Data Processing Addendum

Effective July 14, 2026 · Version 2026-07-14

This Data Processing Addendum ("DPA") forms part of the Terms of Service between [Operator legal name — to be completed] ("Fynlix", the "Processor") and the Customer (the "Controller"). It applies automatically — without signature — to every Customer workspace, whenever Fynlix processes personal data on the Customer's behalf in the course of providing the Service. It reflects the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR"). Capitalised terms not defined here have the meaning given in the Terms. A countersigned copy of this DPA is available on request at legal@fynlix.com.

For clarity: this DPA governs End User Data — personal data that the Customer collects and processes through its workspaces (its contacts, leads, buyers and visitors). Personal data of the Customer's own account holders and team members is processed by Fynlix as an independent controller under the Privacy Policy.

1. Roles and scope of processing

1.1 The Customer is the controller (or, where the Customer acts for its own client, a processor acting on that client's documented authority — in which case Fynlix is a subprocessor and the Customer warrants that this DPA is consistent with its obligations to its client). Fynlix is the processor.

1.2 Fynlix will process End User Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law — in which case Fynlix will inform the Customer of that legal requirement before processing, unless the law prohibits it. The Customer's instructions are: (a) the Terms and this DPA; (b) the Customer's configuration and use of the Service (including features the Customer enables and integrations the Customer connects); and (c) further documented instructions agreed between the parties. Fynlix will inform the Customer if, in its opinion, an instruction infringes data-protection law.

1.3 Details of the processing (subject matter, duration, nature and purpose, data categories, data subjects) are set out in Annex 1.

2. Customer responsibilities

The Customer is responsible for: (a) the lawfulness of its collection and processing of End User Data, including a lawful basis, a compliant privacy notice to its End Users, and any required consents (including for cookies, pixels and marketing messages the Customer deploys); (b) the accuracy and quality of the data; (c) not collecting special categories of personal data or data of children through the Service without appropriate additional safeguards and, where doing so, informing Fynlix; and (d) its Users' actions in the workspace.

3. Confidentiality

Fynlix ensures that persons authorised to process End User Data (employees and contractors) are bound by contractual or statutory confidentiality obligations and process the data only as needed for their role.

4. Security

Fynlix implements and maintains appropriate technical and organisational measures to protect End User Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. The current measures are described in Annex 2. Fynlix may update them from time to time, provided the overall level of protection is not reduced.

5. Subprocessors

5.1 General authorisation. The Customer authorises Fynlix to engage the subprocessors listed in Annex 3 and to replace or add subprocessors, subject to this Section.

5.2 Notice and objection. Fynlix will give at least 14 days' notice of intended additions or replacements (by email or in-app, and by updating Annex 3 on this page). If the Customer has reasonable data-protection grounds to object, it must notify Fynlix within that period; the parties will seek a solution in good faith, failing which the Customer may terminate the affected subscription and receive a pro-rata refund of prepaid, unused fees — the Customer's sole remedy.

5.3 Flow-down. Fynlix imposes on each subprocessor data-protection obligations materially equivalent to this DPA and remains fully liable to the Customer for the subprocessor's performance.

6. Assistance

Taking into account the nature of the processing, Fynlix will assist the Customer with appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligations regarding: (a) data-subject requests — the Service provides self-service tools for access, export, correction and deletion of contact records; if a data subject contacts Fynlix directly about a Customer workspace, Fynlix will forward the request to the Customer without undue delay and will not respond substantively except on the Customer's instruction or where legally required; and (b) security, breach notification, data-protection impact assessments and prior consultation (GDPR Articles 32–36), at the Customer's reasonable request; Fynlix may charge reasonable costs for assistance that materially exceeds the Service's built-in capabilities.

7. Personal data breach

Fynlix will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting End User Data, providing (as information becomes available) the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, and measures taken or proposed. Fynlix's notification is not an acknowledgement of fault or liability. The Customer is responsible for its own notifications to authorities and data subjects.

8. Deletion and return

Upon termination of the Service, Fynlix will, at the Customer's choice, delete or return the End User Data as described in Section 18.4 of the Terms: export tools remain available for 30 days after termination (except termination for serious AUP violations or illegality); thereafter Fynlix deletes the data from production systems, with backup copies deleted as backups rotate out, unless EU or Member State law requires longer storage. Deletion during the term (for example deleting contacts or a workspace) takes effect in production immediately and in backups as they rotate.

9. Audit and information

Fynlix will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR — including, on written request (no more than once per 12 months), completing the Customer's reasonable security questionnaire or providing summaries of relevant policies and measures. Where this does not reasonably suffice, the Customer (or an independent auditor bound by confidentiality, not a Fynlix competitor) may conduct an audit limited in scope, at the Customer's cost, during business hours, on at least 30 days' notice, no more than once per 12 months, without access to other customers' data or systems. Audit findings are confidential.

10. International transfers

End User Data is hosted in the European Union. Where a subprocessor processes personal data outside the EU/EEA (see Annex 3), the transfer is protected by an adequacy decision (including, where applicable, the EU–US Data Privacy Framework) or the European Commission's Standard Contractual Clauses (Module Three, processor-to-processor, or Module Two as applicable), which Fynlix has in place with the relevant subprocessor, plus supplementary measures where appropriate. The Customer authorises such transfers on this basis.

11. Liability and order of precedence

Liability under this DPA is subject to the limitations and exclusions of Section 16 of the Terms, except where mandatory data-protection law provides otherwise (including GDPR Article 82). In case of conflict between this DPA and the Terms regarding the processing of End User Data, this DPA prevails. This DPA is governed by the same law and jurisdiction as the Terms and lasts as long as Fynlix processes End User Data for the Customer.

Annex 1 — Details of processing

  • Subject matter: provision of the Fynlix platform (funnel/page building and hosting, CRM, forms, automations, campaigns, checkout/orders, webinars, courses, media, AI features, API/MCP).
  • Duration: the term of the Customer's subscription plus the deletion period in Section 8.
  • Nature and purpose: hosting, storage, transmission, display, organisation, analysis (for Customer-facing statistics), automation and deletion of End User Data as directed by the Customer through the Service's features; AI processing of content the Customer submits to AI features.
  • Categories of data subjects: the Customer's End Users — visitors, leads, contacts, subscribers, buyers, webinar registrants, course participants, affiliates in the Customer's own programs.
  • Categories of personal data: identification and contact data (name, email, phone, address); order and transaction data (products bought, amounts, delivery details, payment metadata — not full card numbers); communication data (messages, form submissions, survey answers); engagement and technical data (page events, email/SMS engagement, IP address, device/browser data); any further data the Customer chooses to collect via its forms and pages.
  • Special categories: not intended; the Customer must not collect them through the Service without appropriate additional safeguards (Section 2).

Annex 2 — Technical and organisational measures (summary)

  • Encryption of data in transit (TLS) across public interfaces, including published pages and the API.
  • Passwords stored only as salted cryptographic hashes; login rate limiting and lockout; optional multi-factor authentication where available.
  • Logical multi-tenant isolation: every read/write is scoped to the workspace, enforced in the application's authorization layer; scoped API keys with least-privilege permission scopes and rotation.
  • Role-based access control for Customer teams (owner/admin/member roles); administrative access to production restricted to authorised personnel over an encrypted private network.
  • Security logging and monitoring of authentication and administrative events; rate limiting and abuse detection on public endpoints.
  • Regular platform backups with restricted access and rotation; documented deployment process with health checks and rollback capability.
  • Vendor selection with data-protection review; confidentiality obligations for personnel; principle of least privilege for internal tooling.
  • Incident response process covering detection, containment, assessment and notification (Section 7).

Annex 3 — Approved subprocessors

SubprocessorPurposeLocation
[EU hosting provider — to be completed]Cloud infrastructure hosting the Service and Customer dataEuropean Union
Stripe, Inc. / Stripe Payments Europe Ltd.Payment processing for Fynlix subscriptions; Stripe Connect platform services for Customer payment accountsEU / USA
OpenRouter, Inc.AI request routing for AI features (processes content submitted to AI features)USA
AI model providers routed via OpenRouter (e.g. Anthropic, Google, DeepSeek)Generating AI output for content the Customer submits to AI featuresUSA / EU

Third-party services the Customer connects to its workspace (for example the Customer's own Stripe account, shipping carriers, social networks, SMTP servers or tracking pixels) act on the Customer's instructions under the Customer's own agreements with them; they are the Customer's providers, not Fynlix subprocessors.