Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and supplements the applicable service agreement, proposal, order form, statement of work, or other written agreement between Flogen AI (“Flogen”, “Processor”, “we”, “us”) and the client receiving the Services (“Client”, “Controller”, “you”).

This DPA applies where Flogen processes Personal Data on behalf of Client in connection with the Services.

Last updated: March 2026

1. Definitions

For purposes of this DPA:

  • Personal Data means any information relating to an identified or identifiable individual that is processed by Flogen on behalf of Client.
  • Process, Processing, or Processed means any operation performed on Personal Data, including collection, storage, organization, access, use, transmission, disclosure, or deletion.
  • Controller means the party that determines the purposes and means of processing Personal Data.
  • Processor means the party that processes Personal Data on behalf of the Controller.
  • Subprocessor means any third party engaged by Flogen to process Personal Data on Client’s behalf in connection with the Services.
  • Applicable Data Protection Law means applicable privacy and data protection laws governing the processing of Personal Data under the Services.
  • Services means the automation, AI workflow, chatbot, integration, CRM, reporting, and related implementation or support services provided by Flogen to Client.

2. Role of the Parties

As between the parties, Client acts as the Controller of Personal Data and Flogen acts as the Processor, except where Flogen independently determines the purposes and means of processing, in which case Flogen will act as a separate controller solely to that limited extent.

Client is responsible for ensuring it has all rights, permissions, and lawful bases required to collect, use, and instruct the processing of Personal Data under the Services.

3. Scope and Purpose of Processing

Flogen processes Personal Data solely as necessary to provide the Services to Client, including for purposes such as:

  • WhatsApp sales automation
  • Customer support automation
  • Lead capture and qualification workflows
  • Appointment booking and follow-up automation
  • CRM synchronization and related integrations
  • Order, inquiry, and customer communication handling
  • Retention, re-engagement, and follow-up sequences
  • Performance reporting, analytics, and system troubleshooting
  • Maintenance, support, security, backup, and service improvement activities that are necessary to operate the Services

Flogen will not process Personal Data for purposes materially unrelated to the Services except as required by law or expressly authorized by Client in writing.

4. Categories of Personal Data and Data Subjects

Depending on the Client’s implementation and systems, Personal Data may include:

  • Names
  • Phone numbers
  • Email addresses
  • Messaging and conversation content
  • Appointment and booking information
  • Purchase or inquiry history
  • CRM and pipeline records
  • Business communication content
  • Other customer data made available by Client through connected systems

Categories of data subjects may include:

  • Client’s customers and prospective customers
  • Website visitors
  • Leads and subscribers
  • Client personnel, representatives, or agents, where relevant to the Services

Client shall not provide Flogen with sensitive or special category data unless expressly agreed in writing and only where adequate safeguards are in place.

5. Client Instructions

Flogen shall process Personal Data only on documented instructions from Client, including as set out in the main Service Agreement, order forms, project scope, support requests, technical configurations, or other written communications.

Flogen may refuse or suspend any instruction that, in Flogen’s reasonable opinion, is unlawful, technically unsafe, or materially inconsistent with the Services.

Client remains responsible for reviewing and approving workflow logic, automations, messaging flows, data mappings, and connected third-party tools before deployment or live use.

6. Client Responsibilities

Client is responsible for:

  • Providing lawful instructions and ensuring a valid legal basis for processing
  • Providing accurate notices and obtaining any necessary consents from data subjects
  • Ensuring the content, legality, and accuracy of the data submitted to the Services
  • Determining whether the Services are appropriate for Client’s intended use cases
  • Managing access permissions within Client-controlled tools, channels, and connected systems
  • Responding to data subject requests and regulatory obligations, except to the extent Flogen’s assistance is expressly required under this DPA

7. Confidentiality

Flogen shall:

  • Treat Client Personal Data as confidential
  • Use Client Personal Data only as necessary to perform the Services or comply with law
  • Ensure persons authorized to process Personal Data are subject to appropriate confidentiality obligations
  • Not sell Client Personal Data or use it for unrelated commercial exploitation

These confidentiality obligations survive termination of the Services for so long as Flogen retains Client Personal Data.

8. Security Measures

Flogen shall implement reasonable and appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful access, use, loss, alteration, or disclosure.

Such measures may include:

  • Encryption of data in transit using industry-standard protocols
  • Secure API connections and authenticated service access
  • Role-based or limited access controls
  • Administrative controls restricting internal access on a need-to-know basis
  • Use of reputable infrastructure and software providers
  • Periodic review of technical and organizational safeguards

No system can be guaranteed to be fully secure. Flogen does not warrant that the Services will be completely immune from all security incidents, but will maintain reasonable safeguards appropriate to the nature of the Services.

9. Subprocessors

Client authorizes Flogen to engage Subprocessors as reasonably necessary to provide the Services.

Subprocessors may include providers of:

  • Cloud hosting and infrastructure
  • AI model or AI platform services
  • CRM, workflow, and integration platforms
  • Messaging or WhatsApp Business API services
  • Analytics, logging, support, or monitoring services

Flogen shall impose contractual obligations on Subprocessors that are materially protective of Personal Data in a manner appropriate to the nature of the services performed.

Flogen remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Law, subject to the liability limitations in the main Service Agreement.

10. International Data Transfers

Client acknowledges that Personal Data may be processed in jurisdictions other than the jurisdiction in which it was originally collected, including through cloud, AI, messaging, CRM, and infrastructure providers used to deliver the Services.

Where cross-border transfers are required, the parties shall take commercially reasonable steps to ensure that appropriate safeguards are implemented as required by Applicable Data Protection Law.

11. Data Subject Requests

Taking into account the nature of the processing, Flogen shall provide reasonable assistance to Client in responding to valid requests from data subjects to access, correct, delete, or otherwise exercise rights relating to their Personal Data, to the extent such assistance is legally required and technically feasible.

Unless legally required, Flogen will not directly respond to any data subject request without Client’s authorization. If Flogen receives such a request directly, Flogen may refer the request to Client.

12. Compliance Assistance

Taking into account the nature of processing and the information available to Flogen, Flogen shall provide reasonable assistance to Client with respect to:

  • Security obligations relating to the processing performed by Flogen
  • Personal data breach notification obligations
  • Data protection impact assessments or similar reviews, where reasonably required
  • Consultation with regulators, where legally required and relevant to the Services

Where such assistance requires material additional time, complexity, or cost beyond standard service delivery, Flogen may charge reasonable professional fees.

13. Personal Data Breach

If Flogen becomes aware of a confirmed Personal Data breach affecting Client Personal Data, Flogen shall notify Client without undue delay after becoming aware of the breach.

To the extent reasonably available, such notice may include:

  • A description of the nature of the incident
  • The categories of affected data, if known
  • The likely consequences, if known
  • The measures taken or proposed to address the incident

Flogen’s notification of a breach is not an admission of fault or liability.

14. Retention, Return, and Deletion

Flogen shall retain Personal Data only for as long as reasonably necessary to provide the Services, comply with contractual obligations, resolve disputes, enforce agreements, maintain backups, or comply with legal requirements.

Upon termination of the Services or written request by Client, Flogen shall, subject to technical feasibility and legal obligations:

  • Delete Client Personal Data in Flogen’s possession or control, or
  • Return such data where return is reasonably possible and agreed between the parties

Unless otherwise agreed in writing, deletion will generally occur within 30 days after a valid request or termination, except where longer retention is required by law, technical backup cycles, dispute preservation needs, fraud prevention, or legitimate business recordkeeping obligations.

15. Audit and Information Rights

To the extent required by Applicable Data Protection Law, Flogen shall make available to Client reasonable information necessary to demonstrate compliance with this DPA.

Any audit request must be reasonable, proportionate, limited to information relevant to the Services, and not require access to confidential information of other clients, internal security architecture details beyond what is reasonably necessary, or source code.

Audits may be satisfied through existing documentation, questionnaires, summaries, certifications, or remote review processes. On-site audits, if required, shall be subject to prior written notice, confidentiality obligations, business-hour scheduling, and reimbursement of Flogen’s reasonable costs where legally permitted.

16. No Use for Independent AI Model Training

Flogen shall not use Client Personal Data to train Flogen’s own proprietary AI models for unrelated commercial purposes unless Client has expressly authorized such use in writing.

Client acknowledges, however, that third-party platforms integrated or selected by Client may have their own terms, policies, or data handling practices, and Client is responsible for reviewing and approving those third-party services before use.

17. Third-Party Platforms and Integrations

The Services may involve integrations with third-party tools, platforms, APIs, messaging channels, CRMs, and hosting providers selected by either Flogen or Client.

Flogen is not responsible for the privacy, security, availability, or acts and omissions of third-party platforms except to the extent those platforms act as Flogen’s appointed Subprocessors under this DPA and Applicable Data Protection Law.

Client remains responsible for its own direct relationships, settings, permissions, and compliance obligations relating to third-party tools it selects or controls.

18. Limitation of Liability

Each party’s liability arising from or related to this DPA shall be subject to the exclusions, limitations, disclaimers, and liability caps set out in the main Service Agreement, unless Applicable Data Protection Law requires otherwise.

19. Term and Termination

This DPA takes effect when Flogen first processes Personal Data on behalf of Client and remains in effect for so long as Flogen processes Personal Data in connection with the Services.

Termination or expiry of the main Service Agreement shall automatically terminate this DPA, except for provisions that are intended to survive, including those relating to confidentiality, liability, deletion, and compliance cooperation where applicable.

20. Order of Precedence

In the event of a conflict between this DPA and the main Service Agreement, this DPA will control solely with respect to matters concerning the processing of Personal Data. In all other respects, the main Service Agreement will control.

21. Governing Law

This DPA shall be governed by the governing law and dispute resolution provisions set out in the main Service Agreement, unless otherwise required by Applicable Data Protection Law.

22. Contact

For privacy, data processing, or security-related matters concerning this DPA, Client may contact Flogen at:

Email: contact@flogenai.com
Business Name: Flogen AI

This page is provided for general contractual transparency and operational clarity. It should be read together with Flogen’s Service Agreement and Privacy Policy.