Data Protection Agreement

Version 1.0 · Effective Date: May 2026

Global Edition

This Data Protection Agreement (“DPA”) supplements and forms part of the Customer Terms and Conditions or other written master agreement between Flecks, Inc. and the customer entity (“Customer”) governing Customer’s access to and use of the Flecks Platform (the “Agreement”). This DPA applies to the extent Flecks Processes Personal Data on behalf of Customer in connection with the Platform and Professional Services. Capitalized terms not defined in this DPA have the meanings given in the Agreement.

This DPA is designed to comply with applicable data protection laws worldwide, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively “CCPA”), and other applicable U.S. state and international privacy laws (collectively, “Applicable Privacy Laws”). In the event of a conflict between this DPA and Applicable Privacy Laws, Applicable Privacy Laws prevail.

Architectural Note. The Flecks Platform is designed around a customer-isolation architecture in which Flecks does not access Customer Personal Data in the ordinary course of operating the Platform. The Client-Side Software processes data locally on Customer’s endpoints and transmits only parsed event-timeline metadata to the Platform. Customer Personal Data within the Platform is stored within Customer-Isolated Environments. Flecks personnel access occurs only through Authorized Access mechanisms described in Section 6. Additional detail regarding Flecks’ technical and organizational measures is set forth in Annex II and in the Flecks Security Practices, available at flecks.ai/security.

1. Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

“Aggregated Data” means data that has been aggregated and/or de-identified in such a manner that the data no longer relates to an identified or identifiable natural person and cannot reasonably be re-identified by Flecks or any third party using any reasonable means.

“Applicable Privacy Laws” has the meaning set forth in the preamble.

“Authorized Access” has the meaning set forth in Section 6.

“Controller,” “Processor,” “Sub-processor,” “Data Subject,” “Processing,” and “Supervisory Authority” have the meanings given in the GDPR, or if the GDPR does not apply, the equivalent meanings under Applicable Privacy Laws.

“Customer Personal Data” means Personal Data contained within Security Metadata that Flecks Processes on behalf of Customer in connection with the provision of the Platform.

“Customer-Isolated Environment” means the infrastructure environment within the Platform in which Customer Personal Data is stored, with logical separation from other customers’ environments.

“Flecks” means Flecks, Inc., a Delaware corporation, together with its Affiliates that Process Personal Data in connection with the Agreement.

“Personal Data” has the meaning set forth in the Agreement and Applicable Privacy Laws, and refers to information relating to an identified or identifiable natural person.

“Personal Data Breach” has the meaning given in Article 4(12) of the GDPR or the equivalent meaning under Applicable Privacy Laws.

“SCCs” means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.

“Security Metadata” means parsed, structured event-timeline data generated by the Client-Side Software through analysis of telemetry on Customer Systems, including event timestamps, hostnames, usernames, IP addresses, file paths and names, file hashes, process names and arguments, registry keys, network connection records, browser history records, authentication events, and similar security-relevant indicators. Security Metadata does not include the underlying user-created content of files, the contents of email or messaging bodies, raw memory images, raw disk images, or raw registry hives.

“Sensitive Data” has the meaning set forth in the Agreement, and includes special categories of personal data under Article 9 of the GDPR and other regulated categories of information as further described in the Agreement.

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner’s Office.

2. Processing of Customer Personal Data

2.1 Roles

Customer is the Controller of Customer Personal Data, and Flecks is the Processor. Where Customer is itself acting as a Processor on behalf of a third-party controller (such as in a managed security service provider arrangement), Flecks acts as a Sub-processor and the parties shall execute Flecks’ then-current MSSP Addendum, which incorporates Module 3 of the SCCs where applicable. Flecks’ collection of Personal Data directly from individuals is separately governed by the Flecks Privacy Policy.

2.2 Customer Instructions

Flecks shall Process Customer Personal Data only on Customer’s documented instructions, as set out in the Agreement, this DPA, Customer’s use of the Platform configuration controls, and Customer-initiated support requests, except where otherwise required by applicable law. Flecks shall promptly inform Customer if, in Flecks’ reasonable opinion, an instruction infringes Applicable Privacy Laws, except where prohibited from doing so by law.

2.3 Architecture

The Flecks Platform is architected such that the Client-Side Software performs analysis on Customer Systems and transmits only Security Metadata to the Platform. Flecks does not Process raw forensic artifacts on the Platform. Customer Personal Data within the Platform is stored within Customer-Isolated Environments, with the level of isolation varying by Customer subscription tier as further described in Annex II.

2.4 Customer Obligations

Customer represents and warrants that: (a) it has and will maintain a valid legal basis under Applicable Privacy Laws for the Processing of Personal Data described in this DPA; (b) it has provided all required notices to, and obtained all required consents from, Data Subjects; and (c) its instructions to Flecks comply with Applicable Privacy Laws. Customer acknowledges that Security Metadata will routinely contain Personal Data and may incidentally contain Sensitive Data. As set forth in the Agreement, the Platform is not designed for the storage of Sensitive Data, and Customer will not knowingly transmit Sensitive Data to the Platform. Customer is solely responsible for ensuring that any incidental transmission of Sensitive Data is supported by a valid legal basis under Applicable Privacy Laws.

3. Flecks Personnel

Flecks shall implement appropriate security controls designed to ensure that:

  • Access to Customer Personal Data within Flecks’ or its Sub-processors’ control is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, and such access occurs only through the Authorized Access mechanisms set forth in Section 6;
  • All such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
  • Personnel with access to Customer Personal Data receive privacy and security training appropriate to their roles and undergo appropriate background screening, where permitted by law.

4. Security

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Flecks shall maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including the measures set forth in Annex II and further described in the Flecks Security Practices. In assessing the appropriate level of security, Flecks shall take into account the nature of the data and the Processing activities in assessing the risks posed by a potential Personal Data Breach. Flecks may update its security measures from time to time provided that such updates do not materially diminish the overall level of security.

5. Sub-processors

5.1 General Authorization

Customer authorizes Flecks to use the Sub-processors listed in Annex III and grants Flecks general authorization to engage additional Sub-processors subject to this Section 5. Flecks shall impose data protection obligations on each Sub-processor that are no less protective than those set forth in this DPA, and shall remain liable to Customer for the acts and omissions of its Sub-processors to the same extent as if Flecks were performing those acts itself.

5.2 Changes to Sub-processors

Flecks shall give Customer at least thirty (30) days’ prior written notice (which may be by email or by updating an online sub-processor list to which Customer has subscribed) of the addition or replacement of any Sub-processor. Customer may object to a proposed change on reasonable grounds related to data protection within thirty (30) days of notice. If the objection cannot be resolved, Flecks may, at its option: (a) provide the affected Platform components without the contested Sub-processor; or (b) permit Customer to terminate the affected Platform components by written notice to Flecks, with a pro-rata refund of any prepaid fees for the unused portion of the term as Customer’s sole and exclusive remedy.

6. Authorized Access

Flecks personnel do not have standing access to Customer Personal Data in the ordinary course of operating the Platform. Flecks personnel access to Customer Personal Data occurs only through the following Authorized Access mechanisms:

  • Customer-Created Access: Customer creates a Flecks user account with access privileges defined and controlled by Customer.
  • Customer Support Request: Access initiated by Flecks personnel in response to Customer’s request for support, scoped to the support need.
  • Audit Request Access: Access by Flecks personnel to investigate a specific data event in response to a Customer or regulatory request.
  • Maintenance Access: Flecks infrastructure personnel may access systems hosting Customer Personal Data for Platform maintenance and operational continuity. Such access is scoped to system-level operations and is not intended to involve access to decrypted Customer Personal Data. Maintenance access is logged. In the event that decrypted Customer Personal Data is inadvertently accessed during a maintenance activity, such access will be treated as a security event, will be included in the next periodic access log report provided to Customer, and will be assessed by Flecks to determine whether notification under Section 8 (Personal Data Breach) is required.

All Authorized Access is logged. Audit log reports of Flecks personnel access to Customer Personal Data are made available to Customer upon reasonable request.

7. Data Subject Rights

Taking into account the nature of the Processing, Flecks shall:

  • Not respond to a Data Subject’s request directly unless required by Applicable Privacy Laws, and shall promptly notify Customer if Flecks receives such a request relating to Customer Personal Data;
  • Reasonably assist Customer through appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligation to respond to Data Subject rights requests arising under Applicable Privacy Laws.

8. Personal Data Breach

Flecks shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. “Becoming aware” means the point at which Flecks has a reasonable degree of certainty that a Personal Data Breach has occurred, and does not include preliminary alerts, indicators, or unverified reports under initial investigation. To the extent known, Flecks shall provide Customer with sufficient information to meet Customer’s obligations under Applicable Privacy Laws to report or inform Data Subjects about the Personal Data Breach. Flecks shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of such Personal Data Breach.

For clarity, security events affecting Flecks infrastructure that do not result in unauthorized access to or disclosure of Customer Personal Data do not constitute Personal Data Breaches under this DPA. Customer is solely responsible for determining whether a Personal Data Breach requires notification to any Supervisory Authority or to affected Data Subjects under Applicable Privacy Laws.

9. Obligations to Assist Customer

Taking into account the nature of the Processing and the information available to Flecks, Flecks shall provide reasonable assistance to Customer with: (a) data protection impact assessments and prior consultations required of Customer by Applicable Privacy Laws; (b) consultation with or requests of a competent data protection authority; and (c) inquiries about Flecks’ Processing of Customer Personal Data. Non-routine assistance may be subject to Flecks’ reasonable fees.

10. Deletion and Retention of Customer Personal Data

10.1 Term Deletion

Within thirty (30) days following expiration or termination of the Agreement, Flecks shall, at Customer’s election expressed in writing within that thirty-day period, either delete or return to Customer all Customer Personal Data, and delete existing copies, unless retention is required by applicable law or permitted under Sections 10.2 or 10.3. Deletion is effected through decommissioning of the Customer-Isolated Environment. Upon Customer’s written request, Flecks shall provide written confirmation that Customer Personal Data has been deleted.

10.2 Customer Legal Hold and Flecks Legal Defense

Customer may request retention of Customer Personal Data beyond the thirty-day deletion period for litigation, regulatory inquiry, or investigations, subject to Flecks’ then-current data retention fees on commercially reasonable terms; provided that where such retention is required solely as a direct result of a confirmed Personal Data Breach caused by Flecks, no retention fees shall apply. Flecks may also retain Customer Personal Data beyond the deletion period to the extent reasonably necessary to assert or defend legal claims, comply with regulatory proceedings, or comply with applicable law, for no more than twelve (12) months following termination except where active legal proceedings require longer retention.

10.3 Aggregated Data

Flecks may retain and use Aggregated Data following termination of the Agreement without limitation under this Section 10. Flecks shall not attempt to re-identify Aggregated Data.

11. Audit Rights

Upon Customer’s written request, Flecks shall make available to Customer information reasonably necessary to demonstrate compliance with Applicable Privacy Laws and this DPA. To the extent required by Applicable Privacy Laws, Flecks shall contribute to audits by Customer or an independent auditor engaged by Customer (that is not a competitor of Flecks), in relation to the Processing of Customer Personal Data. Audits are limited to once per calendar year at Customer’s expense, subject to a written confidentiality agreement, and are conducted with reasonable advance notice and during normal business hours. Where Flecks holds an applicable SOC 2 Type II or ISO 27001 certification, Flecks may satisfy Customer’s audit rights by providing a copy of the most recent summary audit report, subject to confidentiality.

Flecks may exclude from audit scope: source code and proprietary algorithms; data or information belonging to other Flecks customers; Flecks’ internal financial records and pricing; employee personnel records; vendor contracts unrelated to Customer data Processing; and any information the disclosure of which would violate Flecks’ confidentiality obligations to third parties or applicable law.

12. Cross-Border Transfers of Customer Personal Data

At the time of Order placement, Customer has the option to designate the AWS region where Customer Personal Data will be stored. Flecks supports all AWS commercial regions. Where the transfer of Customer Personal Data from Customer to Flecks involves a transfer from the European Economic Area, United Kingdom, or Switzerland to a country that has not received an adequacy decision (“Restricted Transfer”), the SCCs and (where applicable) the UK Addendum apply as set forth below.

12.1 SCC Elections

The parties agree that the SCCs shall apply to Restricted Transfers, with the following elections: Clause 7 (Docking Clause) applies; Clause 9(a) Option 2 (general authorization for Sub-processors) applies with the thirty-day notice period in Section 5.2; Clause 11(a) optional language does not apply; Clause 17 Option 1 (Ireland) applies as governing law; Clause 18 (Choice of Forum) is the courts of Ireland. Annexes I, II, and III to the SCCs are populated by reference to Annexes I, II, and III to this DPA.

12.2 UK and Swiss Transfers

For Restricted Transfers from the UK, the UK Addendum applies, with the parties’ identifiers, the selected SCCs, and Appendix Information populated by reference to this DPA. For Restricted Transfers subject to the Swiss Federal Act on Data Protection, the SCCs apply with the modifications customary for Swiss transfers (references to GDPR are deemed references to the FADP, the Federal Data Protection and Information Commissioner is the competent supervisory authority, Clause 17 governing law is Switzerland, and the SCCs protect Personal Data of legal entities until the FADP no longer protects such data).

12.3 Alternative Transfer Mechanisms

If Flecks adopts an alternative transfer mechanism approved under Applicable Privacy Laws (including certification under the EU-U.S. Data Privacy Framework or Binding Corporate Rules), Flecks may, by written notice to Customer, elect to rely on such mechanism in lieu of the SCCs and UK Addendum to the extent permitted by Applicable Privacy Laws.

12.4 Government Access Requests

If Flecks receives a legally binding request from a public authority for disclosure of Customer Personal Data, Flecks shall: (a) review the legality of the request and, where there are reasonable grounds, challenge the request; (b) provide only the minimum amount of Personal Data necessary to comply with a valid request; and (c) where legally permitted, notify Customer of the request before responding.

13. CCPA and U.S. State Privacy Laws

To the extent Flecks Processes Personal Data of California residents on behalf of Customer, Flecks acts as a “Service Provider” as defined under the CCPA. Where Flecks Processes Personal Data subject to other U.S. state privacy laws, Flecks acts as a “Processor” or equivalent designation. Flecks agrees that Personal Data is disclosed to Flecks solely for the limited and specified business purposes of providing the Platform; Flecks shall not Sell or Share Personal Data; Flecks shall not retain, use, or disclose Personal Data outside the direct business relationship with Customer or for any commercial purpose other than the specified business purposes; Flecks shall not combine Personal Data received from Customer with Personal Data from other sources except as permitted under the CCPA for service providers; Flecks shall provide reasonable assistance to Customer in responding to verifiable consumer requests; and Flecks shall notify Customer if it determines it can no longer meet its obligations under the CCPA. Flecks certifies that it understands and will comply with these restrictions.

14. Artificial Intelligence and Machine Learning

Flecks does not use Customer Personal Data to train, fine-tune, or improve generally applicable artificial intelligence or machine learning models. AI and ML models within the Platform analyze Customer Personal Data for security purposes within Customer-Isolated Environments and do not result in Customer Personal Data being incorporated into models used for other customers. Where Flecks uses third-party AI services to generate summary descriptions or similar outputs, such services receive only Aggregated Data and are identified in Annex III as Sub-processors.

15. General

15.1 Liability

Each party’s liability arising out of or related to this DPA is subject to the exclusions and limitations of liability set forth in the Agreement. Liability under the Agreement and this DPA is treated in the aggregate under the Agreement’s liability cap and is not duplicated. Nothing in this DPA limits liability that cannot be excluded or limited under Applicable Privacy Laws.

15.2 Order of Precedence

Any conflict between the terms of the Agreement and this DPA related to the Processing of Customer Personal Data shall be resolved in the following order of priority: (a) Applicable Privacy Laws; (b) the SCCs and UK Addendum, where applicable; (c) this DPA; and (d) the Agreement.

15.3 Governing Law and Jurisdiction

Except where Section 12.1 (Clause 17 election) provides otherwise, this DPA is governed by and construed in accordance with the governing law set forth in the Agreement, and the parties submit to the choice of forum stipulated in the Agreement for any disputes arising under this DPA.

15.4 Term and Updates

This DPA takes effect on the effective date of the Agreement and continues in force for the duration of the Agreement and thereafter for so long as Flecks Processes Customer Personal Data. Flecks may update this DPA from time to time to address changes in Applicable Privacy Laws, regulatory guidance, or Flecks’ Sub-processor relationships. Flecks shall provide Customer with reasonable advance notice of material changes. Updates that reduce the protections afforded to Customer Personal Data require Customer’s prior written consent, except where required by law.

15.5 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.6 Notices

Notices under this DPA shall be delivered in accordance with the notice provisions of the Agreement. Privacy-specific notices may also be sent to privacy@flecks.ai.

Annex I: Description of Processing

Subject Matter, Nature, and Duration

Subject Matter: Provision of the Flecks Platform, including operationalized threat hunting, digital forensics and incident response support, unified telemetry analysis, autonomous workflows, vulnerability management, and threat intelligence.

Nature: Storage and automated analysis of Security Metadata for security purposes within Customer-Isolated Environments; generation of alerts, reports, and Outputs based on Customer Data; provision of Professional Services where engaged by Customer.

Duration: For the term of the Agreement and as further specified in Section 10 of this DPA.

Categories of Data Subjects

Customer’s employees, contractors, agents, and other end users whose activity is captured in Security Metadata generated from Customer Systems; and, incidentally, third parties whose information appears in Customer’s telemetry.

Categories of Personal Data

Customer determines which categories of Personal Data are transmitted to the Platform through Customer’s configuration of the Platform. Personal Data within Security Metadata typically includes identifiers (usernames, hostnames, IP addresses, device identifiers, account names), activity records (process execution, network connection, authentication and access events, file access, command-line arguments, browser history), and file metadata (file paths, names, hashes, sizes, timestamps). Underlying file content, email content, and messaging content are not transmitted to the Platform.

Sensitive Data

The Platform is not designed for and does not intentionally Process Sensitive Data. Sensitive Data may be incidentally present within Security Metadata as described in Section 2.4 of this DPA.

Frequency of Processing

Continuous, on a real-time or near-real-time basis during the term of the Agreement.

Storage Location

Customer Personal Data is stored in the AWS region selected by Customer at Platform configuration. Flecks supports all AWS commercial regions. Customer security findings, telemetry events, and data-lake records are stored within the Customer-selected region with backups retained in the same region. Operational metadata (Platform configurations, asset inventory, and similar non-content metadata) may be replicated across regions to support availability and disaster recovery.

Standard Retention Period

During the term of the Agreement, Customer Personal Data within the Platform is retained for a default period of three hundred and sixty (360) days from ingestion for Threat Hunting service data. Customer may configure shorter retention periods within the Platform. Upon expiration or termination of the Agreement, data is deleted or returned in accordance with Section 10 of this DPA. Extended retention for legal hold or legal defense purposes is governed by Sections 10.2 and 10.3.

Transfer Mechanism

Where applicable, Customer Personal Data is transferred under the SCCs and UK Addendum as set forth in Section 12 of this DPA.

Annex II: Technical and Organizational Measures

Flecks implements and maintains the technical and organizational measures described below, designed to ensure a level of security appropriate to the risk in accordance with Article 32 of the GDPR. Additional detail regarding these measures is set forth in the Flecks Security Practices document, available at flecks.ai/security or upon request. Flecks may update these measures from time to time provided that such updates do not materially diminish the overall level of security.

Security Control Category | Description
1. Governance | Flecks assigns appropriate roles for developing, coordinating, implementing, and managing administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Personal Data. Data security personnel are appropriately trained, qualified, and experienced.
2. Risk Assessment | Flecks conducts periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls.
3. Information Security Policies | Flecks maintains documented information security policies, approved by management and communicated to relevant personnel. Policies are reviewed at planned intervals or upon significant changes.
4. Human Resources Security | Background screening of personnel is conducted where permitted by law. Personnel receive periodic privacy and security training appropriate to their roles. Confidentiality obligations are contractually imposed.
5. Customer-Isolated Environments | Customer Personal Data is stored within Customer-Isolated Environments using logical separation mechanisms appropriate to the Customer’s subscription tier. Enterprise-tier Customers receive enhanced isolation.
6. Access Controls | Role-based access controls limit access to systems hosting Customer Personal Data on a need-to-know basis. Multi-factor authentication is required for administrative access. Personnel access rights are reviewed periodically. Termination procedures revoke access promptly. Flecks personnel do not have standing access to Customer Personal Data in the ordinary course of operating the Platform; access occurs only through the Authorized Access mechanisms in Section 6 of this DPA.
7. Cryptography | Customer Personal Data is encrypted in transit and at rest using industry-standard methods. Encryption keys are managed through a secure key management system. Flecks reviews and updates its cryptographic practices periodically.
8. Physical Security | Customer Personal Data is hosted in third-party cloud data centers maintaining recognized physical security certifications (including SOC 2 and ISO 27001). Flecks office premises maintain appropriate physical access controls.
9. Operations Security | Periodic network and application vulnerability scanning is performed. Independent third parties conduct periodic penetration testing. Vulnerabilities are documented and remediated based on severity. Proactive network monitoring is in place.
10. Communications Security | Network boundaries are maintained using firewalls and network traffic filtering. Internal segmentation isolates critical systems.
11. System Acquisition, Development, and Maintenance | Secure development lifecycle controls including code review, static analysis, dependency scanning, and security testing are applied prior to production release. Configuration management policies govern system changes.
12. Supplier Relationships | Sub-processors are subject to written data protection agreements imposing obligations no less protective than this DPA. Sub-processors are reviewed for security posture prior to engagement and periodically thereafter.
13. Information Security Incident Management | Flecks maintains automated security monitoring and incident detection capabilities designed to identify unauthorized access and other security events. Documented incident response procedures with defined roles, escalation paths, and communication protocols are in place. The incident response plan is tested at least annually.
14. Business Continuity Management | Backup and recovery procedures support continuity of the Platform. Recovery objectives are documented and tested. Backups of Customer security findings, telemetry events, and data-lake records are retained within the Customer-selected region.
15. Compliance | Flecks maintains procedures designed to ensure applicable statutory, regulatory, and contractual requirements are met.
16. Authorized Access Logging | Flecks maintains immutable audit logs of Flecks personnel access to Customer Personal Data, including query-level detail. Audit log reports are made available to Customer upon reasonable request.
17. Data Minimization, De-identification, and Deletion | The Client-Side Software architecture minimizes data transmitted to the Platform by sending parsed Security Metadata rather than raw forensic artifacts. Aggregation and de-identification techniques are applied where appropriate to the Processing purpose. Deletion is effected through decommissioning of Customer-Isolated Environments.

Annex III: Authorized Sub-processors

The following Sub-processors are authorized to Process Customer Personal Data on behalf of Flecks. Flecks maintains an up-to-date list and will notify Customer of changes in accordance with Section 5.2.

Sub-processor | Location | Service Provided
Amazon Web Services, Inc. | United States (with regional storage as elected by Customer) | Cloud infrastructure hosting, data storage and compute, and key management (AWS KMS)
Amazon Web Services, Inc. (AWS Bedrock) | United States (within existing AWS infrastructure) | Generative AI inference for generation of natural-language summary descriptions from Aggregated Data. AWS Bedrock (AWS Nova model family) is configured with zero data retention; no Customer Personal Data or Aggregated Data is retained by AWS following completion of an inference request. AWS Bedrock is an extension of the existing AWS sub-processor relationship.
Flecks sp. z o.o. | Poland | Affiliate Processing for Platform development, infrastructure operation, threat research, and Customer support; data access on a no-default-access basis as described in Section 6
Google LLC (Google Workspace) | United States (with data processing per Google’s Data Processing Amendment) | Corporate email (Gmail), documents (Google Docs/Drive), and collaboration tools. Processes Personal Data of Authorized Users and may process Customer Personal Data incidentally present in support correspondence, incident communications, and privacy workflow documentation.
Atlassian Pty Ltd (Jira Service Management) | United States and Australia (with data residency options per Atlassian’s DPA) | Service management and ticketing for support requests, vulnerability remediation tracking, and Data Subject Rights request workflows. Processes Customer Personal Data included in support tickets, breach notification records, and DSR intake and fulfillment documentation.

Note on Telemetry: Flecks operates internal telemetry collection using OpenTelemetry (OTEL) infrastructure. This infrastructure is operated by Flecks and is not provided by a third-party service. No telemetry is transmitted to third-party observability vendors outside of the Sub-processors listed above.

Exhibit B: Standard Contractual Clauses

Where Section 12 of this DPA requires the application of the SCCs and/or the UK Addendum, the parties agree that the SCCs (and where applicable the UK Addendum) are incorporated by reference into this DPA, with the elections set forth in Section 12.1 and the Annexes populated by reference to Annexes I, II, and III to this DPA.