Data Processing Agreement

Last updated: 2026-05-27 · Version 2.0

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Controller”) and Product Guru IT Ltd, a company registered in England and Wales (“Processor”, operating the Fleqra platform), and reflects the parties' agreement on the processing of personal data as required by Article 28 of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and where applicable, the California Consumer Privacy Act (“CCPA”).

Use of the Fleqra platform after the “Last updated” date above constitutes acceptance of this DPA. A signed paper version is available on request — see “Acceptance” below.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service.

  • Controller — the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • Processor — Product Guru IT Ltd, which Processes Personal Data on behalf of the Controller.
  • Personal Data — any information relating to an identified or identifiable natural person uploaded to or generated within the Fleqra platform by the Controller.
  • Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and erasure.
  • Data Subject — the individual to whom Personal Data relates (e.g. the Controller's leads, prospects, customers, employees, or website visitors).
  • Sub-processor — a third party engaged by the Processor to Process Personal Data on behalf of the Controller.
  • Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • Standard Contractual Clauses — Module 2 (Controller-to-Processor) of the European Commission's Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914, together with the International Data Transfer Addendum issued by the UK Information Commissioner's Office.

2. Scope and purpose

This DPA applies to all Personal Data uploaded to or generated within the Fleqra platform by the Controller for the duration of the active subscription. The parties acknowledge that the Controller is the controller of the Personal Data, and the Processor is the processor.

The subject matter, duration, nature, and purpose of Processing are described in Annex 1 to this DPA and incorporated by reference. The Processor shall Process Personal Data only on documented instructions from the Controller, including via the Controller's use of the platform's features, unless required to do so by EU, UK, or Member State law.

3. Processor obligations

With respect to all Personal Data processed under this DPA, the Processor shall:

  1. Confidentiality. Ensure that personnel authorized to Process Personal Data are subject to written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
  2. Security. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in the Security policy and the public Security overview. These include, at a minimum: TLS 1.3 in transit, AES-256-GCM at rest for sensitive material, row-level multi-tenant isolation, role-based access controls, bcrypt password hashing, audit logging, and daily encrypted backups.
  3. Sub-processors. Engage Sub-processors only under Section 9 of this DPA.
  4. Cooperation. Provide reasonable assistance to the Controller in fulfilling its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities).
  5. Data subject rights. Provide reasonable assistance, including by appropriate technical and organizational measures, to enable the Controller to respond to requests from Data Subjects under Articles 15–22 of the GDPR, as further described in Section 6.
  6. Return or deletion. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, as further described in Section 11.
  7. Audit. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in Section 8.
  8. Instructions. Immediately inform the Controller if, in its opinion, an instruction infringes the GDPR, the UK GDPR, or other applicable data protection law.

4. Controller obligations

The Controller represents and warrants that it shall:

  1. Establish and maintain a valid lawful basis under Article 6 (and, where applicable, Article 9) of the GDPR for the Processing of Personal Data uploaded to the platform.
  2. Provide all required notices and obtain all required consents from Data Subjects in connection with the Processing — including marketing-email consent and any consent required for the use of the AI Sales Agent widget on the Controller's websites.
  3. Configure the platform (retention policies, access controls, marketing-consent flags) consistently with its obligations under data protection law.
  4. Respond to Data Subject requests it receives, using the export, deletion, and unsubscribe tooling the Processor makes available, and contact the Processor only where additional assistance is genuinely required.
  5. Not upload to the platform any special categories of data (Article 9 GDPR) or data subject to sector-specific regimes (HIPAA Protected Health Information, PCI cardholder data outside Stripe's scope, etc.) without a written addendum executed with the Processor.

5. International data transfers

The Processor primarily hosts Personal Data in the United States (AWS region us-east-1). Where the Controller is established in the European Economic Area, the United Kingdom, or Switzerland and transfers Personal Data to the Processor or its Sub-processors outside those territories, the following safeguards apply:

  • EU transfers. The parties incorporate by reference Module 2 (Controller-to-Processor) of the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 (“EU SCCs”). The Controller is the data exporter; the Processor is the data importer. The optional Clause 7 (Docking) is included; Option 2 of Clause 9(a) is selected (general written authorization for Sub-processors, with 30 days' prior notice); Option 1 of Clause 17 is selected (governing law of Ireland); Clause 18(b) selects the courts of Ireland. Annexes I and II of the EU SCCs are completed by reference to Annex 1 (Processing details) and the Security policy respectively.
  • UK transfers. The parties incorporate by reference the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (“UK Addendum”), version B1.0, with Part 1 completed by reference to the EU SCCs above.
  • Swiss transfers. The EU SCCs apply with references to the GDPR read as references to the Swiss Federal Act on Data Protection where appropriate.
  • Supplementary measures. The Processor implements supplementary measures consistent with the European Data Protection Board's recommendations following Schrems II, including encryption in transit and at rest, access controls, government-access request transparency, and challenges to any unlawful access demands.

6. Data subject rights

The platform provides the Controller with tooling to fulfill Data Subject rights under Articles 15–22 of the GDPR without requiring engineering intervention:

  • Article 15 (Access) and Article 20 (Portability): workspace export as structured JSON via Settings → Data export, including contacts, deals, campaigns, audit log, and team members. Sensitive material (password hashes, OAuth tokens) is stripped.
  • Article 16 (Rectification): contact and team-member records are editable in-product; programmatic access is available via the REST API.
  • Article 17 (Erasure): per-contact deletion in-product; workspace-level erasure via account closure (Section 11).
  • Article 18 (Restriction): the Controller may freeze a workspace (read-only mode) on request.
  • Article 21 (Objection): unsubscribe links in every outbound marketing email and suppression-list enforcement on every send.
  • Article 22 (Automated decision-making): the Processor does not engage in solely-automated decision-making producing legal effects. AI-generated content is presented as drafts for human review.

If a Data Subject contacts the Processor directly with a request relating to the Controller's data, the Processor will forward the request to the Controller without undue delay and refrain from responding substantively.

7. Personal data breach notification

The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Controller Personal Data, providing, to the extent then known:

  • The nature of the breach, including categories and approximate number of Data Subjects and records concerned;
  • The name and contact details of the Processor's Data Protection Officer;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

Where information cannot be provided at the same time, it may be provided in phases without undue further delay. The Processor shall assist the Controller in complying with its own notification obligations to supervisory authorities (Article 33 GDPR) and Data Subjects (Article 34 GDPR).

8. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. This obligation is primarily satisfied by:

  • The long-form Security policy and the public Security overview;
  • The most recent independent penetration test executive summary, available on request under NDA;
  • SOC 2 reports for the Processor's infrastructure Sub-processors (AWS), available on request;
  • Responses to standard security questionnaires (SIG Lite, CAIQ, VSA) on request.

Where the above does not satisfy a legitimate audit request of the Controller or a competent supervisory authority, the Controller may, with at least 30 days' prior written notice and no more than once per twelve-month period (except following a confirmed Personal Data Breach), conduct an audit through an independent third-party auditor reasonably acceptable to the Processor, at the Controller's expense. Audits shall be conducted during normal business hours, shall not unreasonably disrupt the Processor's operations, and shall be subject to confidentiality obligations.

9. Sub-processors

The Controller provides a general written authorization for the Processor to engage Sub-processors, subject to the conditions of this Section. A current list of Sub-processors is maintained at the Security overview page and reproduced in Annex 2.

The Processor shall:

  • Enter a written contract with each Sub-processor imposing data protection obligations substantively equivalent to those set out in this DPA;
  • Remain fully liable to the Controller for the performance of the Sub-processor's obligations;
  • Provide at least 30 days' prior written notice (by email to the workspace owner and via the change notification list at security@fleqra.com) of any intended addition or replacement of Sub-processors;
  • Allow the Controller to object on reasonable grounds within that notice period. If the parties cannot agree on a resolution, the Controller may terminate the affected services without penalty.

10. Term and termination

This DPA takes effect on the “Last updated” date above and continues for as long as the Processor Processes Personal Data on behalf of the Controller. Sections that by their nature should survive termination (including confidentiality, audit, return/deletion, and limitations of liability) shall so survive.

11. Data return and deletion

Upon termination of the services, the Controller may within 30 days request the export of all Personal Data via the platform's data-export tooling. Following that 30-day window — or earlier on the Controller's instruction — the Processor shall:

  • Delete all live Personal Data of the Controller from production systems within 30 days;
  • Delete or overwrite all Personal Data of the Controller from encrypted backups within 90 days of live deletion (as backups roll over);
  • Retain Personal Data only to the minimum extent and for the minimum duration required by applicable law (including tax, accounting, or anti-fraud obligations), keeping such data isolated and protected by the same technical and organizational measures.

On request, the Processor shall provide a written confirmation of deletion.

12. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales, except that the Standard Contractual Clauses and the UK Addendum are governed by the laws specified in Clause 17 of the EU SCCs (Ireland) and the UK Addendum respectively. The English courts have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, except as required by the SCCs or the UK Addendum.

13. Acceptance and execution

By using the Fleqra platform and Processing Personal Data through it, the Controller is deemed to have accepted this DPA on behalf of its organization. A countersigned paper or PDF version is available on request: email legal@fleqra.com with the legal entity name, the workspace ID, and the name and title of the authorized signatory. We countersign within 2 business days of receipt — no negotiation required for the standard form.


Annex 1 — Processing details

Subject matter

Provision of the Fleqra Sales & Marketing platform under the Terms of Service.

Duration

For as long as the Controller maintains an active subscription, plus the deletion windows in Section 11.

Nature and purpose of processing

  • Storage of contacts, leads, deals, and customer records;
  • Sending marketing and transactional emails on behalf of the Controller;
  • Publishing social media posts on connected accounts on behalf of the Controller;
  • Generating AI-assisted draft content (chats, emails, posts, proposals) via Anthropic Claude;
  • Analytics, reporting, and audit logging in support of the platform.

Categories of data subjects

  • The Controller's leads and prospects;
  • The Controller's customers and end users;
  • The Controller's team members and employees;
  • Visitors to the Controller's websites where the AI Sales Agent widget is installed.

Categories of personal data

  • Identifiers: name, email, phone, company, job title;
  • Contact and engagement history: emails sent, replies, calls logged, meetings booked;
  • Technical data: IP address, browser metadata, session identifiers;
  • Account credentials of Controller team members (passwords stored as bcrypt hashes only).

Annex 2 — Authorized sub-processors

See the canonical list at the Security overview page. At the date of this DPA, the authorized Sub-processors are:

Sub-processor              | Purpose                             | Location
---------------------------|-------------------------------------|--------------------------
Amazon Web Services, Inc.  | Hosting, Postgres, S3, email (SES)  | United States (us-east-1)
Stripe, Inc.               | Payment processing                  | United States
Anthropic, PBC             | AI content generation (Claude)      | United States
Cloudflare, Inc.           | DNS, edge caching                   | United States