Flowvenue – Data Processing Agreement

DPA

Effective Date: June 2026

Preamble

By accepting Flowvenue's Terms and Conditions (available at /en/terms-of-service), of which this Data Processing Agreement ("DPA") forms an integral and substantial part, the user (the "Controller" or the "Company") accesses the services provided by Flowvenue SRL, with registered office at Viale Giorgio Ribotta 11, 00144 Rome, (the "Processor" or the "Provider", and together with the Company, the "Parties") through its platform (the "Platform").

Pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR") and, where applicable, the UK General Data Protection Regulation as incorporated by the Data Protection Act 2018 (collectively, the "Applicable Data Protection Laws"), the Parties agree as follows:

1. Definitions

In this DPA:

"Applicable Law" means the GDPR, the UK GDPR, Legislative Decree 196/2003 (as amended by Legislative Decree 101/2018), and any other EU or UK national data protection law, regulation, or guideline in force, including those issued by the Italian Garante or the UK Information Commissioner's Office (ICO).

"Security Measures" means the technical and organizational measures required under Article 32 GDPR and equivalent UK GDPR provisions.

"Sub-Processor" means any third party engaged by the Provider to process personal data on behalf of the Controller.

"Security Incident" means any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

2. Purpose and Roles

The Controller appoints the Provider as external Data Processor for the processing operations necessary to perform the Contract, within the limits specified in Annex 1.

The Provider shall process Personal Data solely for the purposes and in accordance with the documented instructions of the Controller, ensuring compliance with Applicable Law.

3. Obligations of the Provider

3.1 Purpose and Lawfulness

The Provider undertakes to:

process Personal Data exclusively for the performance of the Contract and according to the Controller's documented instructions;
ensure that processing is lawful, fair, and transparent in accordance with Article 5 GDPR and UK GDPR;
limit processing to data strictly necessary for the specified purpose.

3.2 Security and Confidentiality

The Provider shall:

implement and maintain appropriate Security Measures based on the state of the art and nature of the data;
regularly update such measures in light of technological evolution;
ensure confidentiality and training of all authorized personnel;
adopt procedures for managing Security Incidents and notify the Controller within 24 hours of becoming aware, providing details and corrective measures (in line with Article 33 GDPR and Article 33 UK GDPR).
perform periodic vulnerability assessments and risk evaluations at least once per year, maintain written records of results, and provide such documentation to the Controller upon written request.

3.3 Authorized Personnel

The Provider shall:

designate authorized personnel in writing and ensure they act under its direct authority;
maintain an updated list of authorized personnel and verify compliance annually.

3.4 Data Subject Rights

The Provider shall assist the Controller in fulfilling data subjects' rights under Articles 12–23 GDPR and equivalent UK GDPR provisions.

Any request received directly from a data subject shall be forwarded to the Controller within three (3) business days.

3.5 Data Transfers outside the EEA or the UK

Any transfer of personal data outside the European Economic Area ("EEA") or the United Kingdom shall occur only:

to countries subject to an adequacy decision by the European Commission or the UK Secretary of State; or
under the EU Standard Contractual Clauses (SCCs) or the UK Addendum to the EU SCCs, or any future transfer mechanism recognized under Chapter V GDPR or the UK GDPR.

The Provider shall maintain written records of all such transfers.

3.6 Sub-Processors

The Controller grants a general authorization for the use of Sub-Processors.

The Provider shall notify the Controller of any new or replacement Sub-Processor at least 10 days in advance.

The Controller may object for legitimate reasons within that period. In the absence of objection, the appointment shall be deemed accepted.

The Provider shall ensure that each Sub-Processor is bound by a written agreement equivalent to this DPA and remains fully liable for their performance.

The current list of authorized Sub-Processors is set out in Annex 2. Any updates follow the advance-notice procedure above.

4. Obligations of the Controller

The Controller warrants that it shall:

process personal data lawfully and fairly;
provide compliant privacy notices to data subjects;
ensure a valid legal basis for each processing activity;
provide documented and updated instructions to the Provider;
refrain from processing special categories of data unless expressly agreed in writing.

5. Use of Artificial Intelligence Technologies

The Controller authorizes the Provider to use generative AI and large language models (LLMs) solely for Platform functionalities that require them (conversational assistant, process design, translation assist, and similar use cases).

5.1 LLM inference modes

Depending on the Controller's configuration and subscribed plan, LLM inference may occur through one or more of the following paths:

Provider-managed LLM — the Provider uses approved LLM credentials and Sub-Processors (default provider Anthropic with Claude Sonnet 4.6; alternative OpenAI or Anthropic models among those explicitly supported and allowlisted, where enabled by plan). Relevant LLM Sub-Processors are listed in Annex 2.
Bring Your Own Key (BYOK) — the Controller configures its own credentials for OpenAI, Anthropic, or a compatible endpoint (including dedicated cloud deployments or private/on‑premise LLM infrastructure). In that case LLM inference is performed by the Controller's chosen provider, which is not included in Annex 2 for that inference path; Controller keys are stored encrypted (AES-256-GCM) and used only for configured calls.
External LLM clients via MCP Server — the Controller may connect external LLM clients (e.g. Claude, ChatGPT, Gemini, Copilot with MCP support) to the Provider's inbound MCP Server. LLM inference runs on the Controller's chosen environment; the Provider supplies MCP tools, authorization (OAuth 2.0 with PKCE), scopes, rate limiting, and audit of tool calls.

Commercial details (BeeCoin, model tiers, no BeeCoin charge for BYOK inference) are in the Terms of Service, Section 10.

5.2 Provider warranties

The Provider ensures that the systems above, to the extent inference is performed through the Provider's Sub-Processors or Provider-managed credentials:

comply with principles of transparency, fairness, and non-discrimination;
do not use the Controller's Personal Data to train general-purpose models without the Controller's explicit consent, in accordance with the relevant LLM vendors' terms;
operate in compliance with the EU AI Act and any equivalent UK legislation once in force.

5.3 Controller obligations (BYOK and MCP)

For BYOK and MCP paths with external LLM clients, the Controller is responsible for lawful processing toward its LLM provider or private environment, key and credential security, OAuth consent, and due diligence on adopted LLM vendors. The Provider remains responsible for platform orchestration, process runtime, and MCP controls it operates.

6. Audits and Inspections

The Controller may, with at least 10 business days' prior written notice, carry out (directly or via an independent auditor) audits to verify the Provider's compliance.

Such audits shall not occur more than once per year unless in case of documented incidents.

Audit costs shall be borne by the Controller.

7. Duration and Termination

This DPA remains in force for the duration of the Contract.

Upon termination:

the Provider shall delete or return all personal data within 30 days, unless retention is required by law;
deletion shall be confirmed in writing;
backups shall be securely destroyed within 90 days.

At the Controller's request, data shall be exported in an interoperable format (e.g., CSV, JSON).

8. Liability and Indemnification

Each Party shall be liable for damages arising from processing activities that violate their respective obligations under the GDPR, the UK GDPR, or this DPA.

The Provider shall indemnify and hold the Controller harmless from any claim resulting from a breach attributable to the Provider or its Sub-Processors.

9. Final Provisions

No Additional Compensation: Unless otherwise agreed, the Provider shall not receive additional remuneration for its role as Data Processor.

Governing Law and Jurisdiction:

For Controllers established in the EU, this DPA is governed by Italian law and the GDPR; disputes shall be submitted to the competent court of Rome, Italy.
For Controllers established in the United Kingdom, this DPA is governed by the laws of England and Wales and the UK GDPR; disputes shall be submitted to the exclusive jurisdiction of the courts of London, United Kingdom.

Amendments: Any amendment must be in writing.

Severability: The invalidity of one provision shall not affect the validity of the remaining clauses.

Annex 1 – Description of Processing

Categories of Data Subjects:

☒ Prospects
☒ Clients
☒ Former clients
☒ Agents
☒ Suppliers
☒ Platform/Site users

Categories of Data:

☒ Personal details (name, surname)
☒ Contact details (email, phone, address)
☒ Browsing data (IP, cookies, logs)
☒ Professional data (company, role)
☒ Social data (nickname, profile picture)

Special Categories of Data:

☒ None

Processing Operations:

☒ Collection
☒ Storage
☒ Extraction
☒ Consultation
☒ Use
☒ Communication
☒ Deletion
☒ Destruction

Purpose:

Execution of conversational SaaS services and automation of business processes provided by Flowvenue, including user management, conversations, workflows, omnichannel communications, and AI-assisted features (platform-managed LLM, BYOK, or MCP, according to Controller configuration).

Annex 2 – Authorized Sub-Processors

Where necessary to perform the Contract, the Provider uses the following Sub-Processors (indicative list, updatable with notice under Section 3.6):

Amazon Web Services (AWS) — cloud hosting, databases, and storage (EU region, Milan eu-south-1, unless otherwise agreed contractually).
Auth0 (Okta) — authentication and identity management (tenant in EU region).
Anthropic PBC — LLM inference with Provider-managed credentials (default provider).
OpenAI — LLM inference with Provider-managed credentials, where enabled (Enterprise arrangement where applicable).
Meta Platforms Ireland Ltd — WhatsApp Business and related messaging services, where enabled by the Controller.

Exclusions: for BYOK and MCP with external LLM clients, the LLM provider or inference environment chosen by the Controller (including private or on‑premise stacks) is not included in this list for LLM inference on that path. Additional Sub-Processors (e.g. transactional email, payment providers) may be disclosed on request or in Annex 2 updates.

Compliance documentation for platform-managed LLM vendors: Flowvenue Information Security section.

This Data Processing Agreement is compliant with the General Data Protection Regulation (GDPR) of the European Union, the UK GDPR, and Italian regulations on personal data protection.