Data Processing Addendum (DPA)
Effective as of May 1, 2026
[PLACEHOLDER LEGAL] Pending legal review
This DPA applies if your use of FlorioIn means we process personal data subject to GDPR, LGPD, LFPDPPP, or similar regulations. [PLACEHOLDER LEGAL] Final version requires review by privacy counsel.
1. Roles
You are the Controller (you decide the purpose and means of processing). FlorioIn is the Processor (we process per your documented instructions, expressed through the product config and this DPA).
2. Nature and purpose
We process personal data as needed to deliver the service described in the Terms: hosting tasks, documents, messages; executing AI functions; aggregated analytics.
3. Sub-processors
We maintain a public, current sub-processor list. We notify you 30 days before adding a sub-processor. You may object.
[PLACEHOLDER LEGAL] List in final version.
4. International transfers
Cross-jurisdiction transfers happen under Standard Contractual Clauses (EU), the Mexico-US safe-transfer mechanism, or equivalents as applicable.
5. Security
We apply technical and organizational measures described at /security: encryption, multi-tenant RLS, audit logs, mandatory MFA for staff, least-privilege.
6. Breach notification
We give notice of breaches affecting personal data within 72 hours of detection, with the information required by applicable regulation.
7. Data subject rights
We support you in responding to data subject requests (access, correction, deletion, portability). Self-service tools are available in the dashboard.
8. Audit
We permit reasonable audits by you or an independent auditor under NDA, with 30 days' notice, no more than once per year except for breach or regulatory requirement.
9. Deletion on termination
On contract end, we delete personal data within 30 days except where legal retention is required (audit logs, billing).
10. DPO contact
dpo@florioin.com