FloWorxIQ Data Processing Addendum (DPA)

Last Updated: September 20, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between FloWorxIQ Inc. (“FloWorxIQ”, “Processor”) and the customer (“User”, “Controller”) (each a “Party”, together the “Parties”).

1. Roles of the Parties

  • Controller: The User, who determines the purposes and means of processing Personal Data.

  • Processor: FloWorxIQ, which processes Personal Data on behalf of the User.

  • Terms like “Personal Data,” “Processing,” “Data Subject,” and “Supervisory Authority” have the meanings given under Applicable Privacy Laws (PIPEDA, Alberta PIPA, GDPR, etc.).

2. Subject Matter & Scope

FloWorxIQ provides AI-powered email automation, classification, and drafting tools. This DPA governs FloWorxIQ’s Processing of Personal Data to provide the Service as described in the Agreement.

3. Duration

This DPA remains in effect for the Term of the Agreement and thereafter until FloWorxIQ deletes or returns all Personal Data in accordance with this DPA.

4. Processor Obligations

FloWorxIQ shall:

  1. Process Personal Data only on documented instructions from the User, unless required by law.

  2. Notify the User if an instruction infringes Applicable Privacy Laws.

  3. Implement appropriate technical and organizational measures to protect Personal Data (see Appendix A).

  4. Ensure staff authorized to Process Personal Data are bound by confidentiality obligations.

  5. Assist the User in responding to Data Subject requests (e.g., access, correction, deletion, portability) where legally required.

  6. Notify the User without undue delay after becoming aware of a Personal Data Breach.

  7. Maintain records of Processing as required by Applicable Privacy Laws.

  8. Delete or return Personal Data after the end of the Service, unless retention is required by law.

5. Controller Obligations

The User shall:

  1. Provide lawful instructions to FloWorxIQ for Processing.

  2. Ensure it has obtained all necessary consents and notices for Processing of Personal Data.

  3. Be solely responsible for the accuracy, quality, and legality of Personal Data.

6. Subprocessors

  1. The User authorizes FloWorxIQ to use subprocessors (e.g., cloud hosting, AI providers) for the provision of the Service.

  2. FloWorxIQ will ensure subprocessors are bound by data protection obligations no less protective than this DPA.

  3. FloWorxIQ will notify the User of new subprocessors and provide an opportunity to reasonably object.

7. International Transfers

FloWorxIQ may transfer Personal Data outside of Canada (and, where applicable, outside the EEA/UK) as necessary to provide the Service.

Such transfers will be made under appropriate safeguards, including Standard Contractual Clauses (SCCs) or other lawful mechanisms.

8. Breach Notification

FloWorxIQ shall notify the User without undue delay after becoming aware of a Personal Data Breach, providing:

  • A description of the breach and likely consequences.

  • Measures taken or proposed to address the breach.

  • Contact details for further information.

9. Audit & Compliance

  1. FloWorxIQ will make available information necessary to demonstrate compliance with this DPA.

  2. The User may request audits or inspections, subject to:

    • Reasonable advance notice,

    • Confidentiality requirements,

    • Minimal disruption, and

    • At most one audit per 12-month period unless required by law.

10. Liability

The Parties’ liability under this DPA is subject to the limitations of liability set forth in the Agreement, unless prohibited by law.

11. Governing Law & Jurisdiction

This DPA shall be governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein. Disputes shall be resolved by the courts of Calgary, Alberta, unless otherwise required by Applicable Privacy Laws.

📎 Appendix A – Data Processing Details

Subject Matter: Provision of the FloWorxIQ Service.

Duration: For the Term of the Agreement and any retention required by law.

Nature/Purpose of Processing: Accessing, storing, classifying, and generating drafts from email content and related data to deliver the Service.

Categories of Data Subjects: User employees, customers, prospects, business contacts, meeting participants, and others whose data is included in connected email accounts.

Types of Personal Data:

  • Identity/Contact: names, emails, phone numbers, job titles.

  • Email Content: subject lines, message bodies, attachments, metadata.

  • Account/Billing: payment details (processed via PCI-compliant providers).

  • Technical: IP addresses, device/browser data, log data.

Appendix B – Security Measures (Illustrative)

FloWorxIQ maintains security measures including:

  • Encryption in transit (TLS) and at rest (AES-256).

  • Role-based access control, multi-factor authentication.

  • Principle of least privilege for staff.

  • Regular backups and secure deletion practices.

  • Hosting on cloud providers with ISO 27001 / SOC 2 compliance.

  • Logging, monitoring, and vulnerability management.

  • Annual third-party penetration testing.