This Data Processing Addendum ("DPA") forms part of the Customer Terms of Use (the "Agreement") between Farodale LTD (Company no. 124250, Gibraltar) ("Processor" or "Faroflow AI") and the customer identified in the Order Form ("Controller" or "Customer").
1. Subject Matter and Duration
- This DPA governs Faroflow AI's processing of personal data on behalf of the Customer.
- Processing will last for the duration of the Agreement, unless otherwise required by law.
2. Roles of the Parties
- Customer is the Controller of personal data.
- Faroflow AI is the Processor that processes personal data only on documented instructions from Customer.
3. Nature and Purpose of Processing
Faroflow AI processes personal data solely to provide the services described in the Agreement, including:
- Enabling AI-powered customer interactions
- Hosting conversation logs as configured by the Customer
- Providing analytics, billing, and support
Faroflow AI does not:
- Sell personal data
- Use personal data for independent purposes
- Collect media uploads or sensitive data unless explicitly provided by Customer
4. Types of Data and Data Subjects
- Data subjects: End users of Customer (e.g. individuals interacting with Customer's AI agent).
- Types of data: Text interactions and business contact details; no biometric, payment card, or health data unless Customer chooses to input such data.
5. Processor Obligations
Faroflow AI shall:
- Process personal data only on documented instructions from Customer.
- Implement appropriate technical and organizational measures to protect data.
- Ensure staff are bound by confidentiality.
- Assist Customer in responding to data subject rights requests (access, correction, deletion, etc.).
- Notify Customer without undue delay of any personal data breach.
- Make available information needed to demonstrate compliance (including audits, subject to reasonable notice).
6. Sub-Processors
- Customer authorizes Faroflow AI to engage sub-processors to deliver the Service.
- Faroflow AI will maintain a public list of sub-processors at www.faroflow.com/legal/subprocessors and notify Customer of material changes.
- Faroflow AI ensures sub-processors are bound by written agreements providing equivalent protections.
7. International Transfers
- Personal data may be transferred outside the UK/EEA (e.g. to the UK, EU, or US).
- Such transfers will be safeguarded by Standard Contractual Clauses (SCCs), the UK Addendum, or equivalent mechanisms under applicable law.
8. Customer Responsibilities
Important Customer Obligations:
- Customer is responsible for ensuring lawful collection of personal data and providing required notices to end users.
- Customer must not transmit special categories of data (health, biometric, etc.) unless explicitly agreed in writing.
9. Return or Deletion of Data
Upon termination of the Agreement, Faroflow AI will delete or return Customer personal data within a reasonable period, unless retention is required by law.
10. Governing Law and Jurisdiction
- This DPA is governed by the laws of England and Wales.
- Disputes shall be subject to the exclusive jurisdiction of the courts of London.