Data Processing Addendum

Last updated: July 12, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service(the "Terms") between you ("Customer") and Phloz and applies to the extent Phloz processes Customer Personal Data on Customer's behalf in providing the Service. It reflects the parties' agreement on the processing of personal data in line with the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data-protection laws (together, "Data Protection Laws").

How this DPA takes effect.This DPA is incorporated into the Terms. By accepting the Terms or using the Service where Data Protection Laws apply to Customer's use, Customer agrees to this DPA on behalf of itself and, to the extent required, the controllers it represents. If you require a copy countersigned by Phloz for your records, email legal@phloz.com with your legal entity name and address. In the event of a conflict between this DPA and the rest of the Terms with respect to the processing of personal data, this DPA controls.

1. Definitions

Capitalised terms not defined here have the meaning given in the Terms. "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data contained in Customer Data that Phloz processes as a Processor on Customer's behalf. "Subprocessor" means a third party engaged by Phloz to process Customer Personal Data. "SCCs" means the Standard Contractual Clauses approved by the European Commission (Decision 2021/914).

2. Roles and scope of processing

As between the parties, Customer is the Controller (or a Processor acting on behalf of its own controllers) of Customer Personal Data, and Phloz is the Processor (or Subprocessor). For Personal Data about Phloz's own visitors and account holders, Phloz is an independent Controller as described in the Privacy Policy; that data is outside the scope of this DPA.

The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1.

3. Processing on documented instructions

Phloz will process Customer Personal Data only on Customer's documented instructions, including those set out in the Terms, this DPA, and Customer's configuration and use of the Service, unless required to do otherwise by applicable law (in which case Phloz will, where legally permitted, inform Customer first). If Phloz believes an instruction infringes Data Protection Laws, it will inform Customer. Customer is responsible for the accuracy and legality of Customer Personal Data and for having a lawful basis to provide it to Phloz.

4. Confidentiality

Phloz ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and access it only on a need-to-know basis under least-privilege controls.

5. Security

Phloz implements and maintains appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access, taking into account the state of the art and the risks of the processing. A current description of those measures is in Annex 2. Phloz may update its measures over time provided the level of protection is not materially reduced.

6. Subprocessors

Customer grants Phloz general authorisation to engage Subprocessors to process Customer Personal Data. Phloz maintains a current list of Subprocessors, with their purpose and location, at phloz.com/legal/subprocessors. Before a new Subprocessor begins processing Customer Personal Data, Phloz will update that list and, where practical, notify workspace owners by email at least 30 days in advance. Customer may object on reasonable data-protection grounds within that period by emailing privacy@phloz.com; the parties will work in good faith to resolve the concern, and if they cannot, Customer may terminate the affected part of the Service. Phloz imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA and remains responsible for its Subprocessors' performance.

7. International transfers

Customer Personal Data is processed primarily in the United States (see Subprocessors). Where Phloz processes Customer Personal Data subject to the EU or UK GDPR or Swiss law and transfers it to a country without an adequacy decision, the SCCs apply and are incorporated into this DPA by reference:

  • Module Two (Controller to Processor) applies where Customer is a Controller; Module Three (Processor to Processor) applies where Customer is itself a Processor;
  • for UK transfers, the UK International Data Transfer Addendum to the SCCs applies; for Swiss transfers, the SCCs apply with the adjustments required by Swiss law;
  • the clause options are selected consistent with this DPA (docked audits per Section 8, the general subprocessor authorisation in Section 6, and the governing law and forum stated in the Terms to the extent permitted).

8. Audits and assistance

Phloz makes available information reasonably necessary to demonstrate compliance with this DPA — including relevant security documentation and, once available, third-party audit reports (a SOC 2 examination is on our roadmap). Where a Data Protection Law grants an audit right, Customer may exercise it no more than once per year (unless a regulator or a Personal Data Breach requires otherwise) by submitting a reasonable written questionnaire; on-site audits are limited to what the law requires and are subject to confidentiality and Phloz's security policies. Taking into account the nature of the processing, Phloz will also provide reasonable assistance to Customer with data protection impact assessments and prior consultations with regulators.

9. Data Subject requests

The Service gives Customer tools to access, correct, export, and delete Customer Personal Data within its workspace, which Customer can use to respond to Data Subject requests. Taking into account the nature of the processing, Phloz will also provide reasonable assistance to help Customer respond to requests to exercise Data Subject rights. If Phloz receives such a request directly, it will, where legally permitted, direct the Data Subject to Customer rather than respond itself.

10. Personal Data Breach notification

Phloz will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help Customer meet its own notification obligations. Phloz's notification is not an acknowledgement of fault or liability.

11. Return and deletion

On termination or expiry of the Service, Customer may export Customer Data using the Service's export tools. Phloz will delete or return Customer Personal Data within 30 days after termination, except for copies required to be retained by law or held in routine backups, which are deleted or anonymised on our standard backup cycle and remain protected by this DPA until then. If Customer needs assistance exporting its data, it may contact privacy@phloz.com.

12. Duration and general

This DPA remains in effect for as long as Phloz processes Customer Personal Data. It is governed by the law and subject to the forum stated in the Terms, except where Data Protection Laws or the SCCs require otherwise. If any provision is unenforceable, the remainder stays in effect.

Annex 1 — Description of processing

  • Parties: Customer (Controller/data exporter) and Phloz, Vancouver, BC, Canada (Processor/data importer).
  • Subject matter: provision of the Phloz CRM, work management, and tracking-infrastructure Service.
  • Duration: the term of the Terms plus the return and deletion period in Section 11.
  • Nature and purpose: hosting, storing, organising, displaying, transmitting, and otherwise processing Customer Data to provide and support the Service as instructed by Customer.
  • Types of Personal Data: business-contact and client-relationship data Customer chooses to store — such as names, email addresses, phone numbers, company details, notes, tasks, messages, and tracking-configuration metadata. Customer should not store special-category data or high-risk identifiers (see the Acceptable Use Policy).
  • Categories of Data Subjects:Customer's own clients and their contacts, and Customer's personnel and collaborators.

Annex 2 — Technical and organisational measures

  • Tenant isolation: database row-level security (RLS) enforces per-workspace isolation, backed by application-layer access controls.
  • Encryption: TLS for all data in transit; data at rest is encrypted by our hosting and database providers.
  • Access control: least-privilege, role-based access; short-lived signed authentication tokens; multi-factor authentication available on administrative accounts.
  • Application security: input validation, rate limiting and abuse prevention, and audit logging of privileged and programmatic (API/MCP) actions.
  • Resilience and monitoring: managed, backed-up infrastructure with error and performance monitoring and an incident response process.
  • Organisational: confidentiality obligations, need-to-know access, and secure software-development practices. A SOC 2 examination is on our roadmap.

Annex 3 — Subprocessors

The current list of Subprocessors, their purpose, and their location is maintained at phloz.com/legal/subprocessors.

Contact

Questions about this DPA or to request a countersigned copy? Email legal@phloz.com — Phloz, Vancouver, BC, Canada.