Data Processing Agreement (DPA)
Standard Data Processing Agreement between Fleksa, Inc. and customers
Data Processing Agreement (DPA)
Fleksa, Inc. (Processor) and the Customer (Controller).
Effective: December 2024 Version: current revision of this page
This DPA is incorporated by reference into the Terms & Conditions and applies whenever Fleksa processes personal data on behalf of Customer.
1. Parties
- Processor: Fleksa, Inc., 10900 Research Blvd 160c 1059, Austin, TX 78759, USA
- Controller: the Customer identified in the underlying subscription agreement
2. Subject Matter and Duration
Fleksa processes personal data to provide the Services described in the master agreement. Duration matches the subscription term.
3. Nature and Purpose of Processing
- Collection, storage, structuring, display, transmission, and deletion of personal data submitted by Customer or generated by Customer's end users
- Purpose: performance of the master agreement, security, fraud prevention, and statutory compliance
4. Types of Data and Categories of Data Subjects
| Data type | Data subjects |
|---|---|
| Identification and contact data | Customer's guests, staff |
| Order, reservation, and transaction data | Guests |
| Tokenized payment identifiers | Guests |
| Communication content (incl. SMS, email) | Guests, staff |
| Usage logs and metadata | Staff, end users |
5. Customer Instructions
Fleksa processes personal data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by U.S. or applicable foreign law. If such a law applies, Fleksa shall inform Customer unless the law prohibits notice.
6. Confidentiality
Personnel authorized to process personal data are bound by written confidentiality obligations.
7. Security
Fleksa implements appropriate technical and organizational measures pursuant to Data Protection §4, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control and MFA
- Logging and monitoring
- Backups and disaster recovery
- Personnel training and background checks
8. Subprocessors
Customer authorizes Fleksa to engage the subprocessors listed at /en/legal/us/subprocessors. Fleksa will provide at least 30 days' advance notice of any new subprocessor materially affecting processing of personal data; Customer may object on reasonable data-protection grounds.
9. International Transfers
Where personal data of EU/EEA, UK, or Swiss data subjects is processed:
- EU SCCs (Implementing Decision 2021/914) — Module 2 (controller → processor) or Module 3 (processor → processor)
- UK International Data Transfer Addendum (IDTA) where applicable
- Swiss FADP module where applicable
- EU-US Data Privacy Framework certification where the recipient is so certified
A Transfer Impact Assessment (TIA) is on file.
10. Data Subject Rights
Fleksa will, taking into account the nature of processing, provide reasonable assistance through appropriate technical and organizational measures, to fulfill Customer's obligations to respond to data subject requests under applicable privacy laws (GDPR, CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, etc.).
11. Breach Notification
Fleksa will notify Customer of a personal data breach without undue delay, and in any event within 48 hours of becoming aware, including all information required under Article 33(3) GDPR or analogous laws.
12. Audits
Fleksa will make available all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Customer or another auditor mandated by Customer, on reasonable advance notice (at least 30 days), no more than once per 12 months absent a security incident, and subject to confidentiality. Fleksa may satisfy audit obligations by providing SOC 2 / ISO 27001 reports once available.
13. Deletion / Return After Termination
Within 90 days after termination of the master agreement, Fleksa will delete or anonymize personal data, subject to records required for legal, regulatory, or accounting purposes (generally 7 years for U.S. tax records).
14. Liability
Each party's liability under this DPA is subject to the limitations in the master agreement.
15. Conflicts
In case of conflict between this DPA and the master agreement with respect to personal data processing, this DPA controls.
16. Governing Law
State of Texas, USA. Disputes resolved per §15 of the Terms.
Acceptance
By entering into a subscription with Fleksa, Customer is deemed to have accepted this DPA. A counter-signed version is available on request (privacy@fleksa.com).