Data Processing Agreement

Last updated: 23.04.2025

1 Definitions

1.1. Unless otherwise defined in this DPA, all capitalised terms have the meaning set out in Regulation (EU) 2016/679 ("GDPR"). In particular:
1.2. This Data Processing Agreement ("DPA") forms an integral part of the service provided to the customer.
1.3. "Personal Data", "Processing", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given in GDPR Article 4.
1.4. "Services" means the FlashIQ real‑time meeting assistant SaaS product delivered by Processor under the Agreement.
1.5. "Sub‑processor" means any third party engaged by Processor to Process Personal Data on behalf of Controller.
1.6. “Processor”, the legal processing entity is Sinni Solutions Oy (3441131-8), hereinafter referred to as “FlashIQ” the brand and product name providing the service.
1.7. “Customer” is the FlashIQ customer who utilizes the solution to get accurate answers to questions asked during live sales calls.
1.8. “User”, is the one who uses FlashIQ solution in his or her work from Customer organization.
1.9. “Admin” is the person from the Customer organization who might be the User or separate Admin who can configure knowledge base data what the solution uses to provide accurate answers for Customer questions.

2 Relationship of the Parties

2.1 The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, FlashIQ is a processor. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause FlashIQ to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to FlashIQ by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to FlashIQ regarding the processing of such Personal Data.
2.2 FlashIQ shall not process Personal Data for purposes other than to provide the service for the Customer.
2.3 The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in the 3. Section of this document.
2.4 Processing commences on the effective date of the Start of the Service and continues for its term until the end of service and until all Personal Data is deleted or returned. Following completion of the Services, FlashIQ shall delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If destruction is impracticable or prohibited by law, rule or regulation, FlashIQ shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
2.5 European Privacy Laws. The Parties acknowledge and agree that the processing of personal information or personal data is subject to the EU privacy laws.

3 Nature & Purpose of Processing

3.1. Processing is carried out solely for the provision of the FlashIQ service, which:
3.1.1. Captures live meeting captions from the Google Meet or Microsoft Teams UI using Chrome Extension.
3.1.2. Generates AI‑based help and responses based on the live captions data (customer questions).
3.1.3. The solution stores transcripts, meeting summaries, list of participants, and related artefacts of the meeting calls.
3.1.4. Provides user administration tools to the Controller.

Activity

Nature of Operation

Purpose

User registration

Collection & storage of name, business e‑mail, role

To create and manage user accounts for access to FlashIQ portal and service.

Meeting capture

Recording of meeting captions, AI transformation**

To generate AI responses, transcripts and summaries for the Customer/User.

Content upload

Storage of customer‑supplied documents

To surface them during meetings and enrich transcripts.

System logging

Collection of IP address, user agent, timestamps

To maintain audit trail, security, reliability and provide support.

**We only access meeting data that is available through the meeting application user interface. We don’t record or store any sound or video. You can learn more about the data which the underlying meeting applications collect from the following links:
Google Meet: https://support.google.com/meet/answer/10382037?hl=en
Microsoft Teams: https://www.microsoft.com/en-us/privacy/data-collection-teams

4 Categories of Personal Data

4.1. Account signup data (user/admin)– name, corporate e‑mail address, role/department.
4.2. Meeting participation data – names and e‑mail addresses of meeting attendees.
4.3. Uploaded content – documents, product material, case studies, technical documentation, customer references which may contain personal identifiers (names, e‑mail addresses, contact details
4.4. Generated content – live captions, transcripts, AI‑generated summaries and action items.
4.5. System logs & monitoring data – IP address, device/user‑agent string, authentication timestamps.

Processor does not intentionally collect or require special‑category data (GDPR Art 9).

5 Categories of Data Subjects

5.1. Employees and contractors of Controller who use the Services.
5.2. Third‑party meeting participants (prospects, customers, partners) invited by Controller to the meeting.

6 Processor Obligations

6.1. Scope of Processing and documented instructions. The Processor shall not Process Personal Data for any purpose other than those expressly set forth in this DPA.
6.2. Limitation of Access. The Processor shall ensure that access to Personal Data is strictly limited to those personnel who require such access to perform the Services.
6.3. Confidentiality. The Processor shall impose appropriate obligations upon its personnel engaged in the Processing of Personal Data, including obligations regarding confidentiality, data protection and data security. The Processor shall ensure that such personnel are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements that survive the termination of their employment or engagement.
6.4. Security of Processing. The Processor shall implement and maintain the technical and organisational measures described in FlashIQ Security Description (available upon request) to ensure a level of security appropriate to the risk and shall take steps to ensure that any natural person acting under its authority who has access to Personal Data does not Process them except on instructions from the Controller.
6.5. Assistance to Controller. Taking into account the nature of Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data‑Subject rights, and to ensure compliance with the obligations pursuant to Articles 32 to 36 GDPR.
6.6. Personal Data Breach Notification. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach, providing sufficient information to enable the Controller to meet any obligations to report or inform Data Subjects or Supervisory Authorities.
6.7. Processing for Legitimate Purposes. Notwithstanding the foregoing, the Processor may Process Personal Data for legitimate business purposes, including archiving, back‑up and disaster recovery, cyber‑security, operation, control, improvement and development of the Services, fraud and service‑misuse prevention, and the establishment, exercise or defence of legal claims.
6.8. Records and Audit Support. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, in accordance with Section 9 of this DPA.

7 Controller Obligations

7.1. The Controller shall, in its use of the Services, at all times process Personal Data—and provide instructions for the processing of Personal Data—in compliance with applicable Data‑Protection Laws. The Controller shall ensure that the processing of Personal Data in accordance with its instructions will not cause the Processor to be in breach of such laws intentionally.
7.2. The Controller is solely responsible for the accuracy, quality and legality of (i) the Personal Data provided to the Processor by or on behalf of the Controller, (ii) the means by which the Controller acquired that Personal Data, and (iii) the instructions it provides to the Processor regarding the processing of that Personal Data. And legal rights, to collect that data in the customer calls what Processor will use to provide the Service.
7.3. The Controller shall not provide or make available to the Processor any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify and hold the Processor harmless from all claims and losses arising in connection therewith.

8 Sub‑processors & International Transfers

8.1. Authorised Sub‑processors. The Controller grants the Processor a general authorisation to engage the Sub‑processors listed below. The Processor shall maintain an up‑to‑date list of Sub‑processors and will notify the Controller at least fifteen (15) days in advance of any intended addition or replacement in the FlashIQ website: https://flashiq.ai/legal/data-processing-agreement

Sub‑processor

Service Provided

Location of Processing

Google Cloud Platform
(Google Ireland Ltd.)

Cloud infrastructure (compute, storage, networking)

European Economic Area (EEA)

Google Vertex AI
(Google Ireland Ltd.)

Large‑language‑model inference

EEA

Google OAuth2
(Google Ireland Ltd.)

User authentication & identity federation

EEA or United States

8.2. Safeguards for new Sub‑processors. The Processor shall impose on each Sub‑processor the same data‑protection obligations as are set out in this DPA and shall remain fully liable to the Controller for the Sub‑processor’s performance. Objections to a new Sub‑processor must be raised in writing within ten (10) days of notice.

9 Audit & Cooperation

9.1. Data‑protection impact assessments. Taking into account the nature of the Processing and the information available to it, the Processor shall provide the Controller with reasonable cooperation and assistance, upon request, to enable the Controller to conduct data‑protection impact assessments or otherwise demonstrate compliance with its obligations under Data‑Protection Laws, where the relevant information is not otherwise accessible to the Controller. The Controller shall be responsible, to the extent legally permitted, for any costs and expenses arising from such assistance.
9.2. Consultation with Supervisory Authorities. Likewise, the Processor shall provide the Controller with reasonable cooperation and assistance, upon request, with respect to the Controller’s cooperation or prior consultation with any Supervisory Authority or other regulatory agency, where required by Data‑Protection Laws. The Controller shall be responsible, to the extent legally permitted, for any costs and expenses arising from such assistance.
9.3. Records and audit support. The Processor shall maintain records of Processing activities under its responsibility and make them available to the Controller on request. Where such documentation is insufficient to demonstrate compliance with this DPA, the Controller may, at its own cost, conduct (or mandate a reputable independent auditor to conduct) an on‑site or remote audit of the Processor’s facilities and technical environment relevant to the Processing of Personal Data. Any audit shall:
- be subject to thirty (30) days’ prior written notice;
- occur no more than once per twelve (12)‑month period unless triggered by a confirmed Personal Data Breach or a request from a Supervisory Authority;
- take place during normal business hours and not unreasonably disrupt the Processor’s business operations; and
- be limited in scope to data‑processing facilities and documentation reasonably necessary to verify compliance with this DPA.
9.4. Confidentiality. All information and reports generated in connection with an audit constitute Confidential Information and may be used solely for the purpose of meeting the Controller’s audit requirements under Data‑Protection Laws.

10 Return / Deletion of Data

10.1. Deletion on termination. Within thirty (30) days after the termination or expiry of the Agreement—or earlier at the written request of the Controller—the Processor shall delete all Personal Data in active production systems.
10.2. Back‑ups. Encrypted back‑ups maintained for business‑continuity purposes will be overwritten in the ordinary course of the Processor’s backup cycle and shall be fully deleted within ninety (90) days. During this period the Processor shall ensure continued confidentiality and shall not restore or otherwise Process the data, except as required for disaster‑recovery.

11 Contact Points

Any data protection related topics or request, please be in contact to dataprotection@flashiq.ai