Data Processing Agreement
Effective: April 29, 2026 — GDPR Article 28 / UK GDPR / CCPA Service-Provider terms.
1. When This Agreement Applies
This Data Processing Agreement ("DPA") forms part of the Flawk Terms & Conditions and applies whenever a Flawk customer ("Customer") uploads, transmits, or otherwise instructs Flawk to process personal data of identifiable third parties through the Service — for example, when uploading an audience list, customer-match file, or retargeting pixel ("Customer Personal Data"). The DPA applies automatically and without further signature; if a separately signed DPA is required for a Customer's procurement process, contact reports@flawk.com.
For clarity, this DPA does not apply to (a) Customer's own account-holder data, which Flawk processes as an independent controller under the Privacy Policy, or (b) DOOH / CTV viewer-side data described in Section 2A of the Privacy Policy.
2. Roles
For Customer Personal Data, Customer is the "controller" (or, where applicable, "business" under U.S. state privacy law), and Flawk is the "processor" (or "service provider" under U.S. state privacy law). Each party will comply with its obligations under applicable Data Protection Law, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (collectively, "CCPA"), Canada's PIPEDA, and any other applicable data-protection law.
3. Subject Matter, Duration, Nature, and Purpose of Processing
| Element | Description |
|---|---|
| Subject matter | Processing of Customer Personal Data as necessary to provide the Service to Customer. |
| Duration | For the term of the Customer's account, plus the retention periods stated in the Privacy Policy. |
| Nature | Storage, transmission, audience matching, ad targeting, analytics computation, and (where instructed) AI inference. |
| Purpose | Performance of the Service. |
| Categories of data subjects | Customer's own customers, prospects, and audience members whose data Customer uploads or causes to be uploaded. |
| Categories of personal data | Identifiers (hashed email, hashed phone, mobile-advertising identifier), demographic categories supplied by Customer, behavioural attributes supplied by Customer. No special-category data, no government identifiers, no payment-card data. |
4. Customer Instructions
Flawk will process Customer Personal Data only on Customer's documented instructions, which include the Terms, this DPA, and any reasonable Customer instructions delivered through the Service interface. Flawk will inform Customer if, in Flawk's opinion, an instruction infringes Data Protection Law. Flawk will not "sell" or "share" Customer Personal Data within the meaning of CCPA, will not retain it outside the direct business relationship with Customer, and will not combine it with personal information from other sources except as the Service requires.
5. Confidentiality
Flawk requires personnel authorised to process Customer Personal Data to commit to confidentiality (or be under an appropriate statutory obligation of confidentiality) and to receive appropriate training.
6. Security — Annex II Measures
- Encryption in transit — TLS 1.2 or higher for all client-server traffic.
- Encryption at rest — AES-256 for sensitive stores (S3, RDS, EBS).
- Access controls — least-privilege role-based access; multi-factor authentication for staff; audit logs of privileged access.
- Network controls — segmented VPCs, security groups, intrusion detection, WAF on public endpoints.
- Vulnerability management — regular dependency scanning, periodic penetration testing, patching SLA.
- Backup and recovery — daily backups, geographic redundancy, documented disaster-recovery runbooks.
- Personnel — background checks where lawful, written confidentiality obligations, security awareness training.
- Logging — immutable security and access logs retained for at least 13 months.
7. Sub-Processors
Customer authorises Flawk to engage the sub-processors listed in Section 5 of the Privacy Policy, which is incorporated into this DPA. Flawk imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA. Flawk will provide at least 30 days' advance notice before engaging any new sub-processor that processes Customer Personal Data; Customer may object in writing within that period on reasonable data-protection grounds, and the parties will work in good faith to resolve the objection. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Service for cause and receive a pro-rated refund of pre-paid fees attributable to the unused portion.
8. International Transfers
Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) Module Two (Controller-to-Processor) by reference, with Flawk as data importer and Customer as data exporter, and the optional clauses (including the docking clause and Option 1 of Clause 17) selected as set out in Annex 1 of this DPA. For UK transfers, the UK International Data Transfer Addendum (version B1.0) is incorporated by reference, with Tables 1–4 completed by reference to the Service description and the parties' contact details on file.
9. Data-Subject Requests
Flawk will, taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to data-subject requests under applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection). Customer is responsible for verifying the identity of the requestor and for determining whether the request is valid. Where a data subject contacts Flawk directly, Flawk will refer the request to Customer.
10. Personal-Data Breach Notification
Flawk will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature and likely consequences of the breach, the categories and approximate number of data subjects and records concerned, the measures taken or proposed to address the breach, and a contact point for further information.
11. Audits
Flawk will, on Customer's reasonable written request and not more than once per calendar year (except where required to investigate a specific breach), make available to Customer a summary of Flawk's then-current security posture, including any third-party security audit report (such as SOC 2 Type II or ISO 27001) that Flawk has obtained. On-site audits are available where required by Data Protection Law or where the materials provided under the prior sentence do not address a material concern, on reasonable notice, during business hours, subject to confidentiality, and at Customer's expense.
12. Deletion or Return of Data
On termination of the Service, Flawk will, at Customer's choice, delete or return Customer Personal Data, except to the extent retention is required by applicable law. Customer may export Customer Personal Data via the data-export tool at /account/data-export for 30 days after termination.
13. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations set out in Section 11 of the Terms. To the extent of any conflict between this DPA and the Terms with respect to processing of Customer Personal Data, this DPA prevails; otherwise, the Terms prevail. The Standard Contractual Clauses, where they apply, take precedence over any conflicting provision of this DPA.
14. Updates
Flawk may update this DPA from time to time to reflect changes in law, in sub-processors, or in the Service. Updates that materially reduce Customer protection require 30 days' advance notice and Customer's right to terminate the affected portion of the Service for cause if the update is not acceptable.