Flowvenue – Data Processing Agreement

DPA

Effective Date: January 2026

Preamble

By accepting Flowvenue's Terms and Conditions (available at /en/terms-of-service), of which this Data Processing Agreement ("DPA") forms an integral and substantial part, the user (the "Controller" or the "Company") accesses the services provided by Flowvenue Srls, with registered office at Viale Giorgio Ribotta 11, 00144 Rome, (the "Processor" or the "Provider", and together with the Company, the "Parties") through its platform (the "Platform").

Pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR") and, where applicable, the UK General Data Protection Regulation as incorporated by the Data Protection Act 2018 (collectively, the "Applicable Data Protection Laws"), the Parties agree as follows:

1. Definitions

In this DPA:

"Applicable Law" means the GDPR, the UK GDPR, Legislative Decree 196/2003 (as amended by Legislative Decree 101/2018), and any other EU or UK national data protection law, regulation, or guideline in force, including those issued by the Italian Garante or the UK Information Commissioner's Office (ICO).

"Security Measures" means the technical and organizational measures required under Article 32 GDPR and equivalent UK GDPR provisions.

"Sub-Processor" means any third party engaged by the Provider to process personal data on behalf of the Controller.

"Security Incident" means any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

2. Purpose and Roles

The Controller appoints the Provider as external Data Processor for the processing operations necessary to perform the Contract, within the limits specified in Annex 1.

The Provider shall process Personal Data solely for the purposes and in accordance with the documented instructions of the Controller, ensuring compliance with Applicable Law.

3. Obligations of the Provider

3.1 Purpose and Lawfulness

The Provider undertakes to:

process Personal Data exclusively for the performance of the Contract and according to the Controller's documented instructions;
ensure that processing is lawful, fair, and transparent in accordance with Article 5 GDPR and UK GDPR;
limit processing to data strictly necessary for the specified purpose.

3.2 Security and Confidentiality

The Provider shall:

implement and maintain appropriate Security Measures based on the state of the art and nature of the data;
regularly update such measures in light of technological evolution;
ensure confidentiality and training of all authorized personnel;
adopt procedures for managing Security Incidents and notify the Controller within 24 hours of becoming aware, providing details and corrective measures (in line with Article 33 GDPR and Article 33 UK GDPR).
perform periodic vulnerability assessments and risk evaluations at least once per year, maintain written records of results, and provide such documentation to the Controller upon written request.

3.3 Authorized Personnel

The Provider shall:

designate authorized personnel in writing and ensure they act under its direct authority;
maintain an updated list of authorized personnel and verify compliance annually.

3.4 Data Subject Rights

The Provider shall assist the Controller in fulfilling data subjects' rights under Articles 12–23 GDPR and equivalent UK GDPR provisions.

Any request received directly from a data subject shall be forwarded to the Controller within three (3) business days.

3.5 Data Transfers outside the EEA or the UK

Any transfer of personal data outside the European Economic Area ("EEA") or the United Kingdom shall occur only:

to countries subject to an adequacy decision by the European Commission or the UK Secretary of State; or
under the EU Standard Contractual Clauses (SCCs) or the UK Addendum to the EU SCCs, or any future transfer mechanism recognized under Chapter V GDPR or the UK GDPR.

The Provider shall maintain written records of all such transfers.

3.6 Sub-Processors

The Controller grants a general authorization for the use of Sub-Processors.

The Provider shall notify the Controller of any new or replacement Sub-Processor at least 10 days in advance.

The Controller may object for legitimate reasons within that period. In the absence of objection, the appointment shall be deemed accepted.

The Provider shall ensure that each Sub-Processor is bound by a written agreement equivalent to this DPA and remains fully liable for their performance.

4. Obligations of the Controller

The Controller warrants that it shall:

process personal data lawfully and fairly;
provide compliant privacy notices to data subjects;
ensure a valid legal basis for each processing activity;
provide documented and updated instructions to the Provider;
refrain from processing special categories of data unless expressly agreed in writing.

5. Use of Artificial Intelligence Technologies

The Controller authorizes the Provider to use generative AI and conversational models solely for Platform functionalities that require them.

The Provider ensures that such systems:

comply with principles of transparency, fairness, and non-discrimination;
do not use the Controller's Personal Data to train general-purpose models without explicit consent;
operate in compliance with the forthcoming EU AI Act and any equivalent UK legislation once in force.

6. Audits and Inspections

The Controller may, with at least 10 business days' prior written notice, carry out (directly or via an independent auditor) audits to verify the Provider's compliance.

Such audits shall not occur more than once per year unless in case of documented incidents.

Audit costs shall be borne by the Controller.

7. Duration and Termination

This DPA remains in force for the duration of the Contract.

Upon termination:

the Provider shall delete or return all personal data within 30 days, unless retention is required by law;
deletion shall be confirmed in writing;
backups shall be securely destroyed within 90 days.

At the Controller's request, data shall be exported in an interoperable format (e.g., CSV, JSON).

8. Liability and Indemnification

Each Party shall be liable for damages arising from processing activities that violate their respective obligations under the GDPR, the UK GDPR, or this DPA.

The Provider shall indemnify and hold the Controller harmless from any claim resulting from a breach attributable to the Provider or its Sub-Processors.

9. Final Provisions

No Additional Compensation: Unless otherwise agreed, the Provider shall not receive additional remuneration for its role as Data Processor.

Governing Law and Jurisdiction:

For Controllers established in the EU, this DPA is governed by Italian law and the GDPR; disputes shall be submitted to the competent court of Rome, Italy.
For Controllers established in the United Kingdom, this DPA is governed by the laws of England and Wales and the UK GDPR; disputes shall be submitted to the exclusive jurisdiction of the courts of London, United Kingdom.

Amendments: Any amendment must be in writing.

Severability: The invalidity of one provision shall not affect the validity of the remaining clauses.

Annex 1 – Description of Processing

Categories of Data Subjects:

☒ Prospects
☒ Clients
☒ Former clients
☒ Agents
☒ Suppliers
☒ Platform/Site users

Categories of Data:

☒ Personal details (name, surname)
☒ Contact details (email, phone, address)
☒ Browsing data (IP, cookies, logs)
☒ Professional data (company, role)
☒ Social data (nickname, profile picture)

Special Categories of Data:

☒ None

Processing Operations:

☒ Collection
☒ Storage
☒ Extraction
☒ Consultation
☒ Use
☒ Communication
☒ Deletion
☒ Destruction

Purpose:

Execution of conversational SaaS services and automation of business processes provided by Flowvenue, including user management, conversations, workflows, and omnichannel communications.

This Data Processing Agreement is compliant with the General Data Protection Regulation (GDPR) of the European Union, the UK GDPR, and Italian regulations on personal data protection.