Data Processing Addendum (DPA)
This DPA applies when Fleksi.io processes personal data on behalf of customers and forms part of the service terms.
Roles
The customer is the controller of personal data, and Fleksi.io acts as a processor. The customer is responsible for legal basis and instructions.
Processing details
Subject: customer data submitted to the service. Nature: collection, storage, access, use, transmission, and deletion. Purpose: provide, secure, and improve the service. Data subjects: customer employees, end users, and their customers. Data types: contact details, identifiers, usage data, and uploaded content. Duration: for the term of the agreement and as instructed by the customer, subject to legal retention.
Security
We implement reasonable technical and organizational measures, including access controls, least-privilege access, logging, encryption in transit, backups, and incident response procedures.
Subprocessors
We use vendors such as Google, Apple iCloud, and Cloudflare for hosting, storage, communications, and other essential services. We may update subprocessors with notice.
Data location and transfers
We primarily use servers in the EU/EEA. Some services may process data outside the EEA; where this occurs, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs).
Assistance
We assist customers with data subject requests and incident notifications as required by law, and will notify customers of personal data breaches without undue delay.
Deletion or return
Upon termination, we will delete or return customer data within a reasonable time unless we are required to retain it by law. Backup data is removed on its normal retention cycle.
Contact
DPA requests should be sent via the contact form on the website.