DATA PROCESSING AGREEMENT

(FLOGEN AI)

This Data Processing Agreement (“DPA”) forms part of the Services Agreement between:

Flogen AI
(“Service Provider” / “Processor”)

and

The Client identified in the Service Agreement
(“Client” / “Controller”).

This DPA governs the processing of personal data by Flogen AI in connection with the provision of AI-powered WhatsApp automation systems.

1. Roles of the Parties

1.1 The Client acts as the Data Controller.

1.2 Flogen AI acts as the Data Processor, processing personal data solely on behalf of the Client.

1.3 Flogen AI shall not determine the purposes or means of processing personal data.

2. Scope of Processing

Flogen AI processes personal data for the purpose of:

• WhatsApp sales automation
• Customer support automation
• Lead qualification workflows
• CRM synchronization
• Retention and follow-up automation
• Performance reporting

Processing occurs only in connection with active automation systems implemented for the Client.

3. Categories of Data Processed

Depending on Client use, data may include:

• Customer names
• Phone numbers
• WhatsApp message content
• Appointment data
• Purchase history
• CRM records
• Email addresses
• Business communication content

Flogen AI does not intentionally collect sensitive personal data unless provided by Client systems.

4. Confidentiality

4.1 Flogen AI shall:

• Treat all Client data as confidential
• Use data solely for providing the Services
• Not sell, share, or commercially exploit Client data

4.2 All personnel with access to Client data are bound by confidentiality obligations.

4.3 Confidentiality obligations survive termination of services.

5. Security Measures

Flogen AI implements appropriate technical and organizational measures including:

• Encryption of data in transit (TLS 1.2+)
• Secure API connections
• Role-based access controls
• Limited internal access to client systems
• Use of reputable third-party infrastructure providers

Security measures are reviewed periodically.

6. Subprocessors

Flogen AI may engage third-party service providers, including but not limited to:

• WhatsApp Business API providers
• OpenAI or other AI model providers
• CRM integration platforms
• Cloud hosting providers

All subprocessors are contractually obligated to maintain appropriate data protection standards.

7. Data Subject Rights

Flogen AI shall assist Client, where reasonably required, in responding to:

• Access requests
• Deletion requests
• Correction requests

Flogen AI will not directly respond to data subject requests unless instructed by Client.

8. Data Retention

8.1 Personal data is retained only for the duration necessary to provide Services.

8.2 Upon termination:

• Client may request deletion of stored data
• Data will be deleted within 30 days unless legally required to retain

9. Personal Data Breach

9.1 Flogen AI shall notify Client without undue delay upon becoming aware of a data breach affecting Client data.

9.2 Flogen AI shall cooperate in investigating and mitigating such breach.

10. No AI Model Training

Flogen AI shall not use Client data to train proprietary AI models unless expressly authorized in writing.

11. Liability

Liability related to data processing shall be governed by the main Service Agreement.

12. Governing Law

This DPA shall be governed by the laws specified in the Service Agreement.