Flowxtra GmbH
Wipplingerstraße 20/18, 1010 Vienna, Austria
(“Processor” or “Flowxtra”)
and
(each individually a “Party” and collectively the “Parties”).
This DPA supplements the Service Agreement between the Parties, and reflects their agreement regarding the processing of personal data under applicable data protection laws.
1.1. This DPA governs Flowxtra’s processing of Personal Data on behalf of the Customer when providing the services defined in the Service Agreement (“Services”).
1.2. Terms such as “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Sub-Processor”, and “Supervisory Authority” shall have the meanings ascribed to them under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”).
2.1. Flowxtra will process Personal Data exclusively for providing the Services, as detailed in the Service Agreement.
2.2. This DPA remains in force as long as Flowxtra processes Personal Data on behalf of the Customer.
Flowxtra processes Personal Data to:
Provide recruitment services (e.g., job posting, candidate matching, candidate management).
Improve the platform’s features (AI-enhanced matching, dashboards, analytics).
Ensure system security, monitoring, maintenance, and support.
Types of Personal Data processed may include:
Names, addresses, email addresses, phone numbers
Professional qualifications, employment history, CVs, cover letters
Communication records and application metadata
Login credentials (hashed passwords)
Billing data (for companies via Stripe/SevDesk)
Categories of Data Subjects include:
Job candidates
Company representatives and employees
Platform users (administrators, recruiters)
The Customer:
Shall ensure that it is authorized to disclose Personal Data to Flowxtra.
Is responsible for the accuracy, quality, and legality of Personal Data.
Must inform Data Subjects in accordance with GDPR Art. 13/14.
Flowxtra shall:
6.1. Process Personal Data only on documented instructions of the Customer.
6.2. Ensure confidentiality by binding personnel to appropriate confidentiality and data protection obligations.
6.3. Implement appropriate technical and organizational security measures, including (but not limited to):
SSL/TLS encryption
Access control systems
Regular penetration testing
Backups and disaster recovery procedures
6.4. Assist Customer with Data Subject requests (access, rectification, deletion, etc.).
6.5. Notify Customer without undue delay after becoming aware of a Personal Data breach.
6.6. Maintain records of processing activities under Article 30 GDPR.
7.1. The Customer grants Flowxtra general authorization to engage Sub-Processors for processing activities. Current Sub-Processors include:
Stripe (payment processing)
SevDesk (invoice management)
Firebase (platform hosting & authentication)
Google Analytics (performance tracking)
Verpex (web hosting)
Mailchimp (email communication)
7.2. Flowxtra ensures that Sub-Processors are bound by written agreements requiring data protection obligations equivalent to those in this DPA.
7.3. Flowxtra shall notify the Customer of any intended changes concerning the addition or replacement of Sub-Processors, allowing the Customer to object.
8.1. Where Personal Data is transferred outside the European Economic Area (EEA) or Switzerland, Flowxtra shall ensure such transfers comply with applicable laws, including by:
Relying on adequacy decisions,
Using Standard Contractual Clauses (SCCs) approved by the European Commission.
9.1. Upon termination of Services, Flowxtra shall delete or return all Personal Data to the Customer, unless European Union law, Member State law, or applicable US law requires storage.
9.2. Regular retention periods:
User account data: deleted after 3 years of inactivity (unless legally required otherwise).
Backup data: deleted within 30 days of account closure.
10.1. Flowxtra shall make available all necessary information to demonstrate compliance with this DPA and allow for audits conducted by the Customer (or a designated auditor) upon reasonable notice.
10.2. Audits must not unreasonably interfere with Flowxtra’s business operations and are limited to once per year, unless justified by a material data breach.
Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Service Agreement, unless otherwise required by applicable law.
12.1. Amendments to this DPA must be made in writing.
12.2. If any provision of this DPA is found invalid, the remainder shall remain in effect.
12.3. Governing law and jurisdiction shall be Austrian law, and disputes shall be exclusively settled before the competent courts of Vienna, Austria.
Access Control: Limitation of access to authorized persons only (role-based access, MFA).
Data Encryption: Use of encryption both at rest and during transmission (TLS, HTTPS).
Physical Security: Secured server environments.
Monitoring and Logging: Continuous monitoring of systems.
Incident Response Plan: Formal processes for handling security incidents.
Backup & Disaster Recovery: Regular backups with geographically separated storage.