This Data Processing Agreement (this "DPA") is incorporated into the agreement between Fluid Posts and Customer referencing this Data Processing Agreement (the "Agreement"). Capitalized terms used but not defined in this DPA (or in another document referenced by this DPA) will be understood to have the meanings given to them in the Agreement.
1. Data Processing, Subject Matter, and Roles
1.1 Data Processing
In the course of providing the Services to Customer pursuant to the Agreement, Fluid Posts may Process Customer Data that constitutes "personal data," "personal information," "personally identifiable information," or an analogous term under applicable law ("Customer Personal Data"). The Parties agree to comply with this DPA and all privacy and data protection laws applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, those of Singapore (including the Personal Data Protection Act 2012 ("PDPA")), the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States (including the California Consumer Privacy Act or "CCPA") (collectively, "Data Protection Laws").
1.2 Subject Matter
The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of "Data Subjects" (as such term is defined under applicable Data Protection Laws) are set out in Annex I, which is an integral part of this DPA.
1.3 Roles
Customer is a "Controller" or "Business" (as such terms are defined under applicable Data Protection Law) and appoints Fluid Posts as a "Processor" or "Service Provider" (as such terms are defined under applicable Data Protection Law) on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers and Businesses. If Customer is a Processor on behalf of a Controller for which Customer is a Processor ("Third-Party Controller"), then Customer (i) is the single point of contact for Fluid Posts, (ii) must obtain all necessary authorizations from such Third-Party Controller, and (iii) undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
For purposes of the PDPA, Customer is the organization responsible for Customer Personal Data and Fluid Posts is processing Customer Personal Data on Customer's behalf.
2. Processing Instructions
Fluid Posts shall Process Customer Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes: (i) Processing in accordance with the DPA, Agreement, and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3. Personnel
Fluid Posts will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
4. CCPA Limitations on Processing
Except as permitted by applicable Data Protection Law or this DPA, Fluid Posts is prohibited from: (a) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purposes of performing the Services and in accordance with Customer's documented instructions; (b) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties; (c) combining Customer Personal Data with Customer Personal Data obtained from, or on behalf of, sources other than Customer; and (d) "Selling" or "Sharing" (as such terms are defined under applicable Data Protection Laws) Customer Personal Data.
5. Security and Security Incident
5.1 Security
Fluid Posts will implement reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks presented by the Processing of Customer Personal Data in accordance with the measures set forth in Annex II.
5.2 Security Incident Notification
Fluid Posts will notify Customer without undue delay after becoming aware of any actual or reasonably suspected unauthorized access to, or other Processing of, Customer Personal Data ("Security Incident"). If Fluid Posts' notification of a Security Incident is delayed, it will be accompanied by reasons for the delay.
5.3 Security Incident Response
Fluid Posts will take reasonable measures in response to a Security Incident, including (i) taking measures designed to mitigate any Security Incident and prevent the recurrence of the Security Incident, (ii) providing Customer with reasonable information relating to the Security Incident known to Fluid Posts, and (iii) providing other commercially reasonable assistance to Customer in complying with its obligations under applicable Data Protection Laws.
5.4 Vulnerability Testing
Fluid Posts will perform vulnerability scanning of Fluid Posts' software-as-a-service platform used to provide the Services.
5.5 Encryption
Fluid Posts will encrypt Customer Personal Data in accordance with industry accepted standards, strong encryption techniques, and current security protocols.
6. Subprocessing
6.1 Subprocessors
Customer hereby authorizes Fluid Posts to engage any Processor that processes Customer Personal Data on behalf of Fluid Posts ("Subprocessor"). A list of Fluid Posts' current Subprocessors is set out in Annex III.
6.2 Subprocessor Agreements
Fluid Posts will enter into a written agreement with all Subprocessors which imposes substantially similar obligations on the Subprocessors as the obligations imposed on Fluid Posts under this DPA.
6.3 Subprocessor Changes
Fluid Posts will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds that the appointment of such Subprocessor will result in a material violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Fluid Posts' notification of the intended change. Customer and Fluid Posts will work together in good faith to address Customer's objection. If Fluid Posts chooses to retain such new Subprocessor, Fluid Posts will inform Customer at least thirty (30) days before authorizing such Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services that use such Subprocessor, as applicable, and may terminate the relevant parts of the Services that use such Subprocessor within thirty (30) days.
7. Assistance
7.1 Assistance
Taking into account the nature of the Processing, and the information available to Fluid Posts, Fluid Posts will provide reasonable assistance, including in connection with implementing appropriate technical and organizational measures, to Customer designed to comply with Data Subject or "Consumer" (as such term is defined under applicable Data Protection Laws) requests, reply to inquiries, complaints, and investigations, and conduct data protection impact assessments, data protection assessments, and prior consultations with regulators.
8. Audit
Upon Customer's reasonable written request, Fluid Posts will provide reasonable documentation regarding Fluid Posts' applicable controls and compliance with this DPA, taking into account the nature of the Services and the need to protect confidentiality and security (for example, policies, summaries, and security questionnaires). Customer may use such documentation only for the purposes of meeting Customer's regulatory audit requirements and confirming compliance with the requirements of the DPA.
9. International Data Transfers
9.1 European Data Transfers
Fluid Posts will obtain Customer's specific prior written authorization for any transfer of Customer Personal Data subject to European Data Protection Law that is not subject to an adequacy decision by the European Commission ("International Data Transfer"). Customer hereby authorizes Fluid Posts to conduct International Data Transfers outside the EEA or Switzerland:
- to any country subject to a valid adequacy decision of the European Commission;
- on the basis of an organization's binding corporate rules approved by EEA Supervisory Authorities; and
- to any data importer with whom Fluid Posts has entered into standard contractual clauses ("SCCs") or other legally recognized transfer mechanisms, as applicable.
9.2 European Transfer Mechanisms
To the extent the SCCs are required for International Data Transfers subject to European Data Protection Law, the Parties may incorporate the SCCs by reference or otherwise enter into the SCCs.
9.3 UK Data Transfers
Customer hereby authorizes Fluid Posts to perform International Data Transfers outside the UK subject to the requirements:
- to any country subject to a valid adequacy decision issued by the UK Government;
- on the basis of an organization's binding corporate rules approved by the UK Information Commissioner; and
- to any data importer with whom Fluid Posts has entered into other standard contractual clauses or other legally recognized transfer mechanisms issued or recognized by the UK Information Commissioner, as appropriate.
9.4 UK Transfer Mechanism
To the extent required for International Data Transfers outside the UK, the Parties may enter into standard contractual clauses or other legally recognized transfer mechanisms issued or recognized by the UK Information Commissioner, as appropriate.
10. Return and Deletion
Following the date of expiration or earlier termination of the Agreement, Fluid Posts will promptly return or delete all Customer Personal Data; provided, however, that Fluid Posts may retain copies of Customer Personal Data as expressly agreed by the parties or as required by applicable law or contained in standard backups that will remain subject to the protections of this DPA.
Annex I: Description of the Transfer
A. List of Parties
Data exporter:
- Name: Customer (as defined above)
- Activities relevant to the data transferred under these Clauses: Customer receives Fluid Posts' services as described in the Agreement and Customer provides Personal Data to Fluid Posts in that context.
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
- Name: Fluid Posts (as defined above)
- Activities relevant to the data transferred under these Clauses: Fluid Posts provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
- Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. Description of International Data Transfer
| Field | Description |
|---|---|
| Categories of Data Subjects whose Customer Personal Data is transferred | Customer's customers; Customer's personnel, staff and contractors |
| Categories of Customer Personal Data transferred | Name; Contact details |
| Sensitive data transferred (if applicable) | N/A |
| Frequency of the International Data Transfer | On a continuous basis |
| Nature of the processing | The Customer Personal Data will be processed and transferred as described in the Agreement |
| Purpose(s) of the International Data Transfer and further Processing | The Customer Personal Data will be transferred and further processed for the provision of the services as described in the Agreement |
| Retention period | Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law |
| For International Data Transfer to (Sub)Processors | For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement |
C. Competent Supervisory Authority
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
Annex II: Technical and Organizational Measures
Fluid Posts will implement security safeguards designed to protect Customer Personal Data from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage using reasonable and appropriate technical and organizational measures.
Annex III: List of Subprocessors
Customer authorizes Fluid Posts to engage the following Subprocessors:
| Name | Location of Processing | Nature and Purpose of Processing |
|---|---|---|
| OpenAI | United States | AI Model Service Provider |
| Anthropic | United States | AI Model Service Provider |
| | United States | AI Model Service Provider / User authentication services |
| Cloudflare | United States | Content delivery network provider |
| Neon | United States | Database |
| Inbound | United States | Email sending |
| PostHog | United States | Analytics, Logging, and Error tracking |
| Stripe | United States | Payment Processing |
| GitHub | United States | User authentication services |
| Discord | United States | User authentication services |
| Apollo | United States | Customer Support |