Flinque Data Processing Agreement
The short version, so you know what this DPA covers
This Data Processing Agreement (DPA) governs how Flinque processes personal data on behalf of customers who act as data controllers. It is required under GDPR Article 28, UK GDPR, and similar frameworks. By using Flinque, customers and Flinque enter into this DPA, which sets out our processor obligations, security commitments, sub-processor management, breach notification, audit rights, and international transfer safeguards.
This DPA forms part of our Terms and Conditions and supplements our Privacy Policy, Data Privacy Policy, GDPR Compliance, and Security Policy.
Enterprise customers requiring a signed DPA can request one through the contact page.
- Parties and Scope
- Definitions
- Processing Details
- Controller and Processor Responsibilities
- Instructions and Lawfulness
- Confidentiality of Personnel
- Technical and Organizational Measures
- Sub-processors
- International Data Transfers
- Data Subject Rights Cooperation
- Personal Data Breach Notification
- Audit Rights
- Deletion or Return on Termination
- Liability and Indemnification
- Contact for DPA Matters
1. Parties and Scope
This Data Processing Agreement (DPA) is entered into between:
- The Customer: the individual or legal entity that has registered for or purchased access to the Flinque influencer marketing platform, acting as the Controller
- Flinque: acting as the Processor
1.1 When this DPA applies
This DPA applies only to processing activities where Flinque acts as a Processor on behalf of the Customer (the Controller). Specifically:
- User Content created or uploaded by the Customer in its workspace
- Third-party contact data the Customer imports into Flinque
- Integration data the Customer connects from external systems
1.2 When this DPA does not apply
Where Flinque acts as a Controller in its own right (including for account management, billing, marketing, platform analytics, and creator public data aggregation), this DPA does not apply. For those processing activities, our Privacy Policy and GDPR Compliance apply.
1.3 Agreement formation
This DPA is automatically incorporated into the Customer’s Terms and Conditions upon acceptance of those terms. For Enterprise customers requiring a countersigned DPA, we can arrange formal execution on request.
2. Definitions
Terms used in this DPA have the meanings given to them in GDPR, UK GDPR, and applicable data protection law. Key definitions:
- Controller: the party that determines the purposes and means of processing
- Processor: the party that processes personal data on behalf of the Controller
- Sub-processor: a third party engaged by the Processor to process personal data
- Personal Data: any information relating to an identified or identifiable natural person
- Processing: any operation performed on personal data, such as collection, storage, access, disclosure, or deletion
- Data Subject: the individual to whom personal data relates
- Personal Data Breach: a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data
- Applicable Law: GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and other data protection laws applicable to the Parties’ processing
- Technical and Organizational Measures (TOMs): security measures implemented to protect personal data
Additional terms are defined in context throughout this DPA.
3. Processing Details
This section sets out the processing details required by GDPR Article 28(3).
The Customer determines the specific categories of personal data processed through its use of the platform.
4. Controller and Processor Responsibilities
4.1 Customer (Controller) responsibilities
The Customer agrees that it:
- Has established a lawful basis for the processing it instructs Flinque to perform
- Has provided any required notices to data subjects regarding the processing
- Has obtained any required consents before importing data to the platform
- Is responsible for the accuracy, quality, and legality of personal data
- Will not instruct Flinque to perform processing that would violate Applicable Law
- Maintains its own Records of Processing Activities under Article 30
4.2 Flinque (Processor) responsibilities
Flinque agrees that it:
- Will process personal data only on documented instructions from the Customer
- Will implement and maintain appropriate Technical and Organizational Measures
- Will ensure personnel authorized to process personal data are bound by confidentiality
- Will cooperate with the Customer in responding to data subject rights requests
- Will assist the Customer with breach notification, DPIAs, and consultations with supervisory authorities
- Will notify the Customer of personal data breaches affecting their data
- Will return or delete personal data at the end of the service per Section 13
- Will make information available to demonstrate compliance with Article 28
5. Instructions and Lawfulness
Flinque processes personal data only on documented instructions from the Customer.
5.1 Documented instructions
- The Customer’s use of the Flinque platform, in accordance with the Terms and Conditions and this DPA, constitutes the Customer’s documented instructions
- Additional or varied instructions must be in writing and agreed between the Parties
- Instructions outside the standard scope of the platform may incur additional fees or require contractual amendments
5.2 Legal obligations
If Flinque is required by Applicable Law to process personal data outside the Customer’s instructions, Flinque will inform the Customer of that legal requirement before processing, unless the law prohibits such notification on grounds of public interest.
5.3 Unlawful instructions
Flinque will promptly notify the Customer if, in its opinion, an instruction infringes Applicable Law. Flinque may refuse to comply with instructions that are manifestly unlawful.
6. Confidentiality of Personnel
Flinque ensures that all personnel who have access to personal data processed under this DPA:
- Have signed written confidentiality agreements or are under equivalent statutory obligations of confidentiality
- Have received appropriate training on data protection and security
- Are granted access only on a need-to-know basis
- Are subject to disciplinary action for confidentiality violations
- Continue to be bound by confidentiality obligations after the end of their engagement with Flinque
Personnel controls are detailed in our Security Policy.
7. Technical and Organizational Measures
Flinque implements appropriate Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk, including (as relevant):
7.1 Encryption
- Data in transit is protected with TLS 1.2 or higher
- Data at rest is encrypted using AES-256 or equivalent
- Encryption keys are managed through hardware-backed key management services
7.2 Access controls
- Role-based access control with least-privilege defaults
- Multi-factor authentication for all administrative access
- Regular access reviews
- Immediate access revocation upon role change or departure
7.3 Resilience
- Multi-zone infrastructure for redundancy
- Regular backups with tested restoration procedures
- Documented business continuity and disaster recovery plans
7.4 Security monitoring
- Continuous security monitoring and alerting
- Centralized tamper-resistant logging
- Vulnerability scanning and periodic penetration testing
7.5 Regular testing and evaluation
The effectiveness of TOMs is regularly tested, evaluated, and improved. A full description of our TOMs is in our Security Policy, which forms part of this DPA for reference.
7.6 Changes to TOMs
Flinque may update TOMs from time to time provided the overall level of security is not materially reduced. Material reductions in security, if any, will be communicated to affected customers with reasonable advance notice.
8. Sub-processors
The Customer provides general authorization for Flinque to engage sub-processors to perform parts of the processing, subject to the conditions below.
8.1 Current sub-processors
Flinque maintains a current list of sub-processors in the Data Privacy Policy. Sub-processor categories typically include:
- Cloud infrastructure and hosting providers
- Payment processing (Stripe)
- Email delivery services
- Customer support and help desk tools
- Analytics platforms
- AI service providers
- Security and monitoring vendors
8.2 Sub-processor requirements
Before engaging any sub-processor, Flinque:
- Conducts reasonable due diligence on the sub-processor’s security and data protection practices
- Enters into a written agreement imposing data protection obligations equivalent to those in this DPA
- Restricts sub-processor access to personal data to what is required for the services
- Remains fully liable to the Customer for the performance of sub-processors
8.3 Notice of new sub-processors
- Standard notice: Flinque provides at least 30 days' advance notice of new sub-processors to Enterprise customers who have subscribed to sub-processor change notifications
- For non-Enterprise customers: updates to the sub-processor list in the Data Privacy Policy constitute notice
- Emergency changes: where an urgent change is required (for example a sub-processor becoming insolvent or failing security standards), shorter notice may be given, with an explanation
8.4 Customer objection rights
Enterprise customers may object to the addition of a new sub-processor on reasonable data protection grounds during the 30-day notice period. If the Parties cannot resolve the objection:
- Flinque may elect to not engage the sub-processor for the objecting customer’s data
- Flinque may elect to proceed with the sub-processor and offer the Customer an option to terminate the affected services with a pro rata refund for unused prepaid fees
- The Parties may negotiate an alternative arrangement
9. International Data Transfers
Personal data may be transferred internationally as part of providing the Flinque service. Transfers are subject to appropriate safeguards.
9.1 Transfer mechanisms
- EU Standard Contractual Clauses (SCCs): the 2021 SCCs are deemed incorporated by reference into this DPA for transfers from the EEA to third countries without adequacy decisions
- UK International Data Transfer Addendum: for UK-originating transfers
- Swiss Addendum: for Swiss-originating transfers
- Adequacy decisions: where applicable, transfers may proceed under an adequacy decision
- EU-US Data Privacy Framework: used where applicable for transfers to certified US recipients
9.2 Module selection
Where the SCCs apply:
- Module Two (Controller to Processor) applies where the Customer is the Controller and Flinque is the Processor
- Module Three (Processor to Processor) applies where the Customer is itself a processor of a third-party controller and Flinque is engaged as a sub-processor
9.3 Transfer Impact Assessments
For transfers to countries without adequacy decisions, Flinque conducts Transfer Impact Assessments and applies supplementary measures where needed (encryption, pseudonymization, contractual commitments). Summary assessments are available to Enterprise customers on request.
10. Data Subject Rights Cooperation
Flinque provides reasonable cooperation to the Customer in responding to data subject rights requests.
10.1 Cooperation obligations
- Providing appropriate technical and organizational measures to allow the Customer to respond to data subject requests
- Providing tools within the platform for exporting, correcting, and deleting data
- Responding to Customer queries related to data subject requests within reasonable timeframes
- Assisting in providing supplementary information required for responses
10.2 Direct requests to Flinque
If a data subject contacts Flinque directly regarding personal data Flinque processes as a Processor, Flinque will:
- Direct the data subject to the Customer (the Controller)
- Inform the Customer of the request without undue delay
- Not respond to the substance of the request without Customer authorization unless required by Applicable Law
10.3 Fees for cooperation
Standard cooperation is provided at no additional charge. Extraordinary cooperation (for example responding to large-scale or complex requests requiring significant engineering effort) may incur reasonable fees, disclosed before any work is performed.
11. Personal Data Breach Notification
Flinque notifies the Customer of personal data breaches affecting Customer data in accordance with GDPR Article 33(2).
11.1 Notification timeline
- Initial notification: without undue delay after becoming aware of the breach, and in any event within 72 hours
- Updates: as investigation progresses and more information becomes available
- Final report: after investigation concludes
11.2 Notification contents
Breach notifications include (to the extent known):
- Nature of the breach, including categories and approximate numbers of data subjects and records affected
- Contact details for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
11.3 Customer obligations after notice
The Customer is responsible for determining whether to notify supervisory authorities and data subjects under Articles 33 and 34 of GDPR. Flinque provides reasonable assistance in these notifications.
11.4 No liability for false alarms
Flinque’s notification of a suspected breach does not constitute an admission of fault or liability. Precautionary notifications made in good faith based on incomplete information will not be treated as admissions against Flinque.
12. Audit Rights
Flinque makes information available to the Customer to demonstrate compliance with this DPA and GDPR Article 28.
12.1 Information available on request
- Summary of current Technical and Organizational Measures
- Summary of independent security assessments (for example executive summaries of penetration tests)
- Copies of relevant certifications (SOC 2, ISO 27001) where applicable and available
- Responses to standardized security questionnaires (SIG, CAIQ)
- Summary of sub-processor due diligence
12.2 Customer audits
Enterprise customers may conduct audits or inspections under the following conditions:
- At reasonable intervals (generally no more than once per 12-month period, unless a breach or regulatory requirement triggers additional audits)
- With reasonable advance notice (at least 30 days, unless regulatory urgency requires a shorter period)
- During Flinque’s business hours
- Through a mutually agreed independent auditor bound by confidentiality
- Without disrupting Flinque’s operations or compromising other customers’ data
- At the Customer’s expense, except where the audit identifies material non-compliance with this DPA
12.3 Alternative to on-site audits
Flinque can satisfy audit requirements by providing third-party audit reports, certifications, and detailed responses to security questionnaires. Customers are encouraged to rely on these where they satisfy the Customer’s compliance needs.
13. Deletion or Return on Termination
When the Customer’s subscription ends, Flinque deletes or returns personal data in accordance with the following:
13.1 Export before termination
The Customer is responsible for exporting personal data before account termination using the platform’s export features. Export tools are available up until the end of the subscription period.
13.2 Default: deletion
- Production data: deleted within 30 days of subscription end
- Backup data: rotated out within 90 days per the Data Retention Policy
- Deletion covers all personal data processed under this DPA, subject to retention exceptions
13.3 Retention exceptions
Notwithstanding deletion, Flinque may retain personal data where and for as long as required to:
- Comply with legal obligations (for example tax and audit retention)
- Establish, exercise, or defend legal claims
- Retain minimal identifiers for fraud prevention
Retained data remains subject to the confidentiality and security obligations in this DPA.
13.4 Certificate of destruction
Enterprise customers may request a certificate of destruction confirming deletion. Certificates are provided where reasonably feasible.
14. Liability and Indemnification
14.1 Liability cap
Each Party’s liability under this DPA is subject to the liability limitations in the Terms and Conditions, except where such limitations are not permitted by Applicable Law.
14.2 Apportionment of liability
Where both Parties are liable for the same damage, liability is apportioned in proportion to each Party’s responsibility. Where one Party pays full compensation, it may seek contribution from the other Party for the other Party’s share of responsibility.
14.3 Customer indemnification
The Customer indemnifies Flinque against claims arising from:
- Processing of personal data without a lawful basis established by the Customer
- Instructions that violate Applicable Law
- Inaccurate or unlawfully obtained personal data imported by the Customer
- Customer violations of the Terms and Conditions or this DPA
14.4 Cooperation in claims
Parties cooperate in defending claims by data subjects or regulatory authorities, including sharing information reasonably required for defense. Neither Party settles claims that materially affect the other Party’s rights without prior consent, which will not be unreasonably withheld.
15. Contact for DPA Matters
For DPA execution, audit requests, security questionnaires, or questions about this agreement, contact us.
Attn: Legal and Privacy (DPA)
#8, Newbury Street
700 Boylston St
Boston, Massachusetts 02116
United States
Contact form: flinque.com/contact
Report an issue: flinque.com/report-an-issue