Effective Date – 15.11.2025
1 Definitions
This Data Processing Agreement ("DPA") forms an integral part of the service provided to the customer.
Unless otherwise defined in this DPA, all capitalised terms have the meaning set out in Regulation (EU) 2016/679 ("GDPR"). In particular:
"Personal Data", "Processing", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given in GDPR Article 4.
"Services" means the FlashIQ meeting assistant SaaS product delivered by Processor under the Agreement.
"Sub‑processor" means any third party engaged by Processor to Process Personal Data on behalf of Controller.
“Processor” means the legal processing entity, Sinni Solutions Oy (3441131-8), hereinafter referred to as “FlashIQ”, the brand and product name providing the service.
“Customer” is the FlashIQ customer who utilizes the FlashIQ Services.
“User” is the person from the Customer organization who uses the FlashIQ solution in his or her work.
“Admin” is the person from the Customer organization who might be the User or a separate Admin who can configure knowledge base data that the solution uses to provide accurate answers for Customer questions.
2 Relationship of the Parties
- 2.1 The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, FlashIQ is a processor.
- Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause FlashIQ to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to FlashIQ by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to FlashIQ regarding the processing of such Personal Data.
- 2.2 FlashIQ shall not process Personal Data for purposes other than to provide the service for the Customer.
- 2.3 The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Section 3 of this document.
- 2.4 Processing commences on the effective date of the Start of the Service and continues for its term until the end of service and until all Personal Data is deleted or returned. Following completion of the Services, FlashIQ shall delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If destruction is impracticable or prohibited by law, rule or regulation, FlashIQ shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
- 2.5 European Privacy Laws. The Parties acknowledge and agree that the processing of personal information or personal data is subject to the EU privacy laws.
3 Nature & Purpose of Processing
Processing is carried out solely for the provision of the FlashIQ service, which:
- Captures live meeting captions from the desktop audio.
- Generates AI‑based help and responses based on the live captions data (FlashIQ’s customers’ customer questions).
- Creates AI-generated research from publicly available facts about the meeting participants and companies they work for.
- Stores transcripts (if opted-in), meeting summaries, list of participants, and other related artifacts from the meetings.
- Provides user administration tools to the Controller.
| Activity | Nature of Operation | Purpose |
| --- | --- | --- |
| User registration | Collection & storage of name, business e‑mail, role, and authentication tokens for the calendar. | To create and manage user accounts for access to the FlashIQ portal and service. |
| Calendar access | Authorizes FlashIQ to read the user’s calendar for tracking upcoming meetings. | To provide FlashIQ information about the meetings and their participants to create meeting preparation materials. |
| Meeting capture | Recording of desktop audio during the meeting. | To generate AI responses, transcripts and summaries for the Customer/User. |
| Content upload | Storage of customer‑supplied documents | To surface them during meetings and enrich transcripts. |
| System logging | Collection of IP address, user agent, timestamps | To maintain an audit trail, security, reliability, and provide support. |
4 Categories of Personal Data
- Account signup data (user/admin) – name, corporate e‑mail address, role/department.
- Meeting participation data – names and e‑mail addresses of meeting attendees.
- Uploaded content – use case descriptions, product material, case studies, technical documentation, customer references which may contain personal identifiers (names, e‑mail addresses, contact details).
- Generated content – Transcripts, AI‑generated research materials and meeting summaries, and action items.
- System logs & monitoring data – IP address, device/user‑agent string, authentication timestamps.
The processor does not intentionally collect or require special‑category data (GDPR Art 9).
5 Categories of Data Subjects
- Employees and contractors of Controller who use the Services.
- Third‑party meeting participants (prospects, customers, partners) invited by the Controller to the meeting.
6 Processor Obligations
- Scope of Processing and documented instructions. The Processor shall not Process Personal Data for any purpose other than those expressly set forth in this DPA.
- Limitation of Access. The Processor shall ensure that access to Personal Data is strictly limited to those personnel who require such access to perform the Services.
- Confidentiality. The Processor shall impose appropriate obligations upon its personnel engaged in the Processing of Personal Data, including obligations regarding confidentiality, data protection, and data security. The Processor shall ensure that such personnel are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements that survive the termination of their employment or engagement.
- Security of Processing. The Processor shall implement and maintain the technical and organisational measures described in FlashIQ Security Description (available upon request) to ensure a level of security appropriate to the risk and shall take steps to ensure that any natural person acting under its authority who has access to Personal Data does not Process them except on instructions from the Controller.
- Assistance to Controller. Taking into account the nature of Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data‑Subject rights, and to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR.
- Personal Data Breach Notification. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach, providing sufficient information to enable the Controller to meet any obligations to report or inform Data Subjects or Supervisory Authorities.
- Processing for Legitimate Purposes. Notwithstanding the foregoing, the Processor may Process Personal Data for legitimate business purposes, including archiving, back‑up and disaster recovery, cyber‑security, operation, control, improvement and development of the Services, fraud and service‑misuse prevention, and the establishment, exercise or defence of legal claims.
- Records and Audit Support. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, in accordance with Section 9 of this DPA.
7 Controller Obligations
The Controller shall, in its use of the Services, at all times process Personal Data—and provide instructions for the processing of Personal Data—in compliance with applicable Data‑Protection Laws. The Controller shall ensure that the processing of Personal Data in accordance with its instructions will not cause the Processor to be in breach of such laws intentionally or
The Controller is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to the Processor by or on behalf of the Controller, (ii) the means by which the Controller acquired that Personal Data, and (iii) the instructions it provides to the Processor regarding the processing of that Personal Data. The Controller is likewise responsible for the legal rights to collect that data in the customer calls, which the Processor will use to provide the Service.
The Controller shall not provide or make available to the Processor any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify and hold the Processor harmless from all claims and losses arising in connection therewith.
8 Authorized Subprocessors
The Controller grants the Processor a general authorisation to engage the Sub-processors listed below:
AssemblyAI - Transcription - Cloud provider for transcription.
Google Cloud - Cloud provider - Main cloud infrastructure: databases, authentication, APIs, logging
Google Vertex AI - AI API - AI features such as research & note generation.
Groq, Inc - AI API - AI features such as research & note generation.
MongoDB Atlas - Database provider
OpenAI - AI API - AI features such as research & note generation.
Pinecone - Database Provider
Sentry - Cloud monitoring
Stripe, Inc. - Payment processor
WorkOS - Authentication (SSO)
At least fifteen (15) days before enabling any third party other than existing authorised Sub-processors to access or participate in the processing of Personal Data, FlashIQ will add such third party to the list and notify the Controller (e.g. via email or other notification channel).
The Controller may object in writing to such an engagement within ten (10) days of receiving the notice, provided the objection is based on reasonable data-protection grounds. FlashIQ and the Controller will work together in good faith to resolve any reasonable concerns.
The Controller acknowledges that certain Sub-processors are essential to providing the Services, and that objecting to the use of an essential Sub-processor may prevent FlashIQ from offering the Services to the Controller.
9 Audit & Cooperation
- Data‑protection impact assessments. Taking into account the nature of the Processing and the information available to it, the Processor shall provide the Controller with reasonable cooperation and assistance, upon request, to enable the Controller to conduct data‑protection impact assessments or otherwise demonstrate compliance with its obligations under Data‑Protection Laws, where the relevant information is not otherwise accessible to the Controller. The Controller shall be responsible, to the extent legally permitted, for any costs and expenses arising from such assistance.
- Consultation with Supervisory Authorities. Likewise, the Processor shall provide the Controller with reasonable cooperation and assistance, upon request, with respect to the Controller’s cooperation or prior consultation with any Supervisory Authority or other regulatory agency, where required by Data‑Protection Laws. The Controller shall be responsible, to the extent legally permitted, for any costs and expenses arising from such assistance.
- Records and audit support. The Processor shall maintain records of Processing activities under its responsibility and make them available to the Controller on request. Where such documentation is insufficient to demonstrate compliance with this DPA, the Controller may, at its own cost, conduct (or mandate a reputable independent auditor to conduct) an on‑site or remote audit of the Processor’s facilities and technical environment relevant to the Processing of Personal Data. Any audit shall:
  - be subject to thirty (30) days’ prior written notice;
  - occur no more than once per twelve (12)‑month period unless triggered by a confirmed Personal Data Breach or a request from a Supervisory Authority;
  - take place during normal business hours and not unreasonably disrupt the Processor’s business operations; and
  - be limited in scope to data‑processing facilities and documentation reasonably necessary to verify compliance with this DPA.
- Confidentiality. All information and reports generated in connection with an audit constitute Confidential Information and may be used solely for the purpose of meeting the Controller’s audit requirements under Data‑Protection Laws.
10 Return / Deletion of Data
- Deletion on termination. Within thirty (30) days after the termination or expiry of the Agreement—or earlier at the written request of the Controller—the Processor shall delete all Personal Data in active production systems.
- Back‑ups. Encrypted back‑ups maintained for business‑continuity purposes will be overwritten in the ordinary course of the Processor’s backup cycle and shall be fully deleted within ninety (90) days. During this period, the Processor shall ensure continued confidentiality and shall not restore or otherwise Process the data, except as required for disaster recovery.
11 Contact Points
For any data protection-related topics or requests, please contact dataprotection@flashiq.ai