Data Processing Agreement
Last updated: 2026-02-22
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between FluxDiagram LLC ("FluxDiagram," the data Processor) and you, the customer ("Controller"). This DPA applies where FluxDiagram processes personal data on your behalf in connection with the FluxDiagram service, as required by the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent applicable data protection laws.
This DPA supplements and is incorporated into the FluxDiagram Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding data processing, this DPA takes precedence.
For business customers who require a signed DPA, contact legal@fluxdiagram.com. This self-service DPA is effective for all customers upon acceptance of the Terms of Service.
2. Definitions
In this DPA, the following terms have the meanings given below:
- "Personal Data" means any information relating to an identified or identifiable natural person processed by FluxDiagram on behalf of the Controller in connection with the services.
- "Processing" means any operation performed on Personal Data, as defined in applicable data protection law.
- "Controller" means the customer who determines the purposes and means of processing Personal Data.
- "Processor" means FluxDiagram, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by FluxDiagram to process Personal Data in connection with the services.
- "Data Subject" means the individual to whom Personal Data relates.
- "Security Incident" or "Personal Data Breach" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Subject Matter and Nature of Processing
FluxDiagram processes Personal Data to provide the FluxDiagram AI animation generation service, including: receiving animation description inputs, generating animated visuals via AI models, storing generated Outputs, managing authentication sessions, processing billing transactions, delivering email communications, and producing usage analytics.
4. Categories of Personal Data Processed
FluxDiagram may process the following categories of Personal Data on behalf of the Controller:
- Identification data: Email address, account username, authentication identifiers (OAuth sub, Supabase user ID)
- Animation description inputs: Text entered by users when describing animated visuals. These may incidentally contain personal references depending on the context of use.
- Usage and behavioral data: Feature usage logs, generation timestamps, export actions, session data, IP address
- Payment metadata: Stripe customer ID, billing tier, subscription status (full payment card data is processed by Stripe directly, not by FluxDiagram)
- Communication data: Email correspondence with support
FluxDiagram does not intentionally process special categories of personal data (as defined in Article 9 GDPR), financial data beyond payment metadata, or government-issued identification numbers.
5. Data Subjects
The Data Subjects whose Personal Data is processed are the Controller's end users who access and use the FluxDiagram service through the Controller's account (where applicable in enterprise or API integration scenarios) and individuals whose data may be incidentally included in animation description inputs.
6. Processing Purposes and Instructions
FluxDiagram shall process Personal Data only on documented instructions from the Controller, including as set out in the Terms of Service and this DPA, unless required to do so by applicable law. The primary processing purpose is to deliver the FluxDiagram animated visual generation service as described in the Terms of Service.
FluxDiagram will promptly notify the Controller if, in its reasonable opinion, an instruction from the Controller violates applicable data protection law.
7. Sub-processors
The Controller authorizes FluxDiagram to engage the following sub-processors. FluxDiagram will ensure each sub-processor is bound by contractual obligations equivalent to those in this DPA:
- Supabase, Inc. (US / EU) — Authentication, database, user data storage
- Stripe, Inc. (US) — Payment processing, subscription management
- Cloudflare, Inc. (US) — Object storage (R2) for exported animated visual files
- PostHog, Inc. (US / EU) — Product analytics, event tracking
- Resend, Inc. (US) — Transactional and marketing email delivery
- Anthropic, PBC (US) — AI model processing of animation description inputs (Premium tier)
- OpenAI, LLC (US) — AI model processing of animation description inputs (Standard tier)
- Google LLC (US) — AI model processing (where applicable, Premium tier)
- Sentry, Inc. (US) — Error monitoring, may receive incidental Personal Data in error logs
- Vercel, Inc. (US) — Application hosting, infrastructure
- Amazon Web Services, Inc. (US) — Cloud infrastructure (via Supabase and Remotion Lambda)
FluxDiagram will notify the Controller of any intended changes to sub-processors (additions or replacements) by updating this DPA at least 14 days before the change takes effect. The Controller may object to a new sub-processor by contacting legal@fluxdiagram.com within 14 days of the notification. If FluxDiagram cannot accommodate the objection, the Controller may terminate the relevant services.
8. Security Measures
FluxDiagram implements the following technical and organizational security measures to protect Personal Data:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256 (managed by Supabase and Cloudflare)
- Access controls with principle of least privilege
- Authentication required for all access to Personal Data, with multi-factor authentication available for administrative access
- Regular security reviews and vulnerability assessments
- Error monitoring via Sentry with PII scrubbing configured
- Data isolation between customers
- Audit logs for administrative data access
9. Personal Data Breach Notification
In the event FluxDiagram becomes aware of a confirmed Personal Data Breach affecting the Controller's data, FluxDiagram will notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
Breach notifications will include, to the extent available at the time: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of Personal Data records concerned, contact information for further inquiries, likely consequences, and measures taken or proposed to address the breach.
The Controller is responsible for notifying affected Data Subjects and relevant supervisory authorities as required by applicable law.
10. Data Subject Rights
FluxDiagram will assist the Controller in fulfilling its obligations to respond to Data Subject requests for: access, rectification, erasure, restriction of processing, data portability, and objection to processing. FluxDiagram will refer any Data Subject requests it receives directly to the Controller promptly.
Where the Controller cannot fulfill a Data Subject request without FluxDiagram's technical assistance, FluxDiagram will provide such assistance within a reasonable timeframe, subject to any additional service fees agreed in writing.
11. Data Retention and Deletion
Upon termination of the service agreement, or upon the Controller's written request, FluxDiagram will delete or return all Personal Data within 30 days, except where retention is required by applicable law.
Tier-based export file retention applies during the active service period: 7 days (Free), 30 days (Starter), 90 days (Pro), as described in the Terms of Service.
Payment records are retained for 7 years to comply with financial record-keeping laws, even after account deletion or service termination.
12. International Data Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of data protection, FluxDiagram relies on Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent mechanisms, as the legal basis for such transfers.
13. Audit Rights
The Controller may, upon 30 days' written notice and no more than once per year (unless a Security Incident requires otherwise), request an audit of FluxDiagram's processing activities relevant to this DPA. FluxDiagram will provide reasonable assistance in the form of documentation, security certifications, and written responses to audit questionnaires. On-site audits are subject to mutual agreement regarding scope, timing, and cost.
14. Confidentiality
FluxDiagram ensures that personnel authorized to process Personal Data under this DPA are subject to a duty of confidentiality (whether contractual or statutory) with respect to such data.
15. Contact
To execute a signed DPA, raise a data processing concern, or request deletion of your data, contact legal@fluxdiagram.com.