Data Processing Agreement

January 2026

Throughout this Data Processing Agreement, certain terms have specific meanings that are important to understand. An Adequate Country refers to any country, territory, or organization that has been recognized by the European Commission as ensuring an adequate level of protection for personal data, meaning that data can be transferred to that country without additional safeguards beyond what is required for domestic processing. The Agreement refers collectively to the Terms of Service and other relevant documents published on our website, together with your order for the purchase or use of services from FlashCloud. The California Consumer Privacy Act, or CCPA, refers to the California Consumer Privacy Act as set forth in California Civil Code Section 1798.100 and following, as amended by the California Privacy Rights Act of 2020, together with any implementing regulations that have been or may be adopted. A Controller means the natural person or legal entity that determines the purposes and means of the processing of personal data. Under this agreement, the customer is the controller of customer data. Customer Data means any personal data that is provided to FlashCloud by or on behalf of the customer through the use of the services. For clarity, personal data that is part of the customer's order for purchase or use of services, such as the customer's own contact and billing information, is not treated as customer data subject to this Data Processing Agreement but is instead processed in accordance with our Privacy Policy. Data Protection Laws means all data protection and privacy laws that are applicable to the processing of personal data under this agreement, including but not limited to the General Data Protection Regulation, UK data protection laws, and the California Consumer Privacy Act. A Data Subject means an identified or identifiable natural person whose personal data is being processed. The EEA refers to the European Economic Area and Switzerland. The GDPR means Regulation 2016/679 of the European Parliament and of the Council, commonly known as the General Data Protection Regulation. The Model Clauses or Standard Contractual Clauses, sometimes abbreviated as SCCs, refer to the standard data protection clauses for the transfer of personal data to third countries as approved by the European Commission. Personal Data means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified directly or indirectly by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. A Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that is transmitted, stored, or otherwise processed. Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. A Processor means an entity that processes personal data on behalf of a controller, acting only on the controller's instructions regarding the processing activities. Services means any product or service provided by FlashCloud to the customer pursuant to the agreement between the parties. A Sub-processor means a third party engaged by FlashCloud to assist in fulfilling its obligations with respect to providing services, where that third party will process customer data as part of its engagement. UK Data Protection Laws means the United Kingdom General Data Protection Regulation as retained in UK law following Brexit, together with the Data Protection Act 2018 and any implementing regulations.

This Data Processing Agreement applies where and only to the extent that FlashCloud processes customer data that is subject to applicable data protection laws on behalf of the customer in the course of providing services. The agreement does not apply to processing activities where FlashCloud acts as a controller in its own right, such as processing customer contact information for billing and account management purposes. With respect to customer data processed under this agreement, the customer is the controller, meaning the customer determines the purposes and means of processing the customer data. FlashCloud acts as a processor, processing the customer data only on behalf of the customer and in accordance with the customer's documented instructions. This relationship reflects the nature of hosting services, where customers use FlashCloud's infrastructure to store and process their own data for their own purposes. To the extent the California Consumer Privacy Act applies to the processing of customer data, the customer is a business as defined in that law, and FlashCloud is a service provider acting on behalf of the business. The customer acknowledges and agrees that it will comply with its obligations under applicable data protection laws with respect to any personal data it provides to FlashCloud for processing. The customer represents that it has provided all required notices to data subjects and obtained all necessary consents and rights that are required for FlashCloud to lawfully process customer data in accordance with this agreement and the customer's instructions. The customer shall not provide customer data to FlashCloud where doing so would violate applicable law or the rights of any data subject. FlashCloud will process customer data only for the purposes described in this Data Processing Agreement and in accordance with the customer's documented lawful instructions. This agreement and the underlying services agreement constitute the customer's complete and final instructions to FlashCloud regarding the processing of customer data, and any additional instructions must be agreed to separately in writing. FlashCloud shall inform the customer if, in FlashCloud's opinion, an instruction infringes applicable data protection laws.

The subject matter of the processing under this Data Processing Agreement is the customer data that the customer provides to FlashCloud in connection with the customer's use of the services. The duration of the processing is the term of the agreement between FlashCloud and the customer, plus any post-termination period during which FlashCloud may continue processing customer data for transitional purposes such as providing the customer with access to retrieve their data. This post-termination processing period shall not exceed ninety calendar days. FlashCloud will process customer data for the purposes of providing the services and related technical support to the customer and performing FlashCloud's other obligations under the agreement between the parties. FlashCloud will not process customer data for any other purposes unless specifically instructed to do so by the customer or required to do so by applicable law. The customer may upload personal data to the services pertaining to various categories of data subjects, depending on the customer's use of the services. These may include the customer's own prospects, customers, business partners, vendors, suppliers, and other third parties with whom the customer has relationships. They may also include the customer's employees, agents, advisors, contractors, consultants, and freelancers. They may include employees, officers, or affiliated persons of the customer's business contacts. They may also include users whom the customer authorizes to access the services. The types of personal data that may be included in customer data depend on the customer's use of the services and the data the customer chooses to upload. Categories may include names, addresses, telephone numbers, dates of birth, email addresses, IP addresses, and other personal data as determined and controlled by the customer. FlashCloud does not control what personal data customers choose to process using the services.

The customer agrees that FlashCloud may engage sub-processors to process customer data in connection with the provision of services. FlashCloud will enter into written agreements with sub-processors that contain data protection terms at least as protective of customer data as the terms of this Data Processing Agreement. FlashCloud remains responsible for the acts and omissions of its sub-processors to the same extent FlashCloud would be responsible if performing the services directly. FlashCloud shall provide notice of any updates to its list of sub-processors, including the addition of new sub-processors or the replacement of existing sub-processors, with at least five days' advance notice before using the new sub-processor to process customer data. If the customer does not approve of a proposed new sub-processor and provides written notice of its objection to FlashCloud within the five-day notice period, the customer may terminate the affected services by providing written notice to FlashCloud. A list of FlashCloud's current sub-processors is available upon request by contacting privacy@flashcloud.com. The customer may request to receive automatic notifications of sub-processor changes by subscribing to the sub-processor notification list through the same email address.

FlashCloud implements and maintains technical and organizational measures designed to protect customer data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures are appropriate to the nature of the personal data being protected and the risks presented by the processing activities. FlashCloud's security measures include encryption of customer data during transmission using industry-standard transport layer security protocols. FlashCloud maintains ongoing processes to ensure the confidentiality, integrity, availability, and resilience of processing systems and services. FlashCloud has procedures in place to restore access to customer data in a timely manner in the event of a physical or technical incident. FlashCloud regularly tests and evaluates the effectiveness of technical and organizational measures for ensuring the security of processing. FlashCloud ensures that persons authorized to process customer data are subject to appropriate confidentiality obligations, whether by contract or statutory duty, and only process customer data in accordance with the customer's instructions unless processing is required by applicable law. FlashCloud maintains policies governing employee access to customer data and limits such access to personnel who require access to perform their job functions. The customer acknowledges that the customer is responsible for the secure use of the services, including protecting account credentials, properly configuring the services, and ensuring that the customer's use of the services complies with applicable security requirements. The customer is responsible for reviewing information made available by FlashCloud relating to data security and for making an independent determination regarding whether the services meet the customer's needs and comply with the customer's legal obligations. FlashCloud makes no representations or warranties that the services comply with laws or standards applicable to particular industries or data types.

Upon becoming aware of a personal data breach affecting customer data, FlashCloud shall notify the customer without undue delay. FlashCloud shall provide the customer with timely information relating to the breach as it becomes known or as is reasonably requested by the customer. FlashCloud shall take reasonable steps to mitigate the effects of the breach and to prevent additional unauthorized access to customer data. The customer acknowledges that the customer is responsible for determining whether a personal data breach affecting customer data requires notification to supervisory authorities or data subjects, and for making any such notifications in accordance with applicable law. FlashCloud shall cooperate with the customer's reasonable requests for assistance in connection with such notifications.

FlashCloud may transfer and process customer data in the United States, the European Union, the European Economic Area, and other countries where FlashCloud or its sub-processors maintain data processing operations. When customer data that is protected by the GDPR or UK data protection laws is transferred to a country that has not received an adequacy decision from the relevant authority, FlashCloud provides appropriate safeguards for such transfers through legally recognized mechanisms. For transfers of customer data protected by the GDPR, FlashCloud relies on the Standard Contractual Clauses approved by the European Commission. For transfers of customer data protected by UK data protection laws, FlashCloud relies on the International Data Transfer Agreement issued by the UK Information Commissioner's Office. Under these transfer mechanisms, FlashCloud acts as the data importer and the customer acts as the data exporter. The Standard Contractual Clauses as approved by the European Commission are incorporated by reference into this Data Processing Agreement. The Module 2 clauses for transfers from controllers to processors apply to transfers of customer data under this agreement. The customer may request a copy of the applicable Standard Contractual Clauses by contacting privacy@flashcloud.com.

FlashCloud enables customers to access, rectify, restrict processing of, and delete customer data through the functionality of the services, including the ability to delete customer data at any time. Customers are responsible for using these capabilities to respond to requests from data subjects regarding customer data. If FlashCloud receives a request directly from a data subject regarding customer data, FlashCloud shall advise the data subject to submit the request to the customer and shall notify the customer of the request to the extent legally permitted. The customer is responsible for responding to data subject requests, and FlashCloud shall provide reasonable cooperation to assist the customer in fulfilling such requests to the extent required by law and technically feasible.

Upon termination or expiration of the agreement between FlashCloud and the customer, FlashCloud shall, at the customer's election, return or delete all customer data in FlashCloud's possession. Customer data that is archived on backup systems shall be deleted within a maximum period of ninety calendar days following termination. FlashCloud may retain customer data to the extent required by applicable law or valid legal process. In such cases, FlashCloud will implement appropriate measures to protect the confidentiality of the retained data and will delete the data when retention is no longer required.

Upon reasonable written request by the customer, FlashCloud shall provide a summary of audit reports prepared by FlashCloud or third-party auditors demonstrating FlashCloud's compliance with applicable security standards. FlashCloud shall also respond to commercially reasonable written audit questions submitted by the customer. Customers may not submit audit requests more than once per twelve-month period absent a specific, documented security concern. All audit reports and information provided pursuant to this section are subject to the confidentiality provisions of the agreement between the parties and may not be disclosed to third parties without FlashCloud's prior written consent.

To the extent the California Consumer Privacy Act applies to FlashCloud's processing of customer data, the following provisions apply. FlashCloud shall not sell or share any customer data as those terms are defined in the CCPA. FlashCloud shall not retain, use, or disclose customer data for any purpose other than providing the services specified in the agreement between the parties, including providing the services specified in this Data Processing Agreement. FlashCloud shall not retain, use, or disclose customer data outside of the direct business relationship between FlashCloud and the customer. FlashCloud shall provide the same level of privacy protection for customer data as required by the CCPA for personal information processed by service providers. FlashCloud will notify the customer if FlashCloud determines that it can no longer meet its obligations under the CCPA. Upon such notification, the customer may take reasonable and appropriate steps to stop and remediate unauthorized use of customer data, including by terminating the services.

The customer shall indemnify and hold harmless FlashCloud from and against any losses, damages, claims, liabilities, costs, and expenses arising from the customer's non-compliance with applicable data protection laws or the customer's breach of its obligations under this Data Processing Agreement. This indemnification obligation includes liability arising from the customer's failure to provide required notices or obtain required consents from data subjects. FlashCloud's liability under this Data Processing Agreement is subject to the exclusions and limitations of liability set forth in the underlying agreement between the parties. To the extent permitted by applicable law, FlashCloud's total aggregate liability for all claims arising out of or relating to this Data Processing Agreement shall not exceed the amounts paid by the customer to FlashCloud for the services during the twelve months preceding the claim.

This Data Processing Agreement takes effect upon the effective date of the underlying agreement between FlashCloud and the customer and continues in effect until the end of FlashCloud's provision of services to the customer. This agreement terminates automatically upon the deletion of all customer data by FlashCloud following termination of the underlying agreement.

FlashCloud may modify this Data Processing Agreement at any time by posting an updated version on our website. Material changes to this agreement will be notified to affected customers at least ten calendar days before the changes take effect. Continued use of the services following the effective date of changes constitutes acceptance of the modified agreement.

FlashCloud implements the following minimum security measures in connection with the processing of customer data. With respect to personnel security, FlashCloud appoints officers responsible for information security oversight and maintains documented policies governing employee and vendor access to and use of systems containing customer data. FlashCloud conducts background checks on employees with access to customer data where permitted by law and requires employees to enter into confidentiality agreements as a condition of employment. With respect to access controls, FlashCloud secures customer data using role-based access controls and group permissions that limit access to personnel who require it for their job functions. FlashCloud conducts periodic audits of access rights and promptly disables accounts of terminated employees and contractors. With respect to system security, FlashCloud patches servers regularly with security updates and maintains current virus and malware protection. FlashCloud encrypts data in transit using transport layer security protocols and encrypts connections between data center locations using virtual private network technology. With respect to data protection, FlashCloud encrypts stored passwords using industry-standard cryptographic techniques. FlashCloud synchronizes customer data between primary and backup locations to ensure availability and conducts annual third-party IT security audits. With respect to incident response, FlashCloud maintains documented security incident management policies and procedures. FlashCloud provides prompt notification of personal data breaches in accordance with the notification provisions of this agreement.

The Standard Contractual Clauses as approved by the European Commission Decision 2021/914 are incorporated by reference into this Data Processing Agreement. The full text of the Standard Contractual Clauses is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. Under the Standard Contractual Clauses, the customer is the data exporter, identified in accordance with the underlying agreement between the parties. FlashCloud LLC is the data importer. The governing law of the Standard Contractual Clauses shall be the laws of the State of Delaware, United States, to the extent permitted by the clauses themselves. The competent supervisory authority shall be determined based on the data exporter's location in accordance with the rules set forth in the Standard Contractual Clauses.

This schedule applies only where the California Consumer Privacy Act is applicable to customer data processed under this agreement. FlashCloud, acting as a service provider under the CCPA, shall not sell or share customer data. FlashCloud shall not retain, use, or disclose customer data except as permitted by the CCPA for service providers. FlashCloud shall not combine customer data with personal information from other sources except as permitted by the CCPA. FlashCloud shall assist the customer in responding to consumer requests under the CCPA, including requests to know, requests to delete, requests to correct, and requests to opt out. FlashCloud will notify the customer if FlashCloud determines it can no longer meet its obligations under the CCPA.

For questions about this Data Processing Agreement or FlashCloud's data protection practices, please contact us at privacy@flashcloud.com. FlashCloud LLC is located at 2810 N Church St, PMB 859482, Wilmington, Delaware 19802-4447, United States. For more information about FlashCloud and our services, visit https://flashcloud.com.