Data Processing Agreement
Last updated: November 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between GenticFlow ("Processor", "we", "us") and the customer ("Controller", "you") and governs the processing of personal data in connection with the GenticFlow Service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission for international data transfers.
- "Subprocessor" means any third party engaged by GenticFlow to process Personal Data on behalf of the Controller.
2. Roles and Responsibilities
2.1 Controller
You (the customer) are the Data Controller for:
- Customer Data you upload or input into the Service
- Device Diagnostic Data collected by endpoint agents you deploy
- Personal data of your employees, contractors, and end-users
As Controller, you are responsible for:
- Ensuring a lawful basis for processing (consent, legitimate interest, contract, etc.)
- Providing required notices to Data Subjects
- Responding to Data Subject requests (with our assistance)
- Ensuring compliance with applicable data protection laws
2.2 Processor
GenticFlow acts as Data Processor and will:
- Process Personal Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Delete or return Personal Data upon termination (at your choice)
- Make available information necessary to demonstrate compliance
3. Data Processing Details
3.1 Subject Matter and Purpose
Processing is performed to provide the GenticFlow IT support and automation platform, including endpoint management, diagnostics, remote support, and workflow automation.
3.2 Duration
Processing continues for the duration of your subscription plus any retention period required by law or as specified in the Terms of Service.
3.3 Categories of Data Subjects
- Your employees and contractors
- End-users of managed endpoints
- IT administrators and technicians
- Your customers (if using client portal features)
3.4 Types of Personal Data
- Contact information (names, email addresses, phone numbers)
- Account credentials and authentication data
- Device identifiers and hostnames
- IP addresses and network information
- System logs and diagnostic data
- User activity within the Service
- Support ticket content and communications
4. Security Measures
GenticFlow implements the following security measures:
4.1 Technical Measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for administrative access
- Role-based access controls
- Annual third-party penetration testing
- Intrusion detection and monitoring systems
- Automated vulnerability scanning
- Secure software development lifecycle
4.2 Organizational Measures
- Employee background checks
- Security awareness training
- Confidentiality agreements
- Incident response procedures
- Business continuity and disaster recovery plans
- Vendor security assessments
5. Subprocessors
5.1 Authorization
You authorize GenticFlow to engage Subprocessors to assist in providing the Service. We maintain contracts with all Subprocessors that impose data protection obligations substantially similar to this DPA.
5.2 Current Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting | EU (Ireland) |
| Stripe | Payment processing | USA (with SCCs) |
| SendGrid (Twilio) | Transactional email delivery | USA (with SCCs) |
| OpenAI | AI features (optional) | USA (with SCCs) |
| Google Cloud | AI features (optional) | EU/USA (with SCCs) |
5.3 Changes to Subprocessors
We will notify you of any intended changes to Subprocessors at least 30 days in advance. You may object to a new Subprocessor by providing written notice within 14 days. If we cannot reasonably accommodate your objection, you may terminate the affected services.
6. International Data Transfers
When Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries with EU adequacy decisions require no additional safeguards.
- Standard Contractual Clauses: For transfers to other countries (including the USA), we rely on SCCs approved by the European Commission.
- Supplementary Measures: Where required, we implement additional technical and organizational measures to ensure adequate protection.
Upon request, we will provide copies of relevant SCCs and information about supplementary measures.
7. Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights under GDPR, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
If we receive a request directly from a Data Subject, we will promptly notify you unless prohibited by law.
8. Data Breach Notification
In the event of a Personal Data breach, GenticFlow will:
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach
- Provide information about the nature of the breach, categories of data affected, and approximate number of Data Subjects
- Describe likely consequences and measures taken or proposed to address the breach
- Cooperate with your investigation and regulatory notifications
- Document all breaches, including facts, effects, and remedial actions
9. Audits and Compliance
9.1 Audit Rights
Upon reasonable notice, you may audit our compliance with this DPA. Audits shall be conducted during normal business hours, no more than once per year (unless required by a regulatory authority), and subject to confidentiality obligations.
9.2 Certifications
GenticFlow maintains the following certifications and attestations (as available):
- SOC 2 Type II (planned)
- ISO 27001 (planned)
- Annual penetration testing reports
We will provide relevant audit reports and certifications upon request under NDA.
10. Data Retention and Deletion
10.1 During Subscription
We retain Personal Data for the duration of your subscription as necessary to provide the Service.
10.2 Upon Termination
Upon termination of your subscription, we will:
- Provide you with the ability to export your data for 30 days
- Delete Personal Data within 90 days of termination, unless retention is required by law
- Provide written certification of deletion upon request
10.3 Backup Retention
Backup copies may be retained for up to 180 days for disaster recovery purposes, after which they will be securely deleted.
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted under applicable law.
12. Conflict
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters. In all other respects, the Terms of Service shall govern.
13. Term and Termination
This DPA remains in effect for as long as GenticFlow processes Personal Data on your behalf. The obligations in this DPA survive termination to the extent necessary to complete deletion of Personal Data and fulfill legal requirements.
14. Amendments
We may update this DPA to reflect changes in law, regulatory guidance, or our processing activities. We will notify you of material changes at least 30 days in advance. Continued use of the Service constitutes acceptance of the updated DPA.
15. Contact
For questions about this DPA or to exercise your rights:
Data Protection Officer: [email protected]
Legal: [email protected]
Appendix A: Standard Contractual Clauses
Where required for international data transfers, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference. Module Two (Controller to Processor) applies to transfers of Customer Data.
The following applies to the SCCs:
- Clause 7 (Docking clause): Not used
- Clause 9 (Subprocessors): Option 2 (general authorization with 30-day notice)
- Clause 11 (Redress): Optional clause not used
- Clause 17 (Governing law): Laws of Ireland
- Clause 18 (Forum): Courts of Ireland
A fully executed copy of the SCCs is available upon request.