Back to Home

Data Processing Addendum (DPA)

Effective Date: February 18, 2026
Version: 1.0

This Data Processing Addendum ("DPA") forms part of the agreement between Otoverse Enterprise ("FlowSynk," "Processor") and Customer ("Controller") governing Controller's use of the Services.

1. Purpose and Scope

This DPA applies where FlowSynk processes personal data on behalf of Customer in connection with the Services.

If there is conflict between this DPA and the main agreement regarding personal data processing, this DPA controls.

2. Roles

  1. Customer is the controller (or processor acting on a controller's instructions).
  2. FlowSynk is the processor for Customer Data processed on behalf of Customer.
  3. For account/billing/security operations where FlowSynk determines purposes, FlowSynk may act as independent controller.

3. Processing Instructions

FlowSynk will process personal data only:

  1. On documented instructions from Customer.
  2. As necessary to provide, secure, and maintain the Services.
  3. As required by applicable law.

Customer is responsible for ensuring that its instructions and processing activities comply with applicable law.

4. Confidentiality

FlowSynk will ensure personnel authorized to process personal data are bound by confidentiality obligations.

5. Security Measures

FlowSynk will implement appropriate technical and organizational measures, including as relevant:

  1. Access controls and least-privilege permissions.
  2. Encryption in transit and at rest where appropriate.
  3. Logging and monitoring.
  4. Vulnerability and patch management processes.
  5. Incident response procedures.

FlowSynk may update security measures provided overall protection is not materially reduced.

6. Subprocessors

Customer authorizes FlowSynk to engage subprocessors listed in subprocessors.md and future subprocessors meeting equivalent data protection obligations.

FlowSynk will:

  1. Impose data protection obligations on subprocessors consistent with this DPA.
  2. Remain responsible for subprocessors' processing to the extent required by law.
  3. Provide notice of material subprocessor changes through reasonable means.

7. Data Subject Rights Assistance

Taking into account the nature of processing, FlowSynk will provide reasonable assistance to enable Customer to respond to data subject requests (access, deletion, correction, portability, restriction, objection), to the extent Customer cannot fulfill requests using the Services.

8. Compliance Assistance

FlowSynk will provide reasonable assistance for:

  1. Security assessments.
  2. Data protection impact assessments.
  3. Regulatory consultations.

Assistance may be subject to reasonable fees for substantial additional work.

9. Personal Data Breach

FlowSynk will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data processed under this DPA.

Notice will include, where available:

  1. Nature of the breach.
  2. Categories of affected data and approximate scope.
  3. Likely consequences.
  4. Measures taken or proposed to mitigate adverse effects.

10. Audits and Information

FlowSynk will make available information reasonably necessary to demonstrate compliance with this DPA.

Where required by law and where written information is insufficient, Customer may request an audit not more than once annually, subject to:

  1. Reasonable notice.
  2. Confidentiality controls.
  3. Scope limitations to avoid service disruption and protect other customers.
  4. Use of independent third-party auditor approved by FlowSynk (not unreasonably withheld).

11. International Transfers

Where personal data transfers require transfer safeguards, the parties will rely on:

  1. Standard Contractual Clauses (SCCs), including relevant modules.
  2. UK Addendum where applicable.
  3. Additional safeguards required by law.

12. Return and Deletion

Upon termination of Services, FlowSynk will delete or return Customer personal data, unless retention is required by law or necessary for legitimate security, compliance, and backup restoration cycles.

13. Liability

Liability under this DPA is subject to the liability framework in the main agreement, unless mandatory law requires otherwise.

14. Governing Law

This DPA is governed by the law and dispute resolution provisions set out in the main agreement, unless mandatory data protection law requires otherwise.

Annex I - Processing Details

A. Subject Matter

Provision of SaaS tools for social media workflow automation, content operations, and team collaboration.

B. Duration

For the duration of Services plus post-termination retention period as described in agreement/policy.

C. Nature and Purpose

Hosting, storage, organization, retrieval, transformation, transmission, and deletion of Customer Data to provide requested functionality.

D. Categories of Data Subjects

  1. Customer users and workspace members.
  2. Customer end users/contacts whose data is processed through connected channels.
  3. Customer prospects and support contacts.

E. Categories of Personal Data

  1. Identity and account data.
  2. Contact details.
  3. Device, log, and usage metadata.
  4. Content data submitted by Customer.
  5. Communication records.

F. Special Categories

Not intentionally required. Customer should avoid uploading special-category data unless strictly necessary and legally permitted.

G. Contact Points

Processor contact: support@flowsynk.com
Security incident contact: support@flowsynk.com