Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is entered into between FlowGrid (a subsidiary of Osei Interactive) ("Processor", "we", "us") and the customer entity accepting this DPA ("Customer", "Controller"). This DPA forms part of and is incorporated into the FlowGrid Terms of Service (the "Agreement").

If there is any conflict between this DPA and the Agreement regarding data protection, this DPA controls.

1. Definitions and Interpretation

Capitalized terms not defined here have the meanings given in the GDPR.

• "GDPR" means Regulation (EU) 2016/679.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Subprocessor" means a third party engaged by Processor to process Personal Data on behalf of Customer.

2. Roles

Customer is the Controller (or a Processor acting on behalf of a Controller) of Personal Data.

FlowGrid is the Processor of Personal Data processed on behalf of Customer.

3. Scope of Processing

FlowGrid will process Personal Data only:

• to provide, secure, maintain, and improve the FlowGrid service under the Agreement,
• as documented and configured by Customer through use of the Service, and
• as otherwise required by applicable law.

Processing details are described in Schedule 1.

4. Processor Obligations

FlowGrid will:

• Process on instructions. Process Personal Data only on documented instructions from Customer, including Customer's configuration and use of the Service.
• Confidentiality. Ensure personnel authorized to process Personal Data are under appropriate confidentiality obligations.
• Security. Implement appropriate technical and organizational measures to protect Personal Data, as described in Schedule 2.
• Subprocessors. Engage Subprocessors only in accordance with Section 5.
• Assist with rights requests. Provide reasonable assistance to Customer for responding to data subject requests, subject to Section 7.
• Assist with DPIAs. Provide reasonable information/assistance for DPIAs and supervisory authority consultations where required by GDPR, to the extent Customer cannot reasonably do so without Processor's help.

5. Subprocessors

Customer provides a general authorization for FlowGrid to engage Subprocessors.

A current list of Subprocessors is available at: https://flowgrid.info/subprocessors

FlowGrid will ensure Subprocessors are bound by written obligations that are at least as protective as this DPA.

FlowGrid remains responsible for Subprocessors' performance of their obligations.

Changes. FlowGrid will update the Subprocessor list as Subprocessors change. Customer may object to a new Subprocessor on reasonable data protection grounds by contacting [email protected].

6. International Transfers

Where Personal Data is transferred outside the EU/EEA/UK/Switzerland, FlowGrid will ensure an appropriate transfer mechanism is in place, such as:

• the EU–US Data Privacy Framework (where applicable), and/or
• Standard Contractual Clauses (where applicable).

7. Data Subject Requests (DSARs)

The Service includes functionality that enables Customer to access, export, and delete Customer Data.

If Customer requires assistance, requests may be submitted to [email protected]. FlowGrid will provide reasonable assistance to Customer in responding to data subject requests under applicable law.

FlowGrid is not responsible for responding directly to data subjects unless legally required.

8. Personal Data Breach

FlowGrid will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on Customer's behalf and will provide information reasonably required for Customer to meet its breach-notification obligations.

Notifications will be sent to the email address associated with Customer's account or another contact email designated by Customer.

9. Deletion and Return

During the term of the Agreement, Customer may delete Personal Data using Service functionality.

Upon termination or expiration of the Agreement, FlowGrid will delete or return Personal Data in accordance with the Service's capabilities and the Agreement, except to the extent retention is required by law.

Backups. Personal Data may remain in encrypted backups for a limited period consistent with FlowGrid's backup retention practices.

10. Audit and Compliance

Upon Customer's written request (no more than once per year), FlowGrid will provide reasonable written information to demonstrate compliance with this DPA.

Customer acknowledges FlowGrid is not obligated to provide on-site audits or allow access to multi-tenant systems or other customers' data.

11. Liability

Liability under this DPA is subject to the limitations and exclusions in the Agreement, except where prohibited by applicable law.

12. Order of Precedence

If there is any conflict between this DPA and the Agreement regarding data protection, this DPA controls.

Schedule 1 — Processing Details

Subject matter: Provision of the FlowGrid platform and related support.

Duration: For the term of the Agreement, plus any period necessary to delete data in accordance with the Agreement and applicable law.

Nature and purpose of processing: Hosting, storing, organizing, and enabling Customer's management of Customer Data, including user access, search, automation, and customer support.

Categories of data subjects: Customer's authorized users; Customer's contacts, leads, clients, and other end customers (as determined by Customer).

Categories of Personal Data: Determined by Customer. May include contact information, business relationship data, and user account data.

Special categories of data: Customer should not submit special categories of data unless expressly enabled and supported by FlowGrid and permitted by applicable law.

Schedule 2 — Security Measures (Summary)

FlowGrid maintains technical and organizational measures appropriate to risk, which may include:

• encryption in transit;
• encryption at rest;
• field-level encryption for designated sensitive fields;
• access controls and least-privilege permissions;
• multi-tenant isolation controls;
• audit/event logging;
• monitoring and security alerting;
• incident response procedures.

Security measures may evolve over time provided they do not materially reduce protection.