Data Processing Agreement (DPA)
Appointment contract under Article 28 of Regulation (EU) 2016/679 (GDPR). Version: 2026-04-16. To be validated with legal counsel before the public launch of the service.
1. Parties
Controller: the user registered on Fluenx, as identified by the BusinessProfile in their account area.
Processor: Studio Digitale (P.IVA 03704400831, Via La Farina 21, 98077 Santo Stefano di Camastra (ME), Italia), reachable at studiodigitaleconsulting@gmail.com.
2. Subject matter
The Processor processes, on behalf of the Controller, the personal data of data subjects collected via forms created by the Controller on the Fluenx platform. Data processed: name, email, phone number, form answers, technical metadata (pseudonymised IP, user agent), UTM/GCLID parameters.
3. Purposes
Processing is aimed at:
- Storing the collected data in the platform database
- Delivering the data to integrations configured by the Controller (email, webhook, Meta Conversions API, Telegram)
- Technical support at the Controller's request
4. Duration
The agreement lasts as long as the Controller keeps the account active. Upon termination, all lead data is permanently deleted.
5. Obligations of the Processor
- Process data only on documented instructions from the Controller
- Ensure that authorised personnel are bound by confidentiality
- Adopt appropriate technical and organisational security measures (Art. 32 GDPR)
- Assist the Controller with data subject requests (Art. 15-22 GDPR)
- Notify data breaches within 48 hours of detection
- Not transfer data outside the EEA without an adequate legal basis
6. Security measures
- Encryption in transit (TLS 1.3)
- Encryption at rest for sensitive secrets (AES-256-GCM)
- Password hashing with modern algorithms (bcrypt/argon2)
- Access control based on authenticated sessions
- Logging of administrative actions (audit log)
- Regular database backups
7. Sub-processors
The Processor relies on the following authorised sub-processors:
- Vercel Inc. (hosting, CDN) — USA, covered by EU standard contractual clauses
- Neon / Postgres DB provider (database) — EU/USA
- Resend (transactional email) — USA
- Meta Platforms Ireland Ltd. (Facebook CAPI, only if enabled by the Controller) — EU
Material changes to this list will be notified with 30 days' prior notice. The Controller may object in writing; absent a reasoned objection, the sub-processor is considered accepted.
8. Rights of the Controller
- Export all their leads at any time via API or UI
- Request the immediate deletion of the data
- Audit the security measures (with 30 days' prior notice)
9. Liability and limitations
The Processor's liability is limited to cases of wilful misconduct or gross negligence in performing its contractual obligations. In all other respects, the mandatory obligations of Article 28 GDPR apply.
10. Governing law
This agreement is governed by the laws applicable at the Processor's registered seat and by Regulation (EU) 2016/679. Place of jurisdiction: Via La Farina 21, 98077 Santo Stefano di Camastra (ME), Italia.