to Sub-processor Page in Annex III, which may be updated from time to time, and Flowcase Affiliates; (ii) such Affiliates and Sub-processors respectively may engage third party processors to process Customer Personal Data on Flowcase's behalf, and (iii) the processing of Customer Personal Data may take place in the Sub-Processor’s or Affiliate’s location as listed therein, subject to continued compliance with this DPA throughout the duration of the Agreement. 
      2. Customer agrees that Flowcase may, by giving reasonable notice to the Customer, add or replace Sub-processors from the Sub-processor Page at least twenty (20) days prior to any such changes. To receive such notifications, Customers can register through the privacy and security notification form or send an email to privacy@flowcase.com to be added to the distribution list. Continued usage beyond the effective date of the changes constitutes acceptance of the Sub-processor. If Customer reasonably objects to the appointment of a new Sub-processor within twenty (20) days of receiving such notice, on reasonable grounds relating to the protection of the Customer Personal Data, then Flowcase will work in good faith with Customer to find an alternative solution. In the event that the parties are unable to reach a mutually acceptable resolution, Customer is permitted to terminate the Agreement.
  7. Security of processing of Customer Personal Data
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Flowcase shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Customer and Flowcase shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks.
    2. Flowcase has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures designed to protect Customer Personal Data against Security Breaches. Such measures may be further specified at https://trust.flowcase.com. These measures shall at a minimum comply with Applicable Data Protection Legislation.
    3. Customer acknowledges that the security measures are subject to technical progress and development and that Flowcase may update or modify the security measures from time to time, provided that such updates and modifications do not result in material degradation of the overall security of the Services purchased by the Customer.
    4. Customer is responsible for its own secure use of the Service, including (a) making appropriate use of the Service to ensure a level of security and privacy appropriate to the risk in respect of Customer Personal Data; (b) securing the account authentication credentials, its own networks, systems and devices used to access the Service, and (c) any third-party services, integrations, or backup solutions not provided as part of the Service, including the security of Customer Personal Data transferred to or processed by such third parties. The Customer shall ensure that only authorized users are granted access and shall take reasonable steps to prevent unauthorized access or use. The Customer is also responsible for configuring and using the Service in a manner that maintains appropriate security and data protection, including the use of secure passwords, access controls, and device security.
    5. Upon becoming aware of a Security Breach impacting Customer Personal Data processed by Flowcase on behalf of Customer under this DPA, Flowcase shall notify Customer without undue delay and shall provide such information as Customer may reasonably require, including to enable Customer to fulfil its data breach reporting obligations under Applicable Data Protection Legislation. To ensure such notifications reach the appropriate individuals, Customer should designate a privacy and security contact person by registering through the privacy and security notification form or send an email to privacy@flowcase.com to be added to the distribution list. Flowcase’s notification of or response to a Security Breach shall not be construed as an acknowledgement by Flowcase of any fault or liability with respect to the Security Breach.
  8. Return or Deletion of Customer Personal Data
    1. Close Date and Deletion from Active Systems. Upon the latest of (a) the effective date of termination or expiry of the Agreement, or (b) such other date as agreed in writing between the parties, Flowcase shall within 5 business days deactivate Customer's users and account, and delete all Customer Personal Data (including copies) from its active systems, subject to the provisions below ("Close Date"). Customer acknowledges that following deletion from active systems, data restoration may not be possible, or may be subject to additional costs if restoration from backup systems is technically feasible and requested by Customer.
    2. Return of Customer Personal Data. Prior to the Close Date, Customer may export Customer Personal Data at any time through the Service's user interface. The Customer is solely responsible for exporting any data it wishes to retain before the Close Date. After the Close Date, Customer Personal Data will be deleted from active systems and may only be available in backup systems as set forth in Section 8.3 below.
    3. Backup Retention and Deletion. Flowcase maintains backups of data, which are retained for 90 days before automatic permanent deletion. Customer Personal Data contained in backups will be securely stored in accordance with Flowcase's backup retention procedures and will be permanently and irrecoverably deleted 90 days following the Close Date.
    4. Legal Retention. The obligations in this Section 8 shall not apply to the extent that Flowcase is required or allowed by applicable law to retain Customer Data.
  9. Location of Processing and Transfer Mechanisms
    1. Location of Processing. Customer acknowledges that Flowcase, its Affiliates and its Sub-processors may transfer and process personal data to and in countries and locations in which Flowcase, its Affiliates or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor Page. Flowcase shall ensure that such transfers are made in compliance with Applicable Data Protection Legislation and this DPA. 
    2. Transfer Mechanism: This section 9.2 and its subparagraphs only applies where transfer of data from Customer (as “data exporter”) to Flowcase (as “data importer”) is a Restricted Transfer. If such transfer is a Restricted Transfer, the Standard Contractual Clauses shall be incorporated into this DPA and apply as follows: 
      1. Where the Restricted Transfer is an EU Restricted Transfer, the EU SCCs shall apply between Customer and Flowcase, completed as follows:
        (a) Module Two terms apply to the extent Customer is a Controller and Module Three terms apply to the extent Customer is a Processor of Customer Personal Data; (b) in Clause 7, the optional docking clause will apply; (c) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 6.2.2 of this DPA; (d) in Clause 11, the optional language will not apply; (e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland; (f) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (g) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and (h) Subject to section 7.3 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.
      2. Where the Restricted Transfer is a UK Restricted Transfer, the EU SCCs as completed in Clause 9.2.1 shall apply between Customer and Flowcase, and shall be supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner's Office under Section 119A(1) of the Data Protection Act 2018 (the “UK Addendum”), completed as follows:
        (a) table 1 of the UK Addendum shall be deemed completed with relevant information from Annex I of this DPA; (b) table 2 of the UK Addendum shall be deemed completed with relevant information from section 9.2.1 and 13.17 of this DPA; (c) table 3 of the UK Addendum shall be deemed completed with relevant information from section 9.2.1 of this DPA; and (d) the options "Exporter" and "Importer" shall be deemed checked in table 4.
      3. Where the Restricted Transfer is a Swiss Restricted Transfer, the EU SCCs as implemented under sub-paragraphs 9.2.1 above will apply with the following modifications:
        (a) references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA; (b) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA; (c) references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland", or "Swiss law" (as applicable); (d) the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (e) Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the Swiss Federal Data Protection and Information Commissioner; (f) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland"; and (g) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland.
  10. Assistance to the Customer
    1. Data Subject Rights. 
      1. Flowcase provides Customer with a number of self-service features via the Services, including the ability to access, delete, obtain a copy of, or update Customer Personal Data (subject to access to the system and its data). Customer may use such self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to Third Party Requests from data subjects via the Services at no additional cost. 
      2. Upon Customer’s request, Flowcase shall, taking into account the nature of the processing, provide reasonable assistance to Customer where possible and at Customer’s cost and expense, to enable Customer to respond to requests from a data subject seeking to exercise their rights under Applicable Data Protection Legislation. In the event that such request is made directly to Flowcase shall, to the extent legally permitted, promptly inform the Customer and reasonably assist. 
      3. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Legislation or (b) any Third Party Request relating to the processing of Personal Data conducted by the other party, such party will promptly inform the other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Legislation.
    2. Data Protection Impact Assessment. Flowcase shall, to the extent required by Applicable Data Protection Legislation, provide Customer with reasonable assistance (at Customer's cost and expense) with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under such legislation.
    3. Audit and Inspection. 
      1. The parties acknowledge that when Flowcase is acting as a processor on behalf of Customer, Customer must be able to assess Flowcase’s compliance with its obligations under Applicable Data Protection Legislation and this DPA.
      2. Upon written request and at no additional cost to Customer, Flowcase shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the "Auditor"), access to reasonably requested documentation evidencing Flowcase's compliance with its obligations under this DPA in the form of the relevant information.
      3. While it is the parties’ intention ordinarily to rely on the provision of the documentation to demonstrate Flowcase’s compliance with this DPA and the provisions of Applicable Data Protection Legislation (where required), Flowcase shall permit Customer or its Auditor to carry out an audit, at Customer’s cost and expense, (including, without limitation, the costs and expenses of Flowcase), of Flowcase’s processing of Customer Personal Data under this DPA upon Customer’s written request for an audit, subject to the terms of this Section. Following Flowcase’s receipt of such request, Flowcase and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of any such audit. Any such audit shall be subject to Flowcase’s security and confidentiality terms and guidelines, may only be performed a maximum of once annually and will be restricted to only Customer Personal Data relevant to Customer. Any expenses incurred by an Auditor in connection with any review of reports or an audit shall be borne exclusively by the Auditor or Customer. For clarity, the exercise of audit rights under the SCCs shall be as described in this Section 10.3 (Audit and Inspection).
    4. Where required by Applicable Data Protection Legislation, Flowcase shall assist Customer in ensuring compliance with Customer's obligations under Applicable Data Protection Legislation.
  11. No sale or Sharing
    To the extent that the processing of Customer Personal Data is subject to U.S. data protection laws on behalf of the Customer, Flowcase agrees to the following:
    1. Customer Personal Data disclosed by the Customer to Flowcase is disclosed or received only for limited and specified purposes, including for one or more business or commercial purposes as those terms are defined under the US data protection laws.
    2. Flowcase will not sell, share, rent, release, disclose, disseminate, make available, transfer or otherwise communicate Customer Personal Data to any third party for monetary or other valuable consideration. 
    3. Flowcase shall not retain, use or disclose Customer Personal Data (a) for any purposes (including, but not limited to, any commercial purpose) other than a business purposes specified in agreement with Customer, or as otherwise permitted by US data protection laws, or (b) outside of the direct business relationship between the Customer and Flowcase.
  12. Miscellaneous
    1. Order of Precedence. If there is a conflict between this DPA and any other agreement between the parties in connection with Customer Personal Data, the following order of precedence shall apply: (a) the Standard Contractual Clauses (only where applicable); (b) Service Order Form that expressly reference and modify this DPA; (c) this DPA; (d) the Agreement (including the Terms of Service); and (e) the Privacy Notice. For the purposes of Account Data, the Privacy Notice will prevail. For the avoidance of doubt, general terms in a Service Order Form that do not expressly reference this DPA shall not be construed as modifying or superseding any provision of this DPA. 
    2. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.
    3. In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority. This DPA shall not exempt either party from mandatory obligations to which they are subject under Applicable Data Protection Legislation.
    4. In the event (and to the extent only) of a conflict (whether actual or perceived) among Applicable Data Protection Legislation, the parties (or relevant party as the case may be) shall comply with the more onerous requirement or standard which shall, in the event of a dispute in that regard, be determined by Flowcase.
    5. Notwithstanding anything else to the contrary in the Agreement and without prejudice to Sections 2.3 and 2.4, Flowcase may update this DPA from time to time as may be required to comply with Applicable Data Protection Legislation. In the event of any such updates, Flowcase shall notify the Customer at least twenty (20) days prior to the changes taking effect. Continued usage beyond the effective date of the changes constitutes acceptance of the changes. To receive such notifications, Customers can register through the privacy and security notification form or send an email to privacy@flowcase.com to be added to the distribution list. If Customer reasonably objects to the updated DPA within twenty (20) days of receiving such notice, on reasonable grounds relating to the protection of Customer Personal Data, then Flowcase will work in good faith with Customer to find an alternative solution. In the event that the parties are unable to reach a mutually acceptable resolution within a reasonable time thereafter, Customer is permitted to terminate the Agreement.
    6. Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Flowcase access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
    7. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Applicable Data Protection Legislation or this DPA (including the SCCs if applicable).
    8. The parties may agree on additional or modified clauses concerning the processing of Customer Personal Data in the Service Order Form, provided that such clauses expressly reference this DPA and the specific provisions being modified, and do not prejudice the fundamental rights or freedoms of data subjects or the protections afforded by Applicable Data Protection Legislation. 
    9. The parties agree that any notice or communication sent by Flowcase to Customer shall also satisfy any obligation to send such notice or communication to Customer’s Affiliate.
    10. Questions regarding this DPA can be directed to privacy@flowcase.com
  13. Definitions
    Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement

    1. "Account Data" means Personal Data that relates to Customer’s relationship with Flowcase, including Customer’s account and billing information, customer contact, identity verification, monitoring and usage data, maintain or improve performance of the Services, provide support, investigate and prevent system abuse, or fulfill legal obligations. For the avoidance of doubt, Flowcase is the Controller of Account Data. 
    2. "Affiliate" means (a) any entity controlled by, controlling or under common control by an entity, where "control" means ownership of or the right to control greater than 50% of the voting securities of such entity, or (b) any entity that is designated by Customer and authorized to access or use the Services under the Agreement, where such entity's use is governed by and subject to the terms of this Agreement, and where Customer remains responsible for payment and compliance with the Agreement terms on behalf of such entity.
    3. "Applicable Data Protection Legislation" refers to laws and regulations applicable to Flowcase’s processing of personal data under the Agreement, including but not limited to (a) the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2019 ("UK GDPR") and the Data Protection Act 2018 (together, "UK Data Protection Laws"), (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"), (d) applicable United States state privacy laws, including the CCPA & CPRA, and the privacy laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana, (e) Australian Privacy Principles and the Australian Privacy Act (1988), and (f) the Personal Information Protection and Electronic Documents Act (“PIPEDA”), in each case, as may be amended, superseded or replaced.
    4. "CCPA" or "CCPA and CPRA" means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder, in each case, as may be amended from time to time. This includes but it is not limited to the California Privacy Rights Act of 2020.
    5. "Controller" or "controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. It shall have the same meaning ascribed to “controller” under the GDPR and other equivalent terms under Applicable Data Protection Legislation (e.g., ”Business” as defined under the CCPA), as applicable.
    6. "Customer Data" has the meaning set forth in the Agreement.
    7. “Customer Personal Data” means Personal Data that Flowcase processes as a Processor on behalf of Customer.
    8. “Data Privacy Framework” or “DPF” means, as applicable, the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework developed by the US Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration permitting organizations participating in such Data Privacy Frameworks to receive Personal Data from the European Union / European Economic Area, the UK and Gibraltar, and Switzerland in compliance with applicable Data Protection Laws in those regions.
    9. "Europe" means for the purposes of this DPA the European Economic Area ("EEA"), the United Kingdom ("UK") and Switzerland, or another country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data, as determined by the European Commission in the case that EU Data Protection Law applies respectively as determined by the ICO in the case that UK Data Protection Law applies.
    10. "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
    11. "Personal Data" or "personal data" or "personal information" means any information, including personal information, relating to an identified or identifiable natural person (“data subject”) or as defined in and subject to Applicable Data Protection Legislation.
    12. Privacy Notice” means the current Privacy Notice available at https://www.flowcase.com/privacy-notice.
    13. "Processor" or "processor" means the entity which processes Personal Data on behalf of the Controller. It shall have the meaning ascribed to “processor” under the GDPR and other equivalent terms under other Applicable Data Protection Legislation (e.g., “Service Provider” as defined under the CCPA), as applicable.
    14. "Processing" or "processing" (and "Process" or "process") means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
    15. "Restricted Transfer" means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an "EU Restricted Transfer"); (ii) where UK Data Protection Laws applies, a transfer of personal data from the UK to any other country which is not subject to or based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018 (a "UK Restricted Transfer"); and (iii) where the Swiss DPA applies, a transfer of personal data to any other country which is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner or Federal Council (as applicable) (a "Swiss Restricted Transfer").
    16. "Security Breach" means a confirmed breach of Flowcase’s security measures specified in the Agreement or this DPA, leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by Flowcase. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
    17. "Standard Contractual Clauses" or "SCCs" means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c), or (d) where the UK GDPR means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such Addendum may be revised under Section 18 therein ("UK SCCs") and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs") (in each case, as updated, amended or superseded from time to time).
    18. "Sub-processor" or "sub-processor" means (a) Flowcase, when Flowcase is processing Customer Personal Data and where Customer is itself a processor of such Customer Personal Data, or (b) any third-party Processor engaged by Flowcase or its Affiliates to assist in fulfilling Flowcase's obligations under the Agreement and which processes Customer Personal Data. Sub-processors may include third parties or Flowcase Affiliates but shall exclude Flowcase employees, contractors or consultants.
    19. “Third Party Application" means any third-party software application, platform, service, or system that is not provided by Flowcase but which may be enabled to integrate with, or exchange Customer Data with, the Service.
    20. "Third Party Request" means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.
    21. "UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such Addendum may be revised under Section 18 therein. 

Annex I: Information About the Processing

This Annex I shall automatically be deemed executed when the Agreement is executed by Customer

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: The party identified as the "Customer" in the Agreement incorporating this DPA
Address: As set forth in the Agreement incorporating this DPA
Contact person's name, position and contact details: As set forth in the Agreement incorporating this DPA
Activities relevant to the data transferred under these Clauses: See Annex 1 B
Signature and date: This Annex I (where applicable) shall automatically be deemed executed when the Agreement is executed between the parties
Role (controller/processor): Controller or Processor

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: As set forth in the Agreement
Address: As set forth in the Agreement
Contact person's name, position and contact details: Flowcase Privacy Team, privacy@flowcase.com
Activities relevant to the data transferred under these Clauses: See Annex 1 B
Signature and date: This Annex I (where applicable) shall automatically be deemed executed when the Agreement is executed between the parties
Role (controller/processor): Processor for Customer Personal Data
Controller for Account Personal Data

 

B. DESCRIPTION OF PROCESSING/TRANSFER

Category Details
Categories of Data Subjects whose personal data is transferred Module Two and Three

Customer's employees, consultants, contractors, employees or contact persons of Customer's prospects, clients customers, business partners and vendors, or other individuals authorized by Customer to access Customer's Flowcase account, including any other data subjects whose personal data the Customer or its end users upload, submit, or otherwise disclose through the use of the Services. Flowcase does not knowingly process Personal Data relating to a child. Customer warrants that it shall not submit Personal Data of a child to the Service.
Categories of Personal Data transferred Module Two and Three

Any Customer Personal Data processed by Flowcase in connection with the Services and which relate to Customer's end users' activity and interactions with the Flowcase systems. This includes, but is not limited to:
  • Identification and contact details such as name, email address, telephone number, age, gender, place of residence and nationality;
  • Professional information including employer history, job titles, educations, qualifications, skills, work and project experience, languages, certificates, courses and other information contained in CVs, résumés, proposals or case studies relating to data subjects;
  • User account data relating to Customer's end users, such as usernames, user ID, user authentication information, user status, user access role, user registration/deactivation date, and records of actions or activities within the system for the purpose of Audit Log;
  • Technical data such as IP address, operating system, browser type, version and language, last visited browser page, device information, and approximate geolocation;
  • Communications and other information disclosed by the Customer or its end users, including content submitted through customer support chat, or other means of interaction with the services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards Flowcase does not knowingly collect (and Customer shall not submit) any sensitive data or any special categories of data (as defined under Applicable Data Protection Legislation).
Frequency of the transfer Continuous
Nature and purpose(s) of the data transfer and Processing Module Two and Three

Flowcase will process Customer Personal Data as necessary to provide, maintain, secure and support the Services and in accordance with the Agreement.

Additional details about Flowcase's products and services can be found at https://www.flowcase.com.
Retention period (or, if not possible to determine, the criteria used to determine the period) Module Two and Three

Refer to section 8 of the DPA
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing Module Two and Three

Flowcase will restrict the onward sub-processor's access to Customer Personal Data only to what is strictly necessary to provide the Services and in accordance with the Agreement and this DPA.

Flowcase imposes contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Legislation.
Identify the competent supervisory authority/ies in accordance with Clause 13 Where the EU GDPR applies, the competent supervisory authority shall be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. Where the UK GDPR applies, the UK Information Commissioner's Office.

Annex II: Technical and Organizational Security Measures

Further details of Flowcase’s technical and organizational security measures to protect Customer Data are available at: https://trust.flowcase.com.

Flowcase shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security. 

Flowcase shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller: 

  • Encryption at rest and in transit 
  • Audited Information Security Management System that implements the necessary security controls to ensure an appropriate level of confidentiality, integrity and availability. 
  • Backups are to be kept for 90 days and deleted after 90 days. 
  • Data should be accessible through the online user interface 
  • An audit log should be kept 

Annex III: List of Sub-Processors

The list of Sub-processors currently or to-be engaged by Flowcase is listed at www.flowcase.com/legal/sub-processors (the "Sub-processor Page").