1. Purpose and Scope
This Data Processing Agreement ("DPA") forms part of the agreement between Aflux and the Customer governing the use of the Aflux platform (the "Agreement") and sets out the terms under which Aflux processes Personal Data on behalf of the Customer in connection with the provision of the Services.
This DPA applies where and to the extent that Aflux processes Personal Data on behalf of the Customer as a Data Processor, within the meaning of Regulation (EU) 2016/679 (the "GDPR"), and the Customer acts as a Data Controller or, where applicable, as a Data Processor acting on behalf of another Data Controller.
The purpose of this DPA is to ensure that such Processing is conducted in accordance with applicable data protection laws, including the GDPR, and to define the respective rights and obligations of the parties with respect to the Processing of Personal Data.
This DPA applies to all Processing activities carried out by Aflux on behalf of the Customer in the course of providing the Services, as further described in Annex 1 (Description of Processing). In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail with respect to matters relating to the Processing of Personal Data.
This DPA does not apply to Processing activities for which Aflux acts as an independent Data Controller, including Processing necessary for its own legal, security, billing, or compliance purposes, which shall be governed by Aflux's Privacy Policy.
2. Definitions and Interpretation
For the purposes of this Data Processing Agreement, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined in this DPA shall have the meanings given to them in the Agreement.
- "Agreement" means the contract governing the Customer's use of the Aflux Services, including the Terms of Service and any applicable order forms or schedules.
- "Aflux" means the Aflux entity identified in the Agreement, acting as a Data Processor under this DPA.
- "Customer" means the legal entity or individual that has entered into the Agreement with Aflux and acts as a Data Controller or, where applicable, as a Data Processor.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the GDPR.
- "Processing" or "Process" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined under Article 4(2) of the GDPR.
- "Controller", "Data Controller", "Processor", and "Data Processor" shall have the meanings given to them in Article 4 of the GDPR.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party appointed by Aflux to Process Personal Data on behalf of the Customer.
- "Data Protection Laws" means all applicable laws and regulations relating to the protection of Personal Data, including, where applicable, the GDPR and any national implementing legislation.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as defined under Article 4(12) of the GDPR.
- "Services" means the services provided by Aflux to the Customer under the Agreement.
2.2 Interpretation
- References to articles of the GDPR are references to Regulation (EU) 2016/679, as amended or replaced from time to time.
- The terms "include", "includes", and "including" shall be construed as illustrative and shall not limit the sense of the words preceding them.
- Headings are for convenience only and shall not affect the interpretation of this DPA.
- In the event of any inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to matters relating to the Processing of Personal Data.
3. Roles and Responsibilities
The Customer acts as the Data Controller (or, where applicable, as a Data Processor acting on behalf of another Data Controller) with respect to the Processing of Personal Data under this DPA. The Customer is responsible for:
• determining the purposes and means of the Processing of Personal Data; • ensuring that it has a valid legal basis under applicable Data Protection Laws for the Processing of Personal Data and for providing Personal Data to Aflux; • ensuring that all required notices have been provided to, and where necessary consents obtained from, Data Subjects; • ensuring the accuracy, quality, and lawfulness of the Personal Data submitted to the Services; • configuring the Services and applying appropriate settings, access controls, and security measures appropriate to the nature of the Personal Data being Processed; • responding to Data Subject requests, unless otherwise agreed in writing.
The Customer shall not instruct Aflux to Process Personal Data in a manner that violates applicable Data Protection Laws.
Aflux acts as a Data Processor with respect to Personal Data Processed on behalf of the Customer under this DPA. Aflux shall:
• Process Personal Data only on documented instructions from the Customer; • ensure that persons authorized to Process Personal Data have committed themselves to confidentiality; • implement appropriate technical and organizational measures to protect Personal Data; • assist the Customer in fulfilling obligations to respond to Data Subject requests; • notify the Customer without undue delay upon becoming aware of a Personal Data Breach; • make available to the Customer information reasonably necessary to demonstrate compliance.
4. Details of Processing
The subject matter of the Processing under this DPA is the provision of the Services by Aflux to the Customer, including the hosting, management, transmission, and processing of data submitted to the Services by or on behalf of the Customer.
Personal Data shall be Processed for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.
Aflux Processes Personal Data solely for the purpose of providing, maintaining, and supporting the Services in accordance with the Agreement, including:
• enabling electronic signature workflows; • enabling bulk email communications and campaign management; • enabling QR code generation and access to documents or folders; • providing user, role, and access management; • hosting, storing, and transmitting documents and related metadata; • monitoring service performance, availability, and security.
Depending on the Customer's use of the Services, Personal Data may relate to the Customer's employees, contractors, representatives, end users, recipients, signatories, or guests interacting with documents, emails, or QR codes.
5. Processor Obligations
Aflux shall Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
Aflux shall ensure that all persons authorized to Process Personal Data are subject to appropriate confidentiality obligations and receive appropriate data protection training where required.
Aflux shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Taking into account the nature of the Processing, Aflux shall assist the Customer in fulfilling the Customer's obligation to respond to requests for exercising Data Subject rights under applicable Data Protection Laws.
Aflux shall provide reasonable assistance to the Customer in complying with its obligations under Articles 32 to 36 of the GDPR, including obligations relating to security, breach notifications, data protection impact assessments, and prior consultations with supervisory authorities.
6. Security Measures
Aflux shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Such measures may include, as appropriate:
• access controls to limit Personal Data access to authorized personnel only; • logical and physical security controls for systems and infrastructure; • encryption or other protective measures for data in transit and at rest; • procedures for user authentication, authorization, and role-based access management; • logging, monitoring, and incident detection mechanisms; • regular testing, assessment, and evaluation of the effectiveness of security measures; • measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems; • procedures for data backup, recovery, and business continuity.
7. Use of Sub-processors
The Customer hereby provides a general authorization for Aflux to engage Sub-processors to Process Personal Data on behalf of the Customer in connection with the provision of the Services, subject to the requirements of this DPA.
Where Aflux engages a Sub-processor, Aflux shall ensure that the Sub-processor is bound by a written agreement imposing data protection obligations that are no less protective than those set out in this DPA.
Aflux shall remain responsible for the performance of its Sub-processors' obligations to the same extent as if Aflux had performed such obligations itself.
At the moment, Aflux is using no sub-processor and handles all the data in proprietary data servers with no intentional integration of other data processors. The storage integrations (e.g. Google Drive, OneDrive, etc.) have their own processing flow.
The storage and processing of data in such providers is independent from Aflux and is user's sole responsibility to ensure that its storage provider handles the data accordingly.
Aflux shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors.
8. Data Subject Rights Assistance
Taking into account the nature of the Processing and the information available to Aflux, Aflux shall provide reasonable assistance to the Customer to enable the Customer to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction of Processing, data portability, and objection.
Such assistance may include:
• implementing technical and organizational measures that allow the Customer to access, correct, delete, or export Personal Data within the Services; • providing information reasonably necessary to respond to a Data Subject request; • promptly notifying the Customer if Aflux receives a request directly from a Data Subject.
Aflux shall not respond directly to Data Subject requests unless required to do so by applicable law or expressly instructed by the Customer in writing.
9. Personal Data Breach Management
Aflux shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Customer.
Such notification shall include, to the extent reasonably available at the time:
• a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; • a description of the likely consequences of the Personal Data Breach; • a description of the measures taken or proposed to be taken by Aflux to address the Personal Data Breach and mitigate its possible adverse effects; • any other information reasonably necessary for the Customer to comply with its notification obligations.
Aflux shall cooperate with the Customer and provide reasonable assistance in investigating, mitigating, and remediating the Personal Data Breach.
10. Data Transfers
Aflux shall Process Personal Data primarily within the European Economic Area (EEA). Where Processing of Personal Data involves a transfer to a country outside the EEA, Aflux shall ensure that such transfer is carried out in compliance with applicable Data Protection Laws.
Where required, Aflux shall implement appropriate safeguards for such transfers, which may include:
• the use of Standard Contractual Clauses approved by the European Commission; • transfers to countries that have been recognized by the European Commission as providing an adequate level of data protection; • other lawful transfer mechanisms permitted under applicable Data Protection Laws.
Upon reasonable request, Aflux shall make available to the Customer information regarding the transfer mechanisms used for international data transfers under this DPA.
11. Audits and Compliance
Aflux shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
Subject to the terms below, the Customer may conduct audits or inspections to verify Aflux's compliance with this DPA:
• audits shall be limited to once per calendar year, unless required by a competent supervisory authority or in response to a confirmed Personal Data Breach; • audits shall be conducted during normal business hours and in a manner that does not unreasonably interfere with Aflux's business operations; • the Customer shall provide reasonable prior written notice of any audit; • audits shall be limited in scope to matters relevant to the Processing of Personal Data under this DPA.
Where reasonably available, Aflux may satisfy audit requests by providing appropriate third-party audit reports, certifications, or summaries (such as ISO, SOC, or equivalent reports).
12. Data Return and Deletion
Upon termination or expiration of the Agreement, and at the Customer's choice, Aflux shall either return or delete Personal Data Processed on behalf of the Customer, in accordance with the terms of the Agreement and this DPA, unless applicable law requires retention of such Personal Data.
Where technically feasible, the Customer may retrieve Personal Data directly from the Services prior to termination. Upon request, Aflux shall provide reasonable assistance to enable the Customer to export or retrieve Personal Data within a reasonable period following termination.
Aflux shall securely delete Personal Data within a reasonable timeframe after termination or expiration of the Agreement, except to the extent that retention is required by applicable law or necessary for the establishment, exercise, or defense of legal claims.
Upon reasonable request, Aflux shall confirm in writing that the deletion of Personal Data has been completed in accordance with this section.
13. Liability and Indemnification
Each party shall be liable for damages caused by its own violation of applicable Data Protection Laws or this DPA, in accordance with Article 82 of the GDPR.
Aflux shall be liable only for Processing of Personal Data where it has failed to comply with its obligations under this DPA or where it has acted outside or contrary to the lawful instructions of the Customer.
The Customer shall be liable for any damages arising from instructions that infringe applicable Data Protection Laws or from the Customer's failure to comply with its obligations as a Data Controller.
To the maximum extent permitted by applicable law, any liability arising out of or in connection with this DPA shall be subject to the limitations of liability set forth in the Agreement.
14. Term and Termination
This DPA shall become effective on the date the Agreement enters into force and shall remain in effect for the duration of the Agreement, unless terminated earlier in accordance with this section.
This DPA shall automatically terminate upon termination or expiration of the Agreement, except for provisions which by their nature are intended to survive termination, including but not limited to provisions relating to confidentiality, data return and deletion, liability, and compliance with applicable Data Protection Laws.
Either party may terminate this DPA if the other party materially breaches its obligations under this DPA and fails to remedy such breach within a reasonable period after receiving written notice.
Termination of this DPA shall not relieve either party of its obligations under applicable Data Protection Laws with respect to Personal Data Processed prior to termination.
15. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, without regard to its conflict of laws principles.
Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Agreement, unless otherwise required by applicable Data Protection Laws.
Nothing in this section shall prevent either party from seeking interim or injunctive relief from any competent court to protect its rights or comply with applicable Data Protection Laws.
16. Amendments
Aflux may amend this DPA from time to time to the extent required to comply with applicable Data Protection Laws or to reflect changes in the Services, provided that such amendments do not materially reduce the level of protection afforded to Personal Data.
Aflux shall notify the Customer of any material amendments to this DPA through reasonable means, including by updating the DPA on its website or within the Services.
Unless otherwise required by applicable law, amendments to this DPA shall become effective upon publication or as otherwise specified in the notice. The Customer's continued use of the Services after the effective date of such amendments shall constitute acceptance of the updated DPA.
Where required by applicable law, amendments shall not apply retroactively without the Customer's express agreement.