This Data Processing Agreement (“DPA”) is entered into by and between:
- Customer: The legal entity signing the Services Agreement with Flowmeets (the “Data Controller” or “Controller”)
- Processor: Wingr AB, Org.nr: 5591888960, Sundbybergs Torg 1, 17237 Sundbyberg, Sweden (“Flowmeets”, the “Data Processor” or “Processor”)
Each a “Party” and together the “Parties”.
This DPA forms part of the Services Agreement between the Parties and governs Flowmeets’ processing of personal data on behalf of the Customer under applicable data protection laws, including Regulation (EU) 2016/679 (the “GDPR”).
1. Definitions
Terms used in this DPA have the meanings given in the GDPR, including but not limited to personal data, data subject, processing, controller, and processor.
2. Purpose and Scope
Flowmeets will process personal data on behalf of the Customer solely to deliver the services described in the Services Agreement (the “Services”) and in accordance with the Customer’s documented instructions, this DPA, and applicable law.
3. Roles and Responsibilities
- The Customer acts as Data Controller for all personal data processed in connection with the Services.
- Flowmeets acts as Data Processor and shall process personal data only on documented instructions from the Customer.
- The Customer is responsible for ensuring it has a valid legal basis for all processing and for providing all required notices to data subjects.
- Consent for recordings and transcriptions: Where audio/video recording or transcription features are enabled, the Customer is solely responsible for obtaining all necessary participant consents.
4. Processor Obligations
Flowmeets shall:
a) Process personal data only in accordance with documented instructions from the Customer;
b) Ensure that persons authorized to process the personal data are bound by confidentiality;
c) Implement appropriate technical and organizational security measures as described in Appendix 2;
d) Assist the Customer, insofar as possible, in fulfilling its obligations to respond to data subject rights requests;
e) Assist the Customer with data protection impact assessments and prior consultations with supervisory authorities where required;
f) Notify the Customer without undue delay of any request from a data subject, supervisory authority, or law enforcement authority relating to personal data processed under this DPA, unless prohibited by law;
g) Maintain records of processing activities in accordance with GDPR Art. 30(2).
5. Subprocessors
- Flowmeets may engage subprocessors to provide the Services.
- The current list of subprocessors is available to the Customer upon request under a non-disclosure agreement (NDA).
- Flowmeets will notify the Customer at least 30 days in advance of adding or replacing a subprocessor, giving the Customer the opportunity to object on reasonable data protection grounds.
- Flowmeets will ensure all subprocessors are bound by written agreements imposing obligations substantially similar to those in this DPA.
- Flowmeets remains fully liable for its subprocessors’ acts and omissions.
6. International Data Transfers
Flowmeets stores and processes all personal data within the EU/EEA.
No transfer to a third country will occur without:
- The Customer’s prior written consent, and
- Compliance with GDPR Chapter V (e.g., Standard Contractual Clauses or an adequacy decision).
7. Security Measures
Flowmeets will implement and maintain technical and organizational measures to protect personal data, taking into account the nature of processing and associated risks. A summary of such measures is provided in Appendix 2.
8. Personal Data Breaches
- Flowmeets will notify the Customer without undue delay and no later than 24 hours after becoming aware of a personal data breach.
- The notification will include all information reasonably available to enable the Customer to comply with its notification obligations under GDPR Articles 33 and 34.
- Flowmeets will take all reasonable steps to mitigate the effects of the breach and prevent recurrence.
9. Assistance with Data Subject Rights
Taking into account the nature of the processing, Flowmeets shall assist the Customer, insofar as possible, in fulfilling its obligation to respond to data subject requests under GDPR Chapter III.
10. Audits
- The Customer may audit Flowmeets’ compliance with this DPA up to once per year, with at least 30 days’ prior written notice, during regular business hours, and without disrupting business operations.
- Audits may be performed by the Customer or a mutually agreed independent auditor bound by confidentiality.
- Flowmeets may satisfy audit requests by providing third-party certifications or audit reports (e.g., ISO 27001, SOC 2) where available.
11. Return and Deletion of Data
Upon termination or expiry of the Services Agreement:
- Flowmeets will make all personal data available for secure download for a period of at least 30 days.
- After this period, Flowmeets will delete personal data from its systems, unless retention is required by law.
- Retention periods: Booking and transcription data are retained as long as the Customer account is active; recordings are retained for up to 3 years unless deleted earlier by the Customer.
12. Liability
Each Party’s liability under this DPA is subject to the limitations of liability in the Services Agreement, except where prohibited by law or in cases of willful misconduct or gross negligence.
13. Term and Termination
This DPA remains in force for as long as Flowmeets processes personal data on behalf of the Customer.
14. Governing Law and Disputes
This DPA is governed by Swedish law. Any dispute shall be resolved in accordance with the dispute resolution clause of the Services Agreement.
Appendix 1 – Personal Data and Processing
Subject matter: Provision of the Flowmeets meeting scheduling, transcription, coaching, and automation services.
Nature and purpose: Storing, organizing, transmitting, and processing meeting-related personal data to provide the Services.
Categories of data subjects: Customer employees, meeting participants, and other individuals invited to meetings.
Categories of personal data:
- Account & contact details (name, email, company)
- Booking details (meeting times, titles, participants, agendas)
- Recordings and transcriptions (with consent)
- Technical metadata (IP addresses, device/browser information)
Duration: For the term of the Services Agreement and applicable retention periods.
Appendix 2 – Security Measures
Flowmeets implements, among others:
- Access control: Role-based access, MFA, least privilege.
- Encryption: TLS 1.2+ in transit, AES-256 at rest.
- Data backup: Daily backups stored in EU/EEA with tested recovery.
- Monitoring & logging: Continuous monitoring for suspicious activity.
- Incident response: Documented plan with defined response times.
- Staff training: Regular security and privacy awareness training.
Appendix 3 – Subprocessors
The list of subprocessors engaged by Flowmeets is available upon request under a non-disclosure agreement (NDA).
