Data Processing Agreement

Last updated: January 12, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Hatamori, Inc. ("Processor") and the Customer ("Controller") for the provision of FlowMind services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Controller" means the entity which determines the purposes and means of Processing.
  • "Processor" means the entity which processes Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Processor to process Personal Data.

2. Processing of Personal Data

2.1 Processor's Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure security
  • Not engage another processor without prior specific or general written authorization
  • Assist the Controller in responding to Data Subject requests
  • Delete or return all Personal Data after the end of services

2.2 Controller's Obligations

The Controller shall:

  • Ensure that the processing is lawful
  • Provide clear instructions for processing
  • Ensure accuracy of Personal Data provided
  • Comply with applicable data protection laws

3. Details of Processing

3.1 Subject Matter

Processing of Personal Data in connection with the FlowMind pulse survey and team analytics platform.

3.2 Duration

For the duration of the Terms of Service plus any retention period required by law or as specified in the service configuration.

3.3 Nature and Purpose

  • Collection and analysis of employee pulse survey responses
  • Generation of team analytics and insights
  • Integration with Slack for survey distribution and response collection
  • AI-powered analysis of team health metrics

3.4 Categories of Data Subjects

  • Controller's employees
  • Controller's contractors and consultants
  • Other Slack workspace members

3.5 Categories of Personal Data

  • Name and email address
  • Slack user ID and profile information
  • Survey responses and feedback
  • Usage data and interaction logs
  • Team and role information

4. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Logging and monitoring of access to Personal Data
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery plans
  • Employee training on data protection

5. Sub-processors

5.1 Authorized Sub-processors

The Controller agrees to the use of the following sub-processors:

  • Railway - Cloud hosting and database services (USA)
  • OpenAI - AI analysis services (USA)
  • MongoDB Atlas - Database services (Multi-region)
  • AWS - Infrastructure services (Multi-region)

5.2 New Sub-processors

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests for:

  • Access to their Personal Data
  • Rectification of inaccurate data
  • Erasure of Personal Data
  • Restriction of processing
  • Data portability
  • Objection to processing

7. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach, providing:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. Audit and Inspection

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • The Controller gives reasonable notice of at least 30 days
  • Audits are conducted during the Processor's regular business hours
  • The Controller and any mandated auditor enter into appropriate confidentiality agreements
  • Audits are conducted at the Controller's expense

9. International Transfers

Any transfer of Personal Data to third countries shall be subject to appropriate safeguards:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules
  • Other mechanisms recognized by applicable law

10. Return and Deletion of Data

Upon termination of the services, the Processor shall, at the choice of the Controller, either:

  • Delete all Personal Data and certify such deletion in writing; or
  • Return all Personal Data to the Controller in a standard, machine-readable format and then delete remaining copies

In either case, the Processor may retain Personal Data only to the extent, and for as long as, required by applicable law.

11. Liability and Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set out in the Terms of Service. Each party shall indemnify the other against all damages arising from its breach of this DPA.

12. Governing Law

This DPA shall be governed by the same law as the Terms of Service. Any disputes arising from this DPA shall be resolved according to the dispute resolution provisions in the Terms of Service.

Execution

This DPA is entered into and becomes a binding part of the Terms of Service when the Customer accepts the Terms of Service.

Controller:

[Customer Name]

By: _______________________

Name:

Title:

Date:

Processor:

Hatamori, Inc.

By: _______________________

Name:

Title:

Date:

Questions?

If you have any questions about this Data Processing Agreement, please contact us at legal@flowmind.io