Overview

Tools

See All Tools

Integrations

See All Integrations

Industries

See All Industries

Use Cases

Teams

Size

Learn More

Get Help

Get Started

  • Menu

Overview

Tools

See All Tools

Integrations

See All Integrations

Industries

See All Industries

Use Cases

Teams

Size

Learn More

Get Help

Get Started

Data Processing Agreement (U.S.) for Fluix Service

Effective date: 26 June 2023

1. Information About the Parties

Name: Subscriber Fluix Limited
Role in the processing: Controller Processor

This Data Processing Agreement (“DPA”) is an integral part of the Terms of Service (“Terms”) and governs the personal information processing activities between Fluix Limited and Subscribers that are the residents of the United States of America. In this DPA, Fluix Limited and the Subscriber shall be jointly referred to as the “Parties” and each separately as a “Party”.

2. Applicability

The Subscriber is the individual or entity that has subscribed for the hosting of the specific Fluix software Application identified during the ordering process, developed or licensed, operated, and maintained by Fluix Limited, accessible via https://fluix.io or another designated by Fluix Limited website or IP address, or ancillary online or offline products and services provided to Subscriber by Fluix, to which Subscriber is being granted access under the Terms (“Service”).

This DPA shall apply to the processing by Fluix Limited of the personal information (“Personal Information”) of the Subscriber’s employees, representatives, consultants, contractors, customers, or agents who are authorized to use the Service and have been supplied user identifications and passwords by the Subscriber (or by or for Fluix Limited at Subscriber’s request) (“Users”).

3. Purpose of Information Processing

The Subscriber or the Subscriber’s representatives inserts or transfers by any possible means the Personal Information of the Users to the Service and Fluix Limited processes this Personal Information solely for the purpose of Fluix Limited providing the functionality of the Service to the Subscriber.

4. Processing of Personal Information

Following the purposes of the processing of the Personal Information, it shall include, but is not limited to, the following:

  • transferring of the information between the Parties or by the Party with a third party under the “Details of processing” sections of the DPA;
  • storing of the Personal Information on servers;
  • subcontracting the processing of the Personal Information to the sub-processors;
  • granting third parties rights to access the Personal Information;
  • deletion or return of the Personal Information;
  • using the Personal Information for the purpose of fulfilling the Terms.

5. Personal Information

Fluix Limited processes the Personal Information the Subscriber provides. The amount of the Personal Information:

  • Company email domain;
  • SSO URL;
  • USER ID ATTRIBUTE;
  • Time of the last login in the Service;
  • Group membership;
  • Role in the account;
  • Information on the processes and tasks assigned;
  • Files downloaded;
  • Device info.

The Parties will notify each other without undue delay if they become aware of inaccuracies in the Personal Information.

6. Personal Information Storage Term

Fluix Limited shall store the Personal Information received from the Controller for the periods specified in the Privacy Notice for Fluix Service, available following the link https://fluix.io/privacy-notice-for-fluix-service, and sometime thereafter in the hash.

After that, Fluix Limited shall delete or return all Personal Information to the Subscriber.

Notwithstanding anything to the contrary in this section, Fluix Limited may retain Personal Information, or any portion of it, if required by applicable law, provided such Personal Information remains protected in accordance with the Terms, this DPA, and applicable laws and regulations.

7. Details of Processing

Settings Data
Type of data Reasons for processing Legal basis
Company email domain. To let the User login using Single Sign-On (“SSO”). Performance of the contract.
SSO URL. To redirect the User to the SSO flow. Performance of the contract.
USER ID ATTRIBUTE. To verify the email of the User logging in with SSO. Performance of the contract.
Functionality Data
Type of data Reasons for processing Legal basis
Time of the last login in the Service. To show the other Users the periods of your last activity. Performance of the contract.
Group membership. To let the Subscribers and Users manage permission and access. Performance of the contract.
Role in the account. To let Subscribers and Users manage permission and access. Performance of the contract.
To create more relevant messaging and improve the Service. Legitimate interest.
Information on the processes and tasks assigned. To provide the Users with the Service functionality. Performance of the contract.
To create more relevant messaging and improve the Service. Legitimate interest.
Files downloaded. To provide the Users with the Service functionality. Performance of the contract.
Device info. To let the admins see Users’ device info for security reasons. Performance of the contract.

8. Sensitive Information

Sensitive information will not be transferred for processing.

9. Limitation of the Processing

Fluix Limited shall not collect, retain, use, transfer, disclose, or otherwise process the Personal Information for any purpose other than performing the Service.

Fluix Limited shall process the Personal Information only as necessary to provide the Service and to fulfill the obligations set out in the Terms.

Fluix Limited does not use Personal Information outside of direct contractual relations.

10. The Frequency of the Transfer for Processing

Personal Information will be transferred for processing on a continuous basis.

11. Nature of the Processing

Fluix Limited collects the Subscriber’s information to process it upon the Subscriber’s request.

12. Sub-processors

The Subscriber agrees that Fluix Limited may engage sub-processors to process the Personal Information on behalf of the Subscriber, providing the necessary safeguards.

Fluix Limited may engage the sub-processor at any time at its sole discretion.

Fluix Limited shall make available to Subscriber upon its request a current list of sub-processors engaged in connection with the provision of the Service.

Fluix Limited transfers the Personal Information to its sub-processors solely for processing.

13. Recipients

The Personal Information may only be disclosed to the following recipients or categories of recipients and only if appropriate safeguards are in place:

  • advisers, contractors, consultants, and other professional experts;
  • partners;
  • team members;
  • third parties.

14. No Sale of Personal Information under the California Consumer Privacy Act

The Parties shall not have, derive, or exercise any rights or benefits regarding processing the Personal Information and may use and disclose the Personal Information solely for the purposes for which such the Personal Information was provided to it, as stipulated in this DPA.

The Parties certify that they understand the rules, requirements, and definitions of the California Consumer Privacy Act (“CCPA”) and agree to refrain from selling any Personal Information nor taking any action that would cause any transfer of the Personal Information to qualify as “selling” such Personal Information under the CCPA.

15. Data Protection Measures

The Processor shall implement appropriate technical and organizational measures to protect the Personal Information.

Implemented measures must be appropriate to the scope and risks of Personal Information processing. Relevant technical measures must be implemented on every device and information storage the Processor uses to access and process Personal Information.

The Processor must ensure that its employees, agents, and contractors:

  • can access the Personal Information only when access is strictly necessary for the purposes of the DPA;
  • are informed of the confidential nature of the Personal Information;
  • are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

The Processor must implement at least the following safeguards:

Physical measures
Limited access to premises
Organizational measures
Policies and instructions
  1. Password policy
  2. Monitoring and physical access
  3. Contractual obligations and corporate VPN
  4. Internal security policy
  5. Access control policy
Transfer protection
  1. Data protection agreements
  2. Data transfer agreements
  3. Standard contractual clauses
Agreements
  1. Non-disclosure agreements
  2. Data protection agreements
Contractor and staff training Privacy protection:
  1. Implementation of privacy by design and privacy by default.
  2. Internal procedures for GDPR compliance
  3. Data protection impact assessments

Regular access and policy review

Code review
Technical measures

Encryption technologies:

encryption in transit, backup encryption, state-of-the-art methods of cryptographic keys

Backup

We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.

Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.

Two-factor authentication
Static Analysis Quality Assurance
Regular Patch Management Dependency and Supply Chain Vulnerability Check
Stress-tests Internal pan-testing

16. Data Breach Management and Notification

In a case of a data loss or breach incident affecting the security of Personal Information, Fluix Limited shall notify the Subscriber via the email address(es) provided by the Subscriber for the use of the Service, without undue delay, but in no event later than 72 hours after identifying any potential or actual loss or breach.

Fluix Limited shall make reasonable efforts to identify and take those necessary and reasonable steps to remediate or mitigate the cause of such data loss or breach incident.

Fluix Limited shall provide reasonable assistance to Subscriber in the event that the Subscriber is required under applicable law to notify a regulatory authority or any data subjects impacted by such data loss or breach incident.

17. Applicable Legislation

Both Parties shall meet the requirements of the U.S. federal laws and privacy laws of states to the extent they may be applied as follows:

  • Federal Trade Commission Act;
  • California Consumer Privacy Act of 2018 (CCPA);
  • California Privacy Rights Act;
  • Colorado Privacy Act;
  • Connecticut Data Privacy Act;
  • Delaware Online and Personal Privacy Protection;
  • Maine Privacy Law;
  • Nevada Privacy Law;
  • New York State Personal Privacy Protection Law (PPPL);
  • Ohio Data Protection Act;
  • Utah Consumer Privacy Act;
  • Virginia Consumer Data Protection Act.

Regardless of the federal and state regulations and laws, the Processor is regulated by and meets the General Data Protection Regulation (GDPR) standards.

18. Change of Law

If there is a change of any relevant privacy laws, regulations, or rules, which affect the Terms of Service and this DPA in particular, the Processor shall amend it to comply with the law.

19. Competent Supervisory Authority

Сompetent supervisory authority is the Irish Data Protection Commission (DPC). For further information, please visit: https://www.dataprotection.ie/.