Data Processing Addendum
Last Updated: July 17, 2026
This Data Processing Addendum ("DPA") supplements the FullFloe.ai Terms of Service between FullFloe.ai Labs Inc. ("Processor") and the customer ("Controller"). It applies when Processor processes personal data on behalf of Controller in the course of providing the service, including where that data relates to EU/UK data subjects and the GDPR or UK GDPR applies.
1. Roles and scope
Controller determines the purposes and means of processing personal data submitted to the service. Processor processes personal data only on Controller's documented instructions, as set out in the Terms, this DPA and Controller's use of the service.
2. Sub-processors
Controller authorises Processor to engage the sub-processors listed at /subprocessors. Processor will provide 30 days' notice of material changes and impose data-protection obligations on sub-processors no less protective than this DPA.
3. International transfers
Where personal data is transferred outside the EEA/UK, the parties rely on the EU Standard Contractual Clauses (2021/914) and the UK IDTA / UK Addendum, incorporated by reference, with Processor acting as data importer and Controller as data exporter.
4. Security
Processor implements appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, audit logging, and regular vulnerability testing. A summary is available on request.
5. Data subject requests
Processor will provide reasonable assistance to Controller in responding to data subject rights requests (access, erasure, rectification, portability, restriction, objection). Where a request is sent directly to Processor, it will forward it to Controller without undue delay.
6. Breach notification
Processor will notify Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Controller's data.
7. Deletion and return
On termination, Processor will delete or return Controller personal data within 30 days unless retention is required by law. Backups are purged on their standard cycle.
8. Audits
Processor will make available information necessary to demonstrate compliance and, no more than once per year, allow for and contribute to audits conducted by Controller or an independent auditor mandated by Controller, on reasonable notice and subject to confidentiality.
To execute a countersigned copy, email privacy@fullfloe.ai.