Data Processing Agreement
Effective date: 21 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between you ("Controller" or "Customer") and DigitX B.V., a company registered in the Netherlands (Chamber of Commerce 82240264, Jonkerbosplein 52, 6534 AB Nijmegen), trading under the brand name Floynk ("Processor", "DigitX", or "Floynk"), regarding the processing of personal data in connection with Floynk's marketplace management services.
1. Definitions
For the purposes of this DPA:
- "Applicable Data Protection Law" means all applicable laws and regulations relating to data protection and privacy, including the GDPR and the Dutch UAVG, and other relevant national legislation
- "Data Subject" means an identified or identifiable natural person whose personal data is processed
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data
- "Supervisory Authority" means an independent public authority established by an EU Member State (for DigitX: the Dutch Autoriteit Persoonsgegevens)
2. Scope and Applicability
2.1 Scope of Processing
This DPA applies to the processing of personal data by DigitX on behalf of the Customer in connection with the provision of the Floynk marketplace management services.
2.2 Role of the Parties
- Customer acts as the Data Controller
- DigitX (Floynk) acts as the Data Processor
- This DPA governs DigitX's processing activities as a processor
2.3 Precedence
This DPA supplements and forms part of the Terms and Conditions. In case of conflict regarding data processing matters, this DPA takes precedence.
3. Processing Details
3.1 Categories of Personal Data
The personal data processed may include:
- Customer contact information (names, email addresses, phone numbers)
- Business representative information
- End customer data from marketplace transactions (order addresses, order identifiers)
- Order and transaction data
- User account and authentication data
- Technical data (IP addresses, device information)
3.2 Categories of Data Subjects
- Customer employees and authorised users
- End customers of the Customer's business
- Website visitors and prospects
3.3 Purpose of Processing
Personal data is processed for the following purposes:
- Providing the Floynk marketplace management services
- User authentication and account management
- Customer support and communication
- Service analytics and improvement
- Compliance with legal obligations
3.4 Duration of Processing
Personal data will be processed for the duration of the service agreement and retained according to our data retention policy as specified in our Privacy Policy.
4. Customer Obligations as Controller
4.1 Lawfulness of Processing
Customer warrants that:
- It has a lawful basis for processing personal data
- It has obtained necessary consents from data subjects
- It complies with all applicable data protection laws
- It provides appropriate privacy notices to data subjects
4.2 Instructions to Processor
- Customer provides clear, lawful instructions for processing
- Processing is limited to what is necessary for service provision
- Customer ensures instructions comply with applicable law
4.3 Data Subject Rights
Customer is responsible for:
- Responding to data subject requests
- Providing necessary information for DigitX to assist with requests
- Ensuring accuracy of personal data provided to DigitX
5. DigitX's Obligations as Processor
5.1 Processing Instructions
DigitX will:
- Process personal data only on documented instructions from Customer
- Ensure processing is limited to the purposes specified in this DPA
- Not process personal data for its own purposes
5.2 Personnel
DigitX ensures that:
- Personnel processing personal data are bound by confidentiality
- Personnel receive appropriate data protection guidance
- Access to personal data is limited to authorised personnel
5.3 Technical and Organisational Measures
DigitX implements appropriate technical and organisational measures to:
- Ensure security of personal data
- Protect against unauthorised or unlawful processing
- Protect against accidental loss, destruction, or damage
See our Security Measures page for a current description of these measures.
6. Security Measures
6.1 Security Standards
DigitX maintains security measures including:
- Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
- Application-layer encryption of sensitive fields such as API keys and marketplace credentials
- Access controls and multi-factor authentication on all operator accounts
- Regular vulnerability scanning (OpenVAS) and intrusion detection (CrowdSec)
- Network-level firewalls
- Layered backup strategy (Supabase point-in-time recovery, Hetzner snapshots, weekly offline pg_dump stored in Hetzner Object Storage)
A full description is available in our Security Measures page.
6.2 Security Incidents
In case of a personal data breach, DigitX will:
- Notify Customer without undue delay, and in any event within 72 hours of becoming aware
- Provide available information about the breach
- Assist Customer in meeting notification obligations under Article 33 GDPR
- Take measures to contain and mitigate the breach
7. Sub-Processors
7.1 Authorised Sub-Processors
DigitX engages sub-processors to assist in providing the services. The current list of sub-processors is published at /sub-processors and forms part of this DPA.
7.2 Sub-Processor Requirements
All sub-processors are:
- Bound by a written Data Processing Agreement
- Required to provide adequate guarantees for data protection
- Subject to data-protection obligations equivalent to this DPA
7.3 Changes to Sub-Processors
- DigitX announces new sub-processors on the sub-processors page at least 30 days before the effective date
- Customers who wish to receive direct email notifications may subscribe via legal@floynk.com
- Customer may object to a new sub-processor on reasonable data-protection grounds
- If the parties cannot agree on a resolution, Customer may terminate the affected services without penalty
8. Data Transfers
8.1 International Transfers
Personal data is primarily stored and processed within the European Economic Area (Germany — Hetzner compute in Falkenstein/Nuremberg; Supabase managed PostgreSQL in AWS Frankfurt). Where a sub-processor is based outside the EEA, DigitX ensures that transfers are governed by Standard Contractual Clauses (2021/914) and accompanied by a Transfer Impact Assessment.
8.2 Transfer Mechanisms
DigitX may rely on:
- European Commission adequacy decisions
- Standard Contractual Clauses
- Binding Corporate Rules (where applicable)
- Other transfer mechanisms approved under Applicable Data Protection Law
9. Data Subject Rights
9.1 Assistance with Rights Requests
DigitX will assist Customer in responding to data subject requests for:
- Access to personal data
- Rectification of inaccurate data
- Erasure of personal data
- Restriction of processing
- Data portability
- Objection to processing
9.2 Technical and Organisational Assistance
DigitX provides reasonable assistance through:
- Technical measures to facilitate rights fulfilment
- Provision of relevant personal data
- Implementation of requested changes where technically feasible
10. Data Protection Impact Assessments
DigitX will assist Customer in conducting Data Protection Impact Assessments when:
- Required by Applicable Data Protection Law
- Processing activities pose a high risk to data subjects
- Requested by Customer for legitimate reasons
11. Audits and Compliance
11.1 Audit Rights
Customer may audit DigitX's compliance with this DPA through:
- Review of compliance documentation and the Security Measures page
- Third-party audit reports of DigitX's sub-processors (for example, Supabase's SOC 2 Type II)
- On-site inspections upon reasonable prior written notice, limited in frequency to what is necessary, and subject to confidentiality obligations
11.2 Compliance Documentation
DigitX maintains documentation demonstrating:
- Implementation of technical and organisational measures
- Incident response procedures
- Sub-processor management
12. Data Retention and Deletion
12.1 Retention Period
Personal data is retained:
- For the duration of the service agreement
- As specified in our data retention policy
- As required by Applicable Data Protection Law
12.2 Data Return and Deletion
Upon termination of services, DigitX will:
- Return personal data to Customer (if requested, in a commonly used electronic format)
- Delete personal data from its systems, subject to backup rotation schedules
- Provide confirmation of deletion on request
- Retain data only where required by law
13. Cooperation with Supervisory Authorities
DigitX will:
- Cooperate with supervisory authority investigations
- Provide requested information and assistance
- Notify Customer of any supervisory authority contact relating to Customer's data
- Assist Customer in responding to supervisory authority requests
14. Liability and Indemnification
14.1 Data Protection Liability
Each party is liable for compliance with its respective data protection obligations under Applicable Data Protection Law.
14.2 Indemnification
Customer indemnifies DigitX against claims arising from:
- Customer's breach of Applicable Data Protection Law
- Customer's unlawful processing instructions
- Customer's failure to obtain necessary consents
15. Term and Termination
15.1 Term
This DPA remains in effect for the duration of the service agreement.
15.2 Survival
Data protection obligations survive termination for as long as personal data is processed or retained.
16. Amendments
This DPA may be amended:
- By mutual written agreement of the parties
- To comply with changes in Applicable Data Protection Law
- To reflect changes in processing activities
17. Contact Information
For data protection matters, contact:
DigitX B.V. (trading as Floynk)
Jonkerbosplein 52, 6534 AB Nijmegen, the Netherlands
KvK 82240264
- General privacy enquiries: privacy@floynk.com
- Legal and DPA enquiries: legal@floynk.com
Last updated: 21 April 2026.