Data Processing Agreement v1.0

This Data Processing Agreement (“Agreement”, “DPA”) forms part of the Contract for Services (“Principal Agreement”) between you (either an individual or a single legal entity and its affiliates using flex.bi Services, the “Customer”) and SIA “Flex BI”, registration number: 40203021416, legal address: Slokas iela 32 - 3, Rīga, LV-1048, a Latvian company (“flex.bi”) (together the “Parties”).

WHEREAS:

(A) The Customer acts as a Data Controller.
(B) The Customer subcontracts Services which involve the processing of personal data by flex.bi.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation.

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. “Customer Personal Data” means any data, including Personal Data, provided by Customer that are processed pursuant to or in connection with the Principal Agreement;

1.1.2. “Contracted Processor” or a “Sub-processor” means any person appointed by or on behalf of flex.bi to process Personal Data on behalf of the Customer in connection with the Agreement;

1.1.3. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable or to the extent specified as applicable by the Principal Agreement, the data protection or privacy laws of another country;

1.1.4. “EEA” means the European Economic Area;

1.1.5. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.6. “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.7. “Data Transfer” means:

  • transfer of Customer Personal Data from the Customer to flex.bi; or

  • an onward transfer of Customer Personal Data from flex.bi to a Contracted Processor, in each case, where such transfer would be permitted by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.8. “Services” means the use of the flex.bi website (flex.bi).

1.2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data

2.1. flex.bi shall:
2.1.1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
2.1.2. process Customer Personal Data only for the purposes described in this Agreement and only in accordance with the Customer’s documented lawful instructions.
2.2. The Parties agree that this Agreement and the Principal Agreement set out the Customer’s complete and final instructions to flex.bi in relation to the processing of Customer Personal Data, and processing outside the scope of these instructions (if any) shall require a prior written agreement between Customer and flex.bi.
2.3. In the event flex.bi processes Customer Personal Data outside of the scope of Services, flex.bi becomes an independent personal data controller with respect to such personal data processing.
2.4. The Customer Personal Data processed using the Services for the flex.bi Cloud product is described in the respective security statement:
- Security Policy

3. Security

3.1. flex.bi, to the extent required under the Agreement, will implement appropriate technical and organizational measures in accordance with Data Protection Laws (e.g., Art. 32 GDPR) to protect Customer Personal Data from Personal Data Breaches and other security incidents, and to preserve the security and confidentiality of Customer Personal Data at a level appropriate to the risks of the processing, in particular to avoid alteration, loss, unauthorized processing or unauthorized access, taking into account the state of the art, the nature of the stored data and the risks to which it is exposed.
3.2. flex.bi’s current technical and organizational measures are described in Annex II (“Security Measures”).
3.3. The Parties acknowledge that the Security Measures are subject to technical progress and development and that flex.bi may unilaterally update or modify the Security Measures from time to time, provided that such updates and modifications improve the overall security of the Services. Where such amendments to the Security Measures take place, flex.bi shall notify the Customer of the implemented changes without undue delay.
3.4. flex.bi ensures that the persons authorized to process Customer Personal Data as described in this Agreement are bound by appropriate confidentiality requirements.

4. Sub-processing

4.1. Customer agrees that flex.bi may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by flex.bi and authorized by Customer are listed in Annex I.

4.2. flex.bi shall:

4.2.1. enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Data Protection Laws and, in substance, to the same standard provided by this Agreement; and

4.2.2. remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under Data Protection Laws or this Agreement.

4.3. flex.bi must:

4.3.1. make available an up-to-date list of the Sub-processors it has appointed upon written request from the Customer; and

4.3.2. notify Customer of any new Sub-processor at least fourteen (14) days prior to allowing such Sub-processor to process Customer Personal Data. Customer may object in writing to flex.bi’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that the objection is based on reasonable grounds relating to data protection. In such an event, the Parties will discuss the concerns in good faith with a view to achieving a resolution. If the Parties are not able to achieve a resolution, Customer, as its sole and exclusive remedy, may terminate the Principal Agreement (including this DPA) for convenience.

5. Data Subject Rights

5.1. Taking into account the nature of the Processing, flex.bi shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

5.2. flex.bi shall:

5.2.1. promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

5.2.2. ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable law to which flex.bi is subject, in which case flex.bi shall, to the extent permitted by applicable law, inform Customer of that legal requirement before flex.bi responds to the request.

5.3. If the requests of the Data Subject are manifestly unfounded or excessive or have a repetitive character, flex.bi shall have the right to request remuneration for performing the requests.

6. Personal Data Breach

6.1. flex.bi shall notify Customer without undue delay, and in any case no later than 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report the Personal Data Breach or to inform Data Subjects of it under the Data Protection Laws.

6.2. flex.bi shall co-operate with the Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7. Deletion or return of Customer Personal Data

7.1. Customer acknowledges that all Customer Personal Data can be deleted by Customer using the Services. If Customer deletes the data using the Services, flex.bi confirms that all copies of Customer Personal Data will be deleted within 10 (ten) business days.

7.2. If Customer does not delete Customer Personal Data before the cessation of any Services involving the Processing of Customer Personal Data, flex.bi shall retain the data in accordance with flex.bi’s Privacy Policy.

7.3. Upon request, flex.bi shall provide written certification to Customer that it has fully complied with this section 7 within 10 business days of the cessation of any Services involving the Processing of Customer Personal Data.

8. Audit

8.1. Customer acknowledges that flex.bi is regularly audited by independent third-party auditors and/or internal auditors, including as may be described from time to time in Annex II. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with flex.bi, flex.bi shall:

8.1.1. supply (on a confidential basis) a summary copy of its audit report(s) (“Report”) to Customer so that the Customer can verify flex.bi’s compliance with the audit standards against which it has been assessed and this Agreement; and

8.1.2. provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires that are necessary to confirm flex.bi’s compliance with this DPA, provided that Customer cannot exercise this right more than once per calendar year.

9. Data Transfer

9.1. flex.bi may not transfer or authorize the transfer of Customer Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on the standard contractual clauses for the transfer of personal data approved by the European Commission.

10. Rights and obligations of the Customer

10.1. Customer warrants that, as the Data Controller, it has fulfilled all obligations of a personal data controller under the GDPR and applicable laws necessary to ensure that flex.bi, as the Data Processor, has the right to process the Customer Personal Data in accordance with the Agreement before the Customer Personal Data is made available to flex.bi. This includes, but is not limited to, ensuring a legal basis for the processing of Customer Personal Data, purpose limitation of the processing, informing Data Subjects about the processing of their Personal Data, complying with lawful retention terms for the Customer Personal Data and ensuring proper safeguards for transfers of Customer Personal Data.

10.2. Customer confirms that the Personal Data protection measures referred to in Annex II of the Agreement, when implemented by flex.bi, are sufficient to comply with this Agreement and the requirements of the GDPR.

11. General Terms

11.1. Confidentiality. Each Party must keep the information it receives about the other Party and its business, including Customer Personal Data in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

11.1.1. disclosure is required by law;

11.1.2. the relevant information is already in the public domain.

11.2. Notices. All notices by flex.bi shall be given by sending an email to the Customer’s technical contact or by publishing a message in the Latest news section of the Home section of the Service. All notices by Customer shall be given by sending an email to flex.bi’s support address: support@flex.bi.

12. Term and termination of the Agreement

12.1. This Agreement remains in force until it is terminated by the Parties or until all obligations of the Parties under the Principal Agreement, including the period of data retention, have been fulfilled.

12.2. The Parties shall be entitled to terminate the Agreement unilaterally by notifying the other Party thereof at least 3 (three) calendar months in advance.

12.3. If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions, or regulations regarding the application of the GDPR during the term of this Agreement, with the result that this Agreement does not meet the requirements for a data processing agreement, flex.bi shall change this Agreement to meet the requirements.

12.4. If any provision of this Agreement is or becomes invalid or void, this shall not affect the effectiveness of the remaining provisions under the Agreement. In such cases, the Parties shall make all efforts to replace the invalid provision with a new one, reflecting the intention and content of the replaced provision. If such a remedy is not possible, the Parties agree on the addition of a new provision to the Agreement, which, to the extent possible, shall govern the same relations and/or issues.

13. Governing Law and Jurisdiction

13.1. This Agreement is governed by the laws of the Republic of Latvia.

13.2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the Republic of Latvia.

Annex I. List of flex.bi Sub-processors

Processor | Purpose      | Entity country | Website
Upcloud   | Data hosting | Finland        | Upcloud

Annex II - Security Measures

This Annex describes flex.bi’s security program, security certifications, and technical, organizational and administrative controls and measures to protect Customer Data from unauthorized access, destruction, use, modification or disclosure (the “Security Measures“). The Security Measures are in line with the commonly accepted standards of similarly situated software-as-a-service providers.

Secure Personnel

Confidentiality or Non-Disclosure Agreements (NDAs) are signed by all employees and contractors who have a need to access sensitive or internal information. Security training and testing are regularly conducted for flex.bi employees and contractors.

The flex.bi support team accesses Customer Personal Data only for the purposes of application health monitoring, performing system or application maintenance, and, upon Customer request, providing support. Only authorized flex.bi employees have access to application data.

Secure Software Development

All software development projects follow secure development lifecycle principles. All development undergoes design review to ensure that security requirements are incorporated into the software. All software development team members undergo regular secure development training. Software development is conducted in line with the OWASP Top 10 recommendations for web application security.

Secure Testing

flex.bi commissions third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis. flex.bi participates in bug bounty programs that continuously test its products for vulnerabilities. Static and dynamic application security testing of all code, including open-source libraries, is performed as part of the software development process.

Cloud Security

flex.bi Cloud isolates each Customer’s data within a multi-tenant cloud architecture. flex.bi Cloud is hosted on the Upcloud platform (DE-FRA1 data center in Germany).

  • Data imported into each flex.bi account is stored in a separate database schema and is isolated from other Customers’ data.
  • Each incoming web request is authenticated and authorized before access to Customer data is allowed.

  • All data is encrypted at rest and in transit to prevent unauthorized access.

  • Full backups of the flex.bi application database are performed once per day and are retained for 14 days. All backup data is encrypted. Backups are stored on the Upcloud platform.