Last updated: June 2026. Legal review pending. This template is provided for transparency and procurement review; a signed counterpart is available on request.
Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the agreement between Agentic Fluxus (the “Processor”) and the business customer (the “Controller”) that purchases Fluxus OS or team training, and governs the processing of personal data that the Processor carries out on the Controller’s behalf under Article 28 of the GDPR (Regulation (EU) 2016/679).
1. Roles of the parties
The Controller determines the purposes and means of processing the personal data of its team members and learners. The Processor processes that personal data only on the Controller’s documented instructions, including the instructions set out in this DPA and given through normal use of the platform. For data the Processor collects as a controller in its own right (for example, account and billing data of the purchasing admin), the Privacy Policy applies instead.
2. Subject matter, nature, and duration
The Processor processes personal data to deliver EU AI Act training and compliance tooling: enrolling learners, tracking course progress, issuing certificates, running readiness checks, and producing competency and policy records. Processing lasts for the duration of the agreement and the limited retention periods described below.
3. Categories of personal data and data subjects
- Data subjects: the Controller’s administrators, managers, staff, and learners.
- Data categories: name, work email, role or job title, course progress and completion, certificate records, survey and competency responses, and audit-tool inputs the Controller chooses to submit.
- The platform is not designed for, and the Controller must not submit, special-category data under Article 9.
4. Processing on documented instructions
The Processor processes personal data only on the Controller’s documented instructions, including for international transfers, unless required to do otherwise by EU or member-state law (in which case it informs the Controller first, where legally permitted). The Processor promptly informs the Controller if, in its opinion, an instruction infringes the GDPR.
5. Confidentiality
Personnel authorised to process the personal data are bound by confidentiality and are granted access on a need-to-know basis.
6. Security measures (Article 32)
The Processor implements appropriate technical and organisational measures, including: encryption in transit (TLS) and at rest; row-level security isolating each organisation’s data; least-privilege access and server-side service-role separation; signed and verified payment and email webhooks; audit logging of significant events; and EU-region data residency for the primary database.
7. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed below. The Processor imposes data-protection obligations on each sub-processor no less protective than this DPA and remains liable for their performance. The Processor gives notice of intended changes and the Controller may object on reasonable data-protection grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt, eu-central-1) |
| Vercel | Application hosting and delivery | EU region (fra1) with global edge |
| Stripe | Payment processing and billing | EU / US (SCCs in place) |
| Resend | Transactional and lifecycle email | EU / US (SCCs in place) |
| Anthropic | AI assistant and content features | US (SCCs in place) |
| PostHog | Product analytics (EU cluster, consent-gated) | EU |
8. Assistance to the Controller
Taking into account the nature of processing, the Processor assists the Controller with data-subject requests (access, rectification, erasure, portability, objection) through platform features and support, and with the Controller’s obligations under Articles 32 to 36 (security, breach notification, data-protection impact assessments).
9. Personal data breach
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and provides the information the Controller reasonably needs to meet its own notification obligations.
10. Deletion and return of data
On termination, the Processor deletes or returns the Controller’s personal data at the Controller’s choice, except where EU or member-state law requires retention. Certain certification and learning records may be retained in a minimised form as part of the compliance audit trail, as described in the Privacy Policy.
11. Audits and information
The Processor makes available the information necessary to demonstrate compliance with Article 28 and allows for and contributes to reasonable audits, including inspections, subject to confidentiality and reasonable notice.
12. International transfers
The primary database is hosted in the EU. Where a sub-processor processes data outside the EEA, transfers are covered by appropriate safeguards under Chapter V of the GDPR, including the European Commission’s Standard Contractual Clauses.
13. Governing law
This DPA is governed by the laws of the Netherlands and forms part of the main agreement between the parties. Where this DPA conflicts with the main agreement on data protection, this DPA prevails.
Request a signed copy
To execute a signed DPA, contact [email protected]. See also our Privacy Policy and Terms.