The DPA your legal team will read.
A GDPR Article 28 Data Processing Agreement between you (controller) and Flowix B.V. (processor). Standard clauses, no surprises.
1. Parties and scope
This Data Processing Agreement ("DPA") is entered into between Flowix B.V. ("Processor") and the customer ("Controller") that subscribes to Snimio. It forms part of the Terms of Service and applies whenever Flowix processes personal data on behalf of the Controller.
2. Subject matter and duration
The Processor processes personal data only as needed to provide the Snimio service. The DPA remains in force for as long as the Controller's subscription is active and for the retention periods set out in section 7.
3. Nature and purpose
- Nature: hosting, syncing, AI-assisted summarisation and reply drafting.
- Purpose: delivering the contracted Snimio service to the Controller and its users.
4. Categories of data and data subjects
- Data subjects: Controller's employees, contractors, customers, and their email correspondents.
- Data categories: account identifiers (email, name), email metadata (headers, sender, subject) and email content (only in transit through AI inference, never stored).
5. Processor obligations
- Process personal data only on documented instructions from the Controller (the Snimio service settings count as instructions).
- Ensure all personnel handling data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see section 9).
- Notify the Controller without undue delay (within 48 hours) of any personal data breach.
- Assist the Controller with data subject rights requests, DPIAs and supervisory authority consultations.
6. Sub-processors
The Controller authorises the use of the following sub-processors. The Processor will notify the Controller of any changes at least 30 days in advance, and the Controller may object on reasonable grounds.
- Anthropic, AI inference (EU routing, zero-retention API).
- Hetzner Online GmbH, infrastructure hosting in Falkenstein, Germany.
- Stripe, payments (Ireland).
- Postmark, transactional email (EU region).
7. Retention and deletion
Personal data is retained only as long as needed for the service and is deleted (or returned to the Controller in a structured format) within 90 days of termination. See the privacy policy for category-by-category retention.
8. International transfers
The Processor processes all personal data inside the EU/EEA. Where any sub-processor sits outside the EU/EEA, transfers are governed by Standard Contractual Clauses (SCC, 2021/914) plus supplementary measures.
9. Technical and organisational measures
- TLS 1.3 strict for all in-transit data.
- AES-256 encryption at rest for OAuth tokens, account credentials and backups.
- Role-based access control with hardware-key MFA for all production access.
- Quarterly penetration tests by an independent third party.
- Annual security training and incident-response drills.
- Audit logging of all production access, retained 12 months.
10. Audit rights
The Controller may audit the Processor's compliance once per year, on 30 days' written notice, during normal business hours. The Processor will also share its current SOC 2 and ISO 27001 reports once available (target Q3 2026 and Q2 2026 respectively).
11. Liability
Liability under this DPA is governed by the Terms of Service. Where the GDPR imposes joint and several liability, the parties' internal allocation follows Article 82 GDPR.
12. Signing this DPA
Subscribing to Snimio constitutes acceptance of this DPA. If your legal team requires a signed counter-signature, email legal@flowix.io with your company details and we'll send a signed PDF the same day.
For DPA escalations, breach notifications or general questions: legal@flowix.io. Our Data Protection Officer is reachable at dpo@flowix.io.