Data Processing Agreement
Last updated: June 14, 2026 · Effective: June 14, 2026
1. Definitions
In this DPA:
- "Controller" means the FlexOra business customer who determines the purposes and means of processing personal data of their own end-clients.
- "Processor" means FlexOra, processing personal data on behalf of the Controller.
- "Data Subjects" means the Controller's clients and customers whose personal data is processed via FlexOra.
- "Personal Data" has the meaning given in Article 4(1) GDPR.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Sub-processor" means any third party engaged by FlexOra to process personal data on behalf of the Controller.
- "Standard Contractual Clauses (SCCs)" means the standard data protection clauses adopted by the European Commission under Article 46(2)(c) GDPR.
2. Scope and Nature of Processing
| Subject matter | Management of the Controller's client data via the FlexOra platform |
| Duration | For the term of the FlexOra subscription and 90 days thereafter |
| Nature | Storage, retrieval, organisation, display, and deletion of personal data |
| Purpose | Enabling CRM, appointment booking, invoicing, communication, and AI features |
| Data categories | Names, email addresses, phone numbers, appointment history, payment records, notes, tags |
| Data subjects | The Controller's clients and customers |
3. Controller Obligations
The Controller shall:
- Have a valid legal basis under GDPR for instructing FlexOra to process personal data (e.g., contract performance, consent, legitimate interests)
- Ensure data subjects have been informed about the processing, including the use of FlexOra as a processor
- Obtain any necessary consents before sending marketing messages or WhatsApp messages to data subjects via FlexOra
- Not instruct FlexOra to process personal data in a way that violates applicable law
- Ensure accuracy of personal data submitted to FlexOra
4. Processor Obligations
FlexOra shall:
- Process personal data only on documented instructions from the Controller (i.e., to provide the Service), unless required by law
- Ensure all personnel who process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR)
- Not engage any new sub-processor without first notifying the Controller and giving opportunity to object
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability) insofar as this is possible given the nature of the processing
- Assist the Controller in fulfilling obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation)
- Upon termination, delete or return all personal data within 90 days unless retention is required by law
- Provide all information necessary to demonstrate compliance with this DPA and allow audits (Article 28(3)(h) GDPR)
5. Technical and Organisational Security Measures
FlexOra implements the following measures (Article 32 GDPR):
- All data encrypted in transit via TLS 1.2+
- Passwords hashed with bcrypt (never stored in plaintext)
- Authentication via HttpOnly, Secure, SameSite=Strict cookies
- Role-based access control — staff can only access their business's data
- Multi-tenant isolation — each business's data is strictly separated by businessId
- Regular automated backups with tested restore procedures
- Incident response plan with 72-hour breach notification capability
- Payment data handled exclusively by Stripe (PCI-DSS Level 1 certified)
- AI prompts sanitised to remove PII before transmission to Anthropic
- Redis-backed rate limiting to prevent abuse
6. Sub-Processors
FlexOra currently uses the following sub-processors. The Controller consents to their engagement by accepting this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA (SCCs + DPF) |
| Anthropic (Claude API) | AI features — PII masked | USA (SCCs) |
| Resend | Email delivery | USA (SCCs) |
| Railway | Cloud infrastructure & database hosting | USA (SCCs) |
| Google (Analytics) | Anonymized analytics only | USA (DPF) |
FlexOra will notify the Controller of any intended changes to this list (additions or replacements) by email at least 14 days in advance. The Controller may object in writing within 14 days. Continued use of the Service after the notice period constitutes acceptance.
7. International Data Transfers
Where personal data is transferred to countries outside the EEA or UK, FlexOra ensures adequate safeguards via:
- Standard Contractual Clauses (SCCs) — Module 3 (Processor-to-Processor) with sub-processors in non-adequate third countries
- EU-U.S. Data Privacy Framework (DPF) certification where applicable
- Adequacy decisions by the European Commission
Copies of the applicable SCCs are available on request at privacy@flex-ora.app.
8. Data Subject Rights Assistance
When a data subject exercises their rights (access, rectification, erasure, portability, restriction, objection), the Controller is responsible for responding within GDPR deadlines. FlexOra will:
- Provide tools enabling the Controller to access, correct, export, or delete their clients' data via the FlexOra dashboard
- Respond to Controller requests for data-subject-specific exports or deletions within 5 business days
- Not respond directly to data subjects on the Controller's behalf unless separately agreed in writing
9. Personal Data Breach Notification
In the event of a personal data breach affecting the Controller's data, FlexOra will notify the Controller without undue delay (and within 72 hours of becoming aware). The notification will include:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
The Controller remains responsible for notifying the relevant supervisory authority and data subjects as required by Articles 33–34 GDPR.
10. Audit Rights
The Controller may audit FlexOra's compliance with this DPA by:
- Requesting a written compliance summary (provided within 15 business days)
- Conducting an on-site audit (with at least 30 days' written notice, during business hours, no more than once per year, at the Controller's cost)
- Reviewing SOC 2 or ISO 27001 reports if and when obtained by FlexOra
11. Duration and Termination
This DPA remains in force for the duration of the Terms of Service and terminates automatically upon termination of the subscription. Upon termination, FlexOra will delete or return all Controller personal data within 90 days, except where retention is required by law.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. FlexOra shall not be liable for processing carried out on instructions of the Controller that violate applicable law.
13. Contact
For DPA-related enquiries, to request SCCs, or to exercise audit rights:
FlexOra Data ProtectionEmail: privacy@flex-ora.app
Subject: "DPA Request"