This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Flusso and Customer. It applies where Flusso processes personal data on behalf of Customer.
1. Roles
Customer is the controller of Customer Personal Data. Flusso is the processor of Customer Personal Data. Customer determines the purposes and means of processing. Flusso processes Customer Personal Data only to provide the Services and according to Customer’s documented instructions.
2. Customer Instructions
Customer instructs Flusso to process Customer Personal Data as necessary to:
- provide the Services;
- maintain and secure the Services;
- provide support;
- process imports, campaigns, messages, inbox data, analytics, and workflow data;
- comply with applicable law.
3. Customer Responsibilities
- lawfulness of Customer Personal Data;
- providing required notices;
- obtaining required consents or legal bases;
- responding to data subject requests where Customer is controller;
- ensuring that use of the Services complies with applicable data protection laws.
4. Flusso Responsibilities
- process Customer Personal Data only on documented instructions;
- ensure personnel with access are bound by confidentiality;
- implement reasonable technical and organizational measures;
- assist Customer with data subject requests where reasonably possible;
- assist Customer with security, breach, DPIA, and compliance obligations where required by law;
- delete or return Customer Personal Data after termination, unless retention is required by law.
5. Subprocessors
Customer authorizes Flusso to use subprocessors to provide the Services. Flusso will maintain a Subprocessors page listing categories or names of subprocessors where applicable. Flusso remains responsible for subprocessors to the extent required by applicable data protection law.
6. International Transfers
Where Customer Personal Data is transferred internationally, Flusso will use appropriate transfer safeguards where required by applicable law.
7. Security Measures
- access control;
- authentication;
- least-privilege access;
- encryption where appropriate;
- secure hosting;
- logging and monitoring;
- confidentiality obligations;
- incident response procedures;
- backup and recovery measures where appropriate;
- vendor review where appropriate.
8. Personal Data Breach
Flusso will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, as required by applicable law. Flusso will provide reasonable information available to help Customer meet legal obligations.
9. Data Subject Requests
If Flusso receives a data subject request relating to Customer Personal Data, Flusso will either direct the requester to Customer or notify Customer where legally permitted.
10. Deletion or Return
After termination, Customer may request export or deletion of Customer Personal Data within a reasonable period. After that period, Flusso may delete Customer Personal Data unless retention is required by law.
11. Audits
Flusso will provide reasonable information necessary to demonstrate compliance with this DPA. Any audit must be reasonable, limited, confidential, and not disrupt Flusso operations.
12. Conflict
If this DPA conflicts with the Terms regarding personal data processing, this DPA controls.
Schedule A: Processing Details
Subject matter: Provision of LinkedIn infrastructure, automation, shared inbox, analytics, account access, browser/proxy configuration, and support.
Duration: For the term of Customer’s subscription and any retention period required by law or agreed by the parties.
Categories of data subjects:
- Customer users;
- Customer employees and contractors;
- Customer prospects and leads;
- recipients of outreach messages;
- support contacts.
Categories of personal data:
- names;
- business emails;
- LinkedIn profile URLs;
- company names;
- job titles;
- message content;
- campaign data;
- reply data;
- CRM/contact data;
- usage logs;
- technical identifiers;
- support communications.
Sensitive data: Not intended. Customer must not submit sensitive personal data unless expressly agreed in writing.
Purpose of processing: To provide, secure, maintain, support, and improve the Services.
Schedule B: Technical and Organizational Measures
- access controls;
- internal confidentiality;
- secure authentication;
- role-based permissions where available;
- encryption in transit where available;
- infrastructure monitoring;
- backup and recovery measures where available;
- incident response process;
- vendor management;
- personnel access limitation;
- secure support practices.
Schedule C: Subprocessors
| Provider / Category | Purpose | Data processed | Location | Status |
|---|---|---|---|---|
| Vercel | Website hosting and frontend deployment | Website usage data and logs | US / EU | Active |
| Supabase | Database, authentication, and backend services | Account data, service data, technical logs | EU / US | Active |
| Stripe | Payments and billing | Billing data and transaction data | EU / US | Active |
| Google Workspace | Business email and internal communication | Contact data and communication metadata | EU / US | Active |
| Google Analytics | Website analytics | Usage data, device data, event data | EU / US | Optional |
| Crisp | Live chat and customer support | Support conversations and contact data | EU | Active |
| GoLogin | Browser profile infrastructure | Browser profile data and technical session data | International | Active |
| Proxy network provider | Proxy and network access | Technical connection data | International | Active |
| Airtable | Internal CRM and operations | Business contact data and account operations data | EU / US | Optional |
See also the full Subprocessors page.
