Data Processing Agreement

Last modified: 1st January 2026

1. Scope

1.1. This Data Processing Agreement ("DPA") forms part of the agreement(s) for the purchase, use and/or licensing of products or services of fluctor ("Services"), together with its exhibits, or other incorporated or referenced documents and any other agreement(s) governed by such agreement(s) ("Agreement"), between fluctor and the customer that has executed or agreed to such agreement(s) ("Customer").

1.2. In the course of providing the Services to Customer under the Agreement, fluctor may Process Personal Data on behalf of the Customer in which case parties agree to comply with the provisions of this DPA. The provisions of this DPA shall only apply to the extent that (and as the case may be) fluctor (as the Processor) Processes Personal Data on behalf of the Customer (as the Controller) under the Agreement.

1.3. In case of conflict between any provision of this DPA and any provision or another part of the Agreement, this DPA shall prevail.

1.4. If at any time any provision of this DPA is or becomes illegal, invalid or unenforceable in any respect under any law of any jurisdiction, in whole or in part neither the legality, validity or enforceability of the remaining provisions of this DPA nor the legality, validity or enforceability of such provisions under the laws of any other jurisdiction will in any way be affected or impaired.

1.5. The DPA is entered into for the term of the Agreement and remains in full force until the Processing of Personal Data is no longer required in the framework or pursuant to the Agreement or longer, if required by law or Data Protection Legislation.

1.6. If the Customer has any questions regarding the Processing of Personal Data by fluctor, Customer may send such questions to support@fluctor.com

2. Definitions

For the purpose of this DPA, the following terms shall have the following meaning. In case of any doubt or differences with the terms defined in the Data Protection Legislation, the definitions stipulated in the relevant Data Protection Legislation shall prevail.

"Controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data carried out under its authority, for the purposes of the Consultancy Agreement and the DPA, being the Customer.

"Data Protection Legislation" means the GDPR together with any other (data protection) laws resulting from the GDPR and/or all other applicable laws of any country with regard to the protection of Personal Data or privacy.

"Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.

"GDPR" means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Personal Data" means any information relating to a Data Subject within the meaning of Article 4, 1) GDPR.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed in connection with the Agreement and the provision of the Services.

"Processing", "Process(es)" or "Processed" means any operation or set of operation which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means a natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the Customer, being fluctor.

"Security Measures" means the technical and organizational measures within the meaning of Article 32 GDPR aiming at protecting Personal Data against accidental or unlawful destruction or loss, as well as against non-authorised access, alteration or transmission.

"SSCs" means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

"Sub-processor" means any Processor engaged as a sub-processor or subcontractor by fluctor and processes Personal Data for, on behalf of and in accordance with the instructions of fluctor.

"Supervisory Authority" means an independent public authority which is established by a Member State pursuant to Article 51 GDPR.

"Third Party" means any party who is not a Data Subject, Controller, Processor or Sub-processor under this DPA.

2.2. Any other terms used in this DPA but not defined will have the same meaning as in the Data Protection Legislation or the Agreement.

3. Details of the Processing

3.1. Subject-nature: the Processing of Personal Data by fluctor (as Processor) on behalf of Customer (as Controller) relates to the performance of the Services as described in the Agreement.

3.2. Means of the Processing: systems, software, products, Services, tools and/or servers of fluctor.

3.3. Categories of Personal Data: The Personal Data that will be processed will depend upon Customer's use of the Services. To the extent Customer documents used with the Services contain Personal Data, it may consist of identifying information of end users (such as name, email address, physical address, IP address, or other unique identifier), financial data, identifying information of third parties with whom data is shared, organization data, and any other Personal Data contained in documents, images and other content or data in electronic form stored or transmitted by end users via the Services.

3.4. Categories of Data Subjects: customers and/or prospective customers, end-users (authorized by the Customer to use the Services), partners, employees, agents or other service providers or contractors of the Customer.

3.5. Purposes of the Processing: to perform the Services as described in the Agreement, and/or to comply with other documented or written reasonable instructions provided by the Customer where such instructions are consistent with the terms of the Agreement.

3.6. Retention period(s): fluctor will Process Personal Data for the term of the Agreement, unless otherwise agreed upon in writing or as required by applicable law and no longer than is necessary for the purposes for which the Personal Data are Processed.

4. General

4.1. fluctor Processes the Personal Data only on behalf of the Customer and in accordance with the documented or written instructions of the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law to which fluctor is subject; in such a case, fluctor shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

4.2. fluctor shall only Process Personal Data in accordance with the purposes specified in section 3.5 above. fluctor shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other Data Protection Legislation.

4.3. Any Processing of Personal Data by fluctor under the Agreement shall be performed in accordance with the applicable Data Protection Legislation, including the GDPR. The Customer shall comply with the applicable Data Protection Legislation and is solely responsible for the lawfulness of the Personal Data.

4.4. fluctor ensures that the Personal Data is only disclosed to the personnel or persons acting on behalf of fluctor that are authorized to Process the Personal Data and who need it to perform the Services. fluctor ensures that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Transfer of Personal Data

5.1. fluctor agrees to keep all Personal Data and its Processing strictly secret and shall not disclose or reveal it, in whole or in part, directly or indirectly, to any Third Party, unless with prior written consent by the Customer or required by law.

5.2. The Customer agrees to allow transfers of Personal Data outside the country from which it was originally collected provided that such transfers are required in connection with the provision of the Services under the Agreement and such transfers take place in accordance with Data Protection Legislation.

5.3. Where fluctor transfers Personal Data collected in the European Economic Area to a country outside the European Economic Area and without an adequacy decision under Article 45 of the GDPR, fluctor shall transfer Personal Data pursuant to the SCCs, and to the extent applicable, fluctor shall ensure that its Sub-processors comply with the obligations of a data importer.

6. Security Measures

fluctor shall implement and maintain all appropriate Security Measures to ensure a level of security to the risks in accordance with Article 32 GDPR. The Customer may request fluctor to provide an updated description of the implemented Security Measures.

7. Sub-processors

7.1. The Customer acknowledges and agrees that fluctor may engage Sub-processors for the provision of the Services under the Agreement and that fluctor can transfer Personal Data to these Sub-processors in this context. fluctor shall inform the Customer upon request about all Sub-processors engaged and that Process Personal Data under the Agreement.

7.2. fluctor will list its current Sub-processors for the Services upon request.

7.3. fluctor shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes within ten (10) business days after receipt of fluctor's communication.

7.4. fluctor shall enter into a written agreement with any engaged Sub-processor that contains data protection obligations no less protective than those contained in this DPA.

7.5. Where such Sub-processor fails to fulfil its Personal Data protection obligations, fluctor shall be liable for the performance of that Sub-processor's obligations.

8. Assistance and Information Obligations

8.1. Taking into account the nature of the Processing and the information available to fluctor, fluctor shall assist the Customer by appropriate technical and organization measures for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR and in ensuring compliance with the obligations pursuant to Article 32-36 GDPR.

8.2. fluctor shall make available to the Customer all information necessary to demonstrate compliance with the GDPR and in particular with the obligations laid down in Article 28 GDPR.

8.3. fluctor shall be entitled to invoice the Customer on a time and material basis at the then-current prices for any time expended for any such assistance.

9. Audits

9.1. The Customer is entitled to reasonably verify fluctor's compliance with the DPA and the Data Protection Legislation, provided that fluctor shall have no obligation to provide confidential and/or proprietary information. To this extent, the Customer may, upon written request with prior notice of thirty (30) calendar days, at its own expense, instruct acknowledged audit professionals to execute such audit or inspection once every twelve (12) months during normal office hours.

9.2. Before the commencement of any such audit, parties shall mutually agree upon the scope, timing and duration of the audit, including conditions of confidentiality. Audit reports and any other information to which the Customer has access pursuant to any audit activities will be considered confidential information.

9.3. fluctor shall be entitled to invoice the Customer on a time and material basis at the then-current applicable prices for any time expended for any such audit inquiries.

10. Personal Data Breaches

10.1. In the event of a Personal Data Breach, fluctor shall notify the Customer without undue delay after having become aware of such Personal Data Breach, specifying where known: (i) the nature of the Personal Data Breach; (ii) the categories and approximate number of Data Subjects and Personal Data records concerned; (iii) any remedial actions taken or proposed; and (iv) the identity and contact details of any other contact person from whom more information can be obtained.

10.2. Both parties agree to fully cooperate with any investigation of a Personal Data Breach and to assist each other in complying with any notification requirements and procedures.

11. Return and/or Deletion of Personal Data

11.1. Upon termination of the DPA and/or the Agreement, fluctor shall delete or anonymize all Personal Data on its systems at the latest sixty (60) calendar days after the last effective day of the DPA and/or the Agreement, unless otherwise instructed by the Customer or unless applicable law requires longer storage.

11.2. Upon written request of the Customer, fluctor will provide the Customer with a readable copy in a standard format of the Personal Data on its systems. The costs related to such request are at the Customer's expense.

12. Liability

12.1. fluctor is only liable for the damage caused by the Processing of Personal Data under the DPA where it has not complied with the applicable Data Protection Legislation specifically directed to Processors and/or where it has acted outside or contrary to lawful instructions of the Customer.

12.2. The provisions of the Agreement on (limitation of) liability fully apply for the Processing of Personal Data by fluctor under the DPA. In any event, fluctor's aggregate maximum liability under this DPA will be limited to the sum equal to the highest of the following amounts: (i) the fees paid under the Agreement by the Customer to fluctor or (ii) the amount of the insurance coverage offered by any of fluctor's relevant insurance policies.

Exhibit 1 — Standard Contractual Clauses: Clause Selections

1. To the extent legally required, by agreeing to this DPA, Customer and fluctor are deemed to have signed the SCCs as an additional safeguard, which form part of this DPA and will be deemed completed as follows:

  • Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to fluctor (as a Processor) and Module 3 applies to transfers from Customer (as a Processor) to fluctor (as a Subprocessor);
  • Clause 7 (the optional docking clause) is included;
  • Under Clause 9 (Use of Subprocessors), the Parties select Option 2 (General written authorization);
  • Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
  • Under Clause 17 (Governing law), the Parties choose the law of Ireland;
  • Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
  • Annex III (List of Subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.

2. With respect to Personal Data transferred from the United Kingdom, for which the United Kingdom Data Protection Act of 2018 ("UK GDPR") governs the international nature of the transfer, the International Data Transfer Addendum to the SCCs forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs.