Data Processing Agreement

Last Updated: February 23, 2026

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service or other agreement (the "Principal Agreement") between Natural Language Labs Inc. d/b/a Flashpoint.AI ("Data Processor" or "Flashpoint.AI") and the entity agreeing to these terms ("Data Controller" or "Customer"), collectively referred to as the "Parties."

This DPA applies automatically to all Customers whose use of the Services involves the processing of Personal Data subject to Applicable Data Protection Laws. By creating an account or using the Services, Customer agrees to this DPA. In the event of any conflict between this DPA and the Principal Agreement with respect to data protection matters, this DPA shall prevail.

Enterprise customers may request a custom data processing agreement that supersedes this DPA. To discuss custom terms, please contact us at legal@flashpoint.ai.

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Applicable Data Protection Laws" means the GDPR (Regulation (EU) 2016/679), the UK GDPR, and any other applicable data protection legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller under the Principal Agreement.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

2.1. The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law.

2.2. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex 1 to this DPA.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, pseudonymization, and regular security testing.
  • Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller.
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with obligations and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.

4. Sub-processors

4.1. The Controller provides general written authorization for the Processor to engage sub-processors. The current list of approved sub-processors is set out in Annex 2 and is also available at flashpoint.ai/subprocessors.

4.2. The Processor shall inform the Controller of any intended changes to its sub-processors, giving the Controller the opportunity to object to such changes within 30 days. If the Controller objects and the Processor cannot reasonably accommodate the objection, either Party may terminate the affected services.

4.3. The Processor shall impose data protection obligations on any sub-processor by way of a written contract that provides at least the same level of protection as this DPA.

5. International Transfers

5.1. The Processor shall not transfer Personal Data outside the EU/EEA/UK unless appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.

5.2. Where SCCs are required, they are incorporated into this DPA by reference and shall be deemed executed by the Parties.

6. Data Breach Notification

6.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed under this DPA.

6.2. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

6.3. The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.

7. Audit Rights

7.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

7.2. The Controller or its mandated auditor may conduct audits, including inspections, upon reasonable notice (not less than 30 days). Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.

7.3. The Processor may satisfy audit requests by providing relevant certifications or audit reports (such as SOC 2 reports) where available.

8. Data Subject Rights

8.1. The Processor shall promptly assist the Controller in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

8.2. If the Processor receives a request directly from a Data Subject, it shall promptly forward the request to the Controller and shall not respond to the Data Subject directly without the Controller's instructions, unless legally required to do so.

9. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Applicable Data Protection Laws.

10. Term and Termination

10.1. This DPA shall remain in effect for the duration of the Principal Agreement and shall automatically terminate upon termination or expiration of the Principal Agreement.

10.2. Upon termination, the Processor shall, at the Controller's election, return or securely delete all Personal Data within 30 days, unless retention is required by applicable law. The Processor shall certify deletion in writing upon request.

11. Liability

The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws that govern the Principal Agreement, except where Applicable Data Protection Laws require otherwise.


Annex 1: Details of Processing

Subject Matter of Processing: Provision of AI-powered market research, survey, and behavioral validation services.

Duration of Processing: For the duration of the Principal Agreement plus any retention period required by law.

Nature and Purpose of Processing: Collection, storage, analysis, and reporting of survey responses, behavioral data, and related analytics for market research purposes.

Types of Personal Data: Name, email address, IP address, device identifiers, survey responses, behavioral and interaction data, demographic information, and any other data provided by or about Data Subjects through the Platform.

Categories of Data Subjects: Survey respondents, research panel participants, end users of the Platform, and Customer personnel.


Annex 2: Approved Sub-processors

The following sub-processors are authorized to process Personal Data under this DPA:

Sub-processor | Purpose | Data Processed | Location
Amazon Web Services (AWS) | Cloud infrastructure and hosting | All platform data | United States
OpenAI | AI model inference and processing | Survey and research data (anonymized where possible) | United States
Anthropic | AI model inference and processing | Survey and research data (anonymized where possible) | United States
Stripe | Payment processing | Payment and billing data | United States
Auth0 (Okta) | Authentication and identity management | User credentials and profile data | United States
Twilio | Communication services (SMS, email) | Contact information and message content | United States
Slack | Internal team communication | Incidental personal data in support workflows | United States
Sentry | Error tracking and monitoring | Technical data, IP addresses, error context | United States
Microsoft | AI research assistant integration (Graph API) | Email data, calendar data, user profile information | United States

An up-to-date list of sub-processors is maintained at flashpoint.ai/subprocessors. The Controller will be notified of any changes in accordance with Section 4 of this DPA.