Data Processing Agreement

Last updated: December 27, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the service agreement between Flowlyn ("Processor") and the Client ("Controller") and governs the processing of personal data in accordance with applicable data protection laws.

2. Definitions

For the purposes of this DPA:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data
  • Controller: The entity that determines the purposes and means of processing
  • Processor: The entity that processes personal data on behalf of the Controller
  • Data Subject: The individual to whom the personal data relates

3. Scope and Nature of Processing

Processing Details

  • Subject matter: Provision of AI automation and workflow services
  • Duration: For the duration of the service agreement
  • Nature and purpose: Processing necessary to provide automation services
  • Categories of data subjects: Client employees, customers, and contacts
  • Types of personal data: Names, email addresses, business contact information

4. Processor Obligations

Flowlyn undertakes to:

  • Process personal data only on documented instructions from the Controller
  • Ensure confidentiality of personal data
  • Implement appropriate technical and organizational measures
  • Assist the Controller in responding to data subject requests
  • Notify the Controller of any personal data breaches
  • Delete or return personal data upon termination of services
  • Make available information necessary to demonstrate compliance

5. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular testing and assessment of security measures
  • Measures to ensure ongoing confidentiality and integrity
  • Ability to restore availability of data in case of incidents
  • Access controls and authentication measures
  • Regular security training for personnel

6. Sub-processors

The Controller provides general authorization for the engagement of sub-processors. Current sub-processors include:

  • Cloud Infrastructure Providers: For hosting and data storage
  • Analytics Services: For performance monitoring and optimization
  • Communication Tools: For client communication and support

We will inform the Controller of any intended changes concerning sub-processors and provide an opportunity to object to such changes.

7. Data Subject Rights

We will assist the Controller in fulfilling data subject rights requests, including:

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

8. Data Breach Notification

In case of a personal data breach, we will:

  • Notify the Controller without undue delay (within 24 hours when feasible)
  • Provide all relevant information about the breach
  • Assist in investigating and mitigating the breach
  • Implement measures to prevent future breaches
  • Document all breaches and remedial actions taken

9. International Transfers

Personal data may be transferred to countries outside India. We ensure appropriate safeguards are in place for such transfers, including:

  • Standard Contractual Clauses approved by relevant authorities
  • Adequacy decisions by competent authorities
  • Binding Corporate Rules where applicable
  • Certification schemes and codes of conduct

10. Data Retention and Deletion

Upon termination of the service agreement, we will:

  • Delete or return all personal data to the Controller
  • Delete existing copies unless storage is required by law
  • Provide certification of deletion upon request
  • Ensure sub-processors also delete or return data

11. Audits and Compliance

The Controller has the right to:

  • Conduct audits of our data processing activities
  • Request information about our compliance measures
  • Receive copies of relevant certifications and audit reports
  • Inspect our facilities with reasonable notice

12. Liability and Indemnification

Each party shall be liable for damages caused by its processing that infringes applicable data protection laws. We will indemnify the Controller against claims arising from our non-compliance with this DPA.

13. Contact Information

For any questions regarding this DPA or data processing matters:

Data Protection Officer: [email protected]

General Contact: [email protected]

Address: Ahmedabad, India