Data Processing Agreement (EEA) for Fluix Service
Effective date: 26 June 2023
1. Information About the Parties
Name: | Subscriber | Fluix Limited |
Role in the processing: | Controller | Processor |
This Data Processing Agreement (“DPA”) is an integral part of the Terms of Service (“Terms”) and governs the personal data processing activities between Fluix Limited and Subscribers that are residents of the European Economic Area. In this DPA, Fluix Limited and the Subscriber shall be jointly referred to as the “Parties” and each separately as a “Party”.
2. Applicability
The Subscriber is the individual or entity that has subscribed for the hosting of the specific Fluix software Application identified during the ordering process, developed or licensed, operated, and maintained by Fluix Limited, accessible via https://fluix.io or another website or IP address designated by Fluix Limited, or ancillary online or offline products and services provided to Subscriber by Fluix, to which Subscriber is being granted access under the Terms (“Service”).
This DPA shall apply to the processing by Fluix Limited of the personal data of the Subscriber’s employees, representatives, consultants, contractors, customers, or agents who are authorized to use the Service and have been supplied user identifications and passwords by the Subscriber (or by or for Fluix Limited at Subscriber’s request) (“Users”).
General Data Protection Regulation, applicable laws and regulations of the Republic of Ireland, and other applicable laws and regulations (“Applicable Law”) shall apply to the DPA.
3. Purpose of Data Processing
The Subscriber or the Subscriber’s representatives insert or transfer by any possible means the personal data (“Personal Data”) of the Users to the Service, and Fluix Limited processes this Personal Data solely for the purpose of Fluix Limited providing the functionality of the Service to the Subscriber.
4. Processing of Personal Data
In line with the purposes of the processing, the processing of the Personal Data shall include, but is not limited to, the following:
- transferring of the data between the Parties or by the Party with a third party under the “Details of processing” sections of the DPA;
- storing of the Personal Data on servers;
- subcontracting the processing of the Personal Data to the sub-processors;
- granting third parties rights to access the Personal Data;
- deletion or return of the Personal Data;
- using the Personal Data for the purpose of fulfilling the Terms.
5. Personal Data
Fluix Limited processes the Personal Data the Subscriber provides. The amount of the Personal Data:
- Company email domain;
- SSO URL;
- USER ID ATTRIBUTE;
- Time of the last login in the Service;
- Group membership;
- Role in the account;
- Information on the processes and tasks assigned;
- Files downloaded;
- Device info.
The Parties will notify each other without undue delay if they become aware of inaccuracies in the Personal Data.
6. Personal Data Storage Term
Fluix Limited shall store the Personal Data received from the Controller for the periods specified in the Privacy Notice for Fluix Service, available following the link https://fluix.io/privacy-notice-for-fluix-service, and sometime thereafter in the hash.
After that, Fluix Limited shall delete or return all Personal Data to the Subscriber.
Notwithstanding anything to the contrary in this section, Fluix Limited may retain Personal Data, or any portion of it, if required by applicable law, provided such Personal Data remains protected in accordance with the Terms, this DPA, and applicable laws and regulations.
7. Details of Processing
Settings Data
Type of data | Reasons for processing | Legal basis |
Company email domain. | To let the User login using Single Sign-On (“SSO”). | Performance of the contract. |
SSO URL. | To redirect the User to the SSO flow. | Performance of the contract. |
USER ID ATTRIBUTE. | To verify the email of the User logging in with SSO. | Performance of the contract. |
Functionality Data
Type of data | Reasons for processing | Legal basis |
Time of the last login in the Service. | To show the other Users the periods of your last activity. | Performance of the contract. |
Group membership. | To let the Subscribers and Users manage permission and access. | Performance of the contract. |
Role in the account. | To let Subscribers and Users manage permission and access. | Performance of the contract. |
Role in the account. | To create more relevant messaging and improve the Service. | Legitimate interest. |
Information on the processes and tasks assigned. | To provide the Users with the Service functionality. | Performance of the contract. |
Information on the processes and tasks assigned. | To create more relevant messaging and improve the Service. | Legitimate interest. |
Files downloaded. | To provide the Users with the Service functionality. | Performance of the contract. |
Device info. | To let the admins see Users’ device info for security reasons. | Performance of the contract. |
8. Sensitive Data
Sensitive data will not be transferred for processing.
9. Limitation of the Processing
Fluix Limited shall not collect, retain, use, transfer, disclose, or otherwise process the Personal Data for any purpose other than performing the Service.
Fluix Limited shall process the Personal Data only as necessary to provide the Service and to fulfill the obligations set out in the Terms.
Fluix Limited does not use Personal Data outside of direct contractual relations.
10. The Frequency of the Transfer for Processing
Personal Data will be transferred for processing on a continuous basis.
11. Nature of the Processing
Fluix Limited collects the Subscriber’s Data to process it upon the Subscriber’s request.
12. Sub-processors
The Subscriber agrees that Fluix Limited may engage sub-processors to process the Personal Data on behalf of the Subscriber, providing the necessary safeguards.
Fluix Limited may engage the sub-processor at any time at its sole discretion.
Fluix Limited shall make available to Subscriber upon its request a current list of sub-processors engaged in connection with the provision of the Service.
Fluix Limited transfers the Personal Data to its sub-processors solely for processing.
The Subscriber consents to the engagement of affiliate service providers as sub-processors in the scope of performance of the contract by Fluix Limited.
With respect to changes of the sub-processors providing the services of server hosting the code and databases resulting in the change of the state of such sub-processor (excluding such change within the European Economic Area), Fluix Limited shall endeavor to give notice sixty (60) days prior to any change but in any event, shall give notice no less than thirty (30) days prior to any such change.
13. Recipients
The Personal Data may only be disclosed to the following recipients or categories of recipients and only if appropriate safeguards are in place:
- advisers, contractors, consultants, and other professional experts;
- partners;
- team members;
- third parties.
14. Data Subject Rights
As part of the Service, Fluix Limited provides the Subscriber with a number of self-service features, including the ability to delete, obtain a copy of, or restrict the use of Personal Data.
The Subscriber may use these self-service features to assist in complying with its obligations under Applicable Law with respect to responding to requests from data subjects via the Service at no additional cost. In addition, upon Subscriber’s request, Fluix Limited will provide reasonable additional and timely support (at Subscriber’s expense only if complying with the Subscriber’s request will require Fluix Limited to assign significant resources to that effort) to assist Subscriber in complying with its data protection obligations with respect to data subject rights under Applicable Law.
The Party shall promptly inform the other Party in writing in the event that the Party receives:
- any request from a data subject to exercise any of its rights under Applicable Law (including its rights of access, correction, objection, erasure, and data portability, as applicable); or
- any request relating to the processing of Subscriber’s account or usage data conducted by the other Party from any individual, organization, or governmental body, except for the Parties and the data subjects.
The Parties agree to cooperate, in good faith, as necessary to respond to any such requests and fulfill their respective obligations under Applicable Law.
15. Data Protection Measures
The Processor shall implement appropriate technical and organizational measures to protect the Personal Data. At the request of the Subscriber, the Processor shall share security and privacy certifications it obtains, including ISO 27001.
Implemented measures must be appropriate to the scope and risks of Personal Data processing. Relevant technical measures must be implemented on every device and data storage the Processor uses to access and process Personal Data.
The Processor must ensure that its employees, agents, and contractors:
- can access the Personal Data only when access is strictly necessary for the purposes of the DPA;
- are informed of the confidential nature of the Personal Data;
- are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Processor must implement at least the following safeguards:
Physical measures
- Limited access to premises
Organizational measures
- Policies and instructions:
  1. Password policy
  2. Monitoring and physical access
  3. Contractual obligations and corporate
  4. VPN
  5. Internal security policy
  6. Access control policy
- Transfer protection:
  1. Data protection agreements
  2. Data transfer agreements
  3. Standard contractual clauses
- Agreements:
  1. Non-disclosure agreements
  2. Data protection agreements
- Contractor and staff training
- Privacy protection:
  1. Implementation of privacy by design and privacy by default
  2. Internal procedures for GDPR compliance
  3. Data protection impact assessments
- Regular access and policy review
- Code review
Technical measures
- Encryption technologies: encryption in transit, backup encryption, state-of-the-art methods of cryptographic keys
- Backup: We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail. Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.
- Two-factor authentication
- Static Analysis
- Quality Assurance
- Regular Patch Management
- Dependency and Supply Chain Vulnerability Check
- Stress-tests
- Internal pen-testing
16. Data Breach Management and Notification
In the event of a data loss or breach incident affecting the security of Personal Data, Fluix Limited shall notify the Subscriber via the email address(es) provided by the Subscriber for the use of the Service, without undue delay, but in no event later than 72 hours after identifying any potential or actual loss or breach.
Fluix Limited shall make reasonable efforts to identify and take those necessary and reasonable steps to remediate or mitigate the cause of such data loss or breach incident.
Fluix Limited shall provide reasonable assistance to Subscriber in the event that the Subscriber is required under Applicable Law to notify a regulatory authority or any data subjects impacted by such data loss or breach incident.
17. Impact Assessments and Consultations
Fluix Limited shall provide reasonable cooperation to Subscriber in connection with any data protection impact assessment (at Subscriber’s expense only if such reasonable cooperation requires Fluix Limited to assign significant resources to that effort) and consultations with regulatory authorities that may be required in accordance with Applicable Law.
18. Applicable Legislation
Both Parties shall meet the requirements of the EU privacy regulations and laws of the Republic of Ireland to the extent they may be applied, including the General Data Protection Regulation.
19. Change of Law
If there is a change of any relevant privacy laws, regulations, or rules, which affect the Terms of Use and this DPA in particular, the Processor shall amend it to comply with the law.
20. Competent Supervisory Authority
The competent supervisory authority is the Irish Data Protection Commission (DPC). For further information, please visit: https://www.dataprotection.ie/.