Data Processing Addendum (Public, Self-Serve Version)

Last updated: October 8, 2025

This public Data Processing Addendum ("DPA") is incorporated by reference into the Terms of Service between Floa Software Solutions Ltd ("Floa," "we," "us," "Processor") and any customer that uses Floa's services ("Customer," "Controller").

0) How this DPA is executed (Self-Serve)

By creating an account, clicking "I agree," or using the Services, Customer is deemed to have executed this DPA as of that date (the "Effective Date").
No signatures are required. This DPA applies whenever Floa processes Customer Personal Data on Customer's behalf.

  • Annex I (Processing Details) and Annex II (Technical & Organisational Measures) form part of this DPA.
  • Subprocessors list: maintained live (this satisfies "Annex III").
  • EU SCCs and UK Addendum are incorporated by reference and deemed executed with Annexes populated by Annex I–II and the Subprocessors page.

1) Definitions

"Applicable Data Protection Laws": All data protection and privacy laws applicable to a party, including the UK GDPR and Data Protection Act 2018, EU GDPR (where applicable), Swiss FADP (where applicable), and the CCPA/CPRA (to the extent applicable).

"Customer Personal Data": Personal Data processed by Floa on behalf of Customer under the Agreement.

"Personal Data," "Processing," "Controller," "Processor," "Subprocessor," "Supervisory Authority," "Personal Data Breach" have the meanings in the UK/EU GDPR.

"SCCs": EU Commission Standard Contractual Clauses (2021/914, Modules 2 & 3).

"UK Addendum": ICO International Data Transfer Addendum (IDTA/Addendum B1.0).

Capitalised terms not defined here have the meaning in the Agreement/Terms.

2) Roles & Scope

  • Customer is the Controller (or, where Customer acts as a processor for a third-party controller, Customer is a processor and Floa is a Subprocessor).
  • Floa is the Processor with respect to Customer Personal Data.
  • This DPA governs Floa's Processing of Customer Personal Data in delivering the Services.

3) Processing Instructions

  • Floa will Process Customer Personal Data only:
    1) to provide, maintain, secure, and support the Services;
    2) as documented in the Agreement, this DPA (including Annexes), and Customer's instructions via the Services; and
    3) as required by law.
  • If Floa becomes aware that an instruction violates Applicable Data Protection Laws, Floa will notify Customer (unless prohibited by law).
  • Processing details (subject-matter, nature/purpose, duration, categories, types) are in Annex I.

4) Confidentiality

Floa ensures persons authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations.

5) Security

  • Floa implements and maintains appropriate technical and organisational measures (TOMs) designed to protect Customer Personal Data, as described in Annex II.
  • Customer remains responsible for its own systems, endpoints, configurations, and use of security features offered by the Services (e.g., MFA, role-based access, API keys).

6) Subprocessors

  • General authorisation: Customer authorises Floa to appoint Subprocessors.
  • Floa will impose data-protection obligations on Subprocessors that are no less protective than those in this DPA and remains responsible for their performance.
  • Live list & change notice: here.
  • Objection: Customer may object on reasonable data-protection grounds within 10 days of notice by emailing privacy@getfloa.com. If unresolved, Customer may suspend the affected feature or terminate the impacted Services (pro-rata refund of prepaid, unused fees where applicable).

7) International Transfers

  • Where Customer Personal Data is transferred from the EEA to a country lacking an adequacy decision, the SCCs (Module 2: C→P; and, if Customer is a processor, Module 3: P→P) are incorporated by reference and apply.
  • For UK transfers, the UK Addendum is incorporated and applies alongside the SCCs.
  • For Switzerland, the SCCs are adapted for FADP; the competent authority is the FDPIC.
  • Floa applies supplementary measures (e.g., TLS in transit, encryption at rest, access controls, need-to-know, transfer risk assessments (TRAs)) appropriate to the transfer.

SCC/UK Addendum selections (public defaults):

  • SCC Clause 17 (Governing law): Ireland.
  • SCC Clause 18 (Forum & jurisdiction): Courts of Dublin, Ireland.
  • UK Addendum Governing law & venue: England & Wales; Courts of London.
  • Docking clause (Clause 7): Enabled.
  • Clause 9(a): General authorisation for Subprocessors.

8) Assistance

  • Data Subject Requests: Taking into account the nature of Processing, Floa provides reasonable assistance for Customer to respond to rights requests (access, rectification, erasure, restriction, portability, objection, automated decisions). If a request is made directly to Floa, we will direct the Data Subject to Customer where feasible.
  • DPIAs & Consultations: Floa provides information reasonably necessary to assist with DPIAs and prior consultations where related to the Services and not otherwise available to Customer.

9) Personal Data Breach

Floa will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information available to Floa to enable Customer to meet notification obligations. Floa will take reasonable steps to contain, investigate, and remediate the breach.

10) Audit & Information

  • Upon request, Floa will make available information reasonably necessary to demonstrate compliance (e.g., security overviews, policy summaries, pen-test or audit summaries).
  • Audit right: Once per 12 months, upon reasonable notice, Customer (or an agreed independent auditor) may conduct a remote or on-site audit limited to systems/facilities used to Process Customer Personal Data, during normal hours, subject to confidentiality and safety requirements. Customer bears audit costs. Material non-compliance will be remediated within a reasonable timeframe.

11) Return & Deletion

Upon termination/expiry of the Services:

  1) Floa will make Customer Personal Data available for export for 30 days (standard portable formats); then
  2) Floa will delete Customer Personal Data from active systems within 60 days, and from backups per standard retention cycles (typically up to 180 days), unless retention is required by law. On Customer request, Floa will use reasonable efforts to expedite deletion.

12) CCPA/CPRA (if applicable)

For California Personal Information processed on behalf of Customer, Floa acts as a Service Provider/Contractor and will:

  • Process solely to provide the Services and as permitted by CPRA;
  • Not sell or share Personal Information;
  • Not combine Personal Information with data from other sources except as permitted (e.g., security/incident detection, maintaining/improving the Services);
  • Assist with verifiable consumer requests reasonably and as applicable;
  • Flow down obligations to authorised Subprocessors.

13) Service Improvement; AI Model Use

Floa may Process service-generated telemetry (logs, performance, security events) and aggregated/de-identified data to operate, secure, and improve the Services.
Floa does not use Customer Personal Data to train third-party foundation models without Customer's explicit consent.

14) Liability; Precedence

  • Each party's liability under this DPA is subject to the limitations/exclusions in the Agreement, except where prohibited by law.
  • If there is a conflict between this DPA and the Agreement, this DPA controls for data-protection matters. If there is a conflict between this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum prevail for international transfers.

15) Changes; Governing Law

  • Floa may update this public DPA to reflect changes in law or Subprocessors. Material adverse changes to Customer's rights will be notified with reasonable advance notice (e.g., in-app/email and change log).
  • Governing law (DPA): England & Wales (as in the Terms). This does not alter the specific law/venue choices embedded in the SCCs/UK Addendum for transfers.

Annex I — Details of Processing

A. Parties

  • Data Exporter (Customer): The Customer entity that accepted the Terms;
  • Data Importer (Processor: Floa): Floa Software Solutions Ltd, 167–169 Great Portland Street, London, W1W 5PF, UK; privacy@getfloa.com

B. Description of Processing

  • Subject-matter: Processing of Customer Personal Data to deliver the Services.
  • Duration: Term of the Agreement and data-export/deletion windows in Section 11.
  • Nature & purposes: Hosting/storage, AI processing/generation, messaging (email/SMS/other), analytics, support, security, and operations needed to provide and improve the Services.
  • Categories of Data Subjects: Customer's end-users; prospects/leads; students/members; Customer personnel (admins, staff); any individuals whose data Customer submits.
  • Types of Personal Data:
    - Identifiers (name, email, phone),
    - Account data (user IDs, roles, login timestamps),
    - Content data (prompts, files, generated outputs, metadata),
    - Communications (tickets, messages),
    - Usage/telemetry (IP, device/browser info, events),
    - Billing data (invoicing details; payment tokens via processors),
    - Special categories: Not intended; any such data is processed only if submitted by Customer and at Customer's sole discretion/responsibility.
  • Frequency: Continuous/as initiated by Customer.
  • Retention: As per Section 11 and the Privacy Policy.

C. Competent Supervisory Authority

  • EU SCCs: The authority where the Customer (or its EU representative) is established (or otherwise per SCC rules).
  • UK Addendum: ICO (UK).
  • Switzerland: FDPIC.

D. Subprocessing

As per Section 6 and the live Subprocessors page: here.

Annex II — Technical & Organisational Measures (TOMs)

Floa maintains the following TOMs (non-exhaustive and subject to continuous improvement):

  • 1. Security Governance — documented policies; executive oversight; risk assessments; change management.
  • 2. Access Control — role-based access (RBAC); least privilege; MFA/SSO for admins; timely provisioning/deprovisioning; strong credential hygiene.
  • 3. Encryption — TLS for data in transit; encryption at rest for primary stores and backups; controlled key access.
  • 4. Network/Infra Security — segmented VPC/VNet; security groups/firewalls; WAF/CDN where applicable; hardened baselines; regular patching.
  • 5. AppSec — secure SDLC; code review; dependency scanning; SAST/DAST; secret management; OWASP-aligned controls.
  • 6. Logging/Monitoring — centralised logs; SIEM/alerting; anomaly detection; time-synced systems; audit trails for privileged actions.
  • 7. Vuln & Incident Management — periodic scanning and remediation; third-party penetration tests; incident response plan; post-incident reviews.
  • 8. BC/DR — backups with restore testing; multi-AZ/region strategies where applicable; appropriate RPO/RTO targets.
  • 9. Physical Security — data centres operated by ISO 27001/SOC 2 certified providers; access logging; CCTV; visitor policies.
  • 10. Personnel Security & Training — background checks where lawful; confidentiality agreements; onboarding and annual security/privacy training.
  • 11. Data Minimisation & Retention — retention schedules; data classification; pseudonymisation/anonymisation where appropriate.
  • 12. Vendor/Subprocessor Management — due diligence, contractual flow-downs, ongoing monitoring, reassessment.
  • 13. Privacy by Design/Default — DPIA support; feature reviews; opt-outs/granular controls where feasible.
  • 14. Customer Controls — admin consoles for access/roles; data export; logs; API rate limits; webhook signing.
