Skip to main content

← Home

Data Processing Addendum

Last Updated: July 17, 2026

This Data Processing Addendum ("DPA") supplements the FullFloe.ai Terms of Service between FullFloe.ai Labs Inc. ("Processor") and the customer ("Controller"). It applies when Processor processes personal data on behalf of Controller in the course of providing the service, including where that data relates to EU/UK data subjects and the GDPR or UK GDPR applies.

1. Roles and scope

Controller determines the purposes and means of processing personal data submitted to the service. Processor processes personal data only on Controller's documented instructions, as set out in the Terms, this DPA and Controller's use of the service.

2. Sub-processors

Controller authorises Processor to engage the sub-processors listed at /subprocessors. Processor will provide 30 days' notice of material changes and impose data-protection obligations on sub-processors no less protective than this DPA.

3. International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on the EU Standard Contractual Clauses (2021/914) and the UK IDTA / UK Addendum, incorporated by reference, with Processor acting as data importer and Controller as data exporter.

4. Security

Processor implements appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, audit logging, and regular vulnerability testing. A summary is available on request.

5. Data subject requests

Processor will provide reasonable assistance to Controller in responding to data subject rights requests (access, erasure, rectification, portability, restriction, objection). Where a request is sent directly to Processor, it will forward it to Controller without undue delay.

6. Breach notification

Processor will notify Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Controller's data.

7. Deletion and return

On termination, Processor will delete or return Controller personal data within 30 days unless retention is required by law. Backups are purged on their standard cycle.

8. Audits

Processor will make available information necessary to demonstrate compliance and, no more than once per year, allow for and contribute to audits conducted by Controller or an independent auditor mandated by Controller, on reasonable notice and subject to confidentiality.

To execute a countersigned copy, email privacy@fullfloe.ai.