Data Processing Agreement (DPA)

Last Updated: April 28, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Flintlark Ltd. ("Processor"), headquartered at Dubai Silicon Oasis, Dubai, UAE. It outlines the Processor's obligations when processing personal data on behalf of the Controller, in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Scope and Duration

This DPA applies to all data processing activities performed by Flintlark Ltd. in connection with the Services. It remains in force for the duration of your use of the Services.

2. Roles and Responsibilities

The Controller determines the purposes and means of the processing of personal data. The Processor shall only process personal data on documented instructions from the Controller, unless required to do so by law.

3. Subprocessors

Flintlark Ltd. uses the following subprocessors to fulfill its service obligations. You will be notified if any new subprocessors are added or removed:

  • OpenAI, Anthropic, Google, Groq, Mistral – AI processing
  • Stripe – payment processing
  • Google Analytics – performance insights (anonymized)
  • Vercel – hosting and serverless functions
  • Supabase – database, storage, and authentication

Flintlark ensures that each subprocessor is contractually bound to data protection obligations consistent with this DPA.

7. International Transfers

Where data is transferred outside the EEA, Flintlark shall ensure such transfers are lawful under applicable privacy regulations using mechanisms like Standard Contractual Clauses. If you would like more information about these transfers and the safeguards in place, please contact us.

4. Security Measures

Flintlark implements appropriate technical and organizational security measures, including:

  • Encryption of data in transit
  • Access controls based on role and need
  • Authentication protocols and logging
  • ISO 27001 certification (if applicable)

5. Data Subject Rights

Flintlark shall, to the extent possible, assist the Controller in fulfilling its obligation to respond to data subject requests under GDPR, including rights of access, rectification, deletion, restriction, and portability.

6. Data Breach Notification

In the event of a data breach affecting personal data, Flintlark will notify the Controller without undue delay and provide all information necessary for compliance with applicable data protection laws.

7. International Transfers

Where data is transferred outside the EEA, Flintlark shall ensure such transfers are lawful under applicable privacy regulations using mechanisms like Standard Contractual Clauses.

8. Return or Deletion of Data

Upon termination of the Services, Flintlark will delete or return all personal data within 60 days unless legally required to retain it.

9. Audits

Upon request, Flintlark will make available documentation necessary to demonstrate compliance and, once per year, permit audits by the Controller or its authorized auditor during normal business hours.

10. Liability

Liability under this DPA is subject to the limitation of liability provisions outlined in the Terms of Service.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of the UAE. Disputes are subject to the jurisdiction of the courts in Dubai.

12. Contact

Email: team@flintlark.com
Address: Flintlark Ltd., Dubai Silicon Oasis, Dubai, UAE