Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Flottix, Inc. ("Flottix," "Processor," "we," "us," or "our") and the Customer ("Controller," "you," or "your") using our IT asset management platform (the "Service").
This DPA reflects the parties' commitment to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and other applicable privacy and data protection laws (collectively, "Data Protection Laws").
By using the Service, the Controller agrees to this DPA on behalf of itself and, to the extent required under Data Protection Laws, on behalf of its affiliates.
Enterprise Customers: If you require a custom DPA or have specific data protection requirements, please contact us at enterprise@flottix.com.
Definitions
- "Controller": The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
- "Data Subject": An identified or identifiable natural person whose Personal Data is processed.
- "Personal Data": Any information relating to an identified or identifiable natural person that is processed by Flottix on behalf of the Controller in connection with the Service.
- "Processing": Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor": A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Flottix is the Processor.
- "Sub-processor": Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Security Incident": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" or "SCCs": The contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 for the transfer of Personal Data to third countries.
Scope and Purpose
Scope of Processing
This DPA applies to the processing of Personal Data by Flottix on behalf of the Controller in connection with the provision of the Service as described in the Agreement.
Purpose of Processing
Flottix shall process Personal Data only for the following purposes:
- Providing, maintaining, and improving the Service
- Providing customer support and technical assistance
- Ensuring the security and integrity of the Service
- Complying with applicable legal obligations
- As otherwise instructed by the Controller in writing
Controller's Responsibilities
The Controller represents and warrants that:
- It has obtained all necessary consents and authorizations to process Personal Data
- It has provided appropriate notices to Data Subjects regarding the processing
- Its instructions to Flottix comply with applicable Data Protection Laws
- It has a lawful basis for the processing of Personal Data
Details of Processing
| Processing Detail | Description |
|---|---|
| Subject Matter | IT asset management services including asset tracking, license management, and inventory audits |
| Duration | For the term of the Agreement, plus any retention period required by law or as specified in the Privacy Policy |
| Nature of Processing | Collection, storage, organization, retrieval, use, disclosure by transmission, and deletion |
| Purpose of Processing | Provision of IT asset management services as described in the Agreement |
| Categories of Data Subjects | Controller's employees, contractors, and other authorized users |
| Categories of Personal Data | |
| Special Categories of Data | None, unless uploaded by the Controller. The Service is not designed to process special categories of data. |
Obligations of Processor
Flottix shall:
- Process Personal Data only on documented instructions from the Controller, including transfers to a third country, unless required by applicable law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Assist the Controller in responding to requests from Data Subjects exercising their rights
- Assist the Controller in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services, unless retention is required by law
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
Security Measures
Flottix implements and maintains the following technical and organizational security measures:
Organizational Measures
- Information security policies and procedures
- Security awareness training for all employees
- Background checks for employees with access to Personal Data
- Confidentiality agreements with all personnel
- Incident response procedures and team
- Regular security assessments and reviews
Technical Measures
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access Control: Role-based access control (RBAC); principle of least privilege
- Authentication: Multi-factor authentication support; secure password policies
- Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
- Monitoring: Real-time security monitoring and alerting; audit logging
- Vulnerability Management: Regular vulnerability scanning and penetration testing
- Data Backup: Regular encrypted backups with tested restoration procedures
- Physical Security: Secure data centers with access controls, surveillance, and environmental protections
Certifications and Compliance
Flottix maintains or is working toward the following certifications:
- SOC 2 Type II (in progress)
- ISO 27001 (planned)
Sub-processors
Authorization
The Controller provides general authorization for Flottix to engage Sub-processors to process Personal Data on behalf of the Controller. Flottix shall:
- Maintain an up-to-date list of Sub-processors on our website
- Enter into written agreements with Sub-processors imposing data protection obligations no less protective than those in this DPA
- Remain liable for the acts and omissions of Sub-processors
Notification of Changes
Flottix shall notify the Controller at least 30 days before adding or replacing any Sub-processor by:
- Updating the Sub-processor list on our website
- Sending an email notification to the Controller's designated contact
Objection Right
If the Controller has reasonable grounds to object to a new Sub-processor, the Controller may notify Flottix in writing within 14 days of receiving notice. The parties shall work in good faith to resolve any objection. If no resolution is reached, the Controller may terminate the affected services.
Current Sub-processors
A current list of Sub-processors is available at flottix.com/legal/sub-processors.
Data Subject Rights
Flottix shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision-making
Request Handling
If Flottix receives a request directly from a Data Subject, Flottix shall:
- Promptly notify the Controller of the request
- Not respond to the request directly unless authorized by the Controller or required by law
- Provide reasonable assistance to the Controller in responding to the request
Data Breach Notification
Notification Timeline
Flottix shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Personal Data.
Notification Content
The notification shall include, to the extent known:
- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Contact details of Flottix's data protection officer or other contact
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
Cooperation
Flottix shall cooperate with the Controller and provide reasonable assistance in:
- Investigating the Security Incident
- Fulfilling the Controller's obligations to notify supervisory authorities and Data Subjects
- Taking measures to mitigate the effects of the Security Incident
Audit Rights
Flottix shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audit Procedures
- The Controller shall provide at least 30 days' written notice for any audit
- Audits shall be conducted during normal business hours
- Audits shall not unreasonably disrupt Flottix's operations
- The Controller shall bear the costs of any audit
- The Controller's auditors shall execute confidentiality agreements
Third-Party Certifications
Where available, Flottix may satisfy audit requirements by providing:
- SOC 2 Type II reports
- ISO 27001 certification
- Third-party penetration test summaries
- Other relevant compliance documentation
International Data Transfers
When Personal Data is transferred to countries outside the European Economic Area (EEA), UK, or Switzerland that have not been deemed to provide an adequate level of data protection, Flottix shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement or Addendum
- Any other appropriate safeguard recognized under Data Protection Laws
Transfer Impact Assessments
Flottix shall, upon request, provide information to assist the Controller in conducting transfer impact assessments as required by applicable law.
Data Deletion and Return
Upon termination of the Agreement, at the Controller's written request, Flottix shall:
- Return: Provide the Controller with all Personal Data in a commonly used format
- Delete: Securely delete all Personal Data within 30 days
- Certify: Upon request, provide written certification of deletion
Exceptions
Flottix may retain Personal Data to the extent required by applicable law, provided that:
- The retained data is processed only for the purpose required by law
- Flottix maintains confidentiality of the retained data
- Data is deleted when no longer legally required
Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.
Notwithstanding the foregoing, liability for violations of Data Protection Laws shall not be limited to the extent that such limitation would be prohibited by applicable law.
Term and Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, this DPA shall automatically terminate, subject to the survival of provisions that by their nature should survive termination.
Contact Information
For questions about this DPA or to exercise your rights, please contact us:
Flottix Data Protection Team
Email: dpo@flottix.com
Enterprise Inquiries: enterprise@flottix.com
Address: Flottix, Inc.
123 Tech Street, Suite 100
San Francisco, CA 94105
United States
For EU-specific inquiries, you may also contact our EU representative at eu-dpo@flottix.com.