Data Processing Agreement

This summary describes how Fluenco Academy acts as a Data Processor for our corporate Clients. The complete Data Processing Agreement, including the Annexes (description of processing, technical and organizational measures, list of sub-processors, EU Standard Contractual Clauses), is available on request to info@fluencoacademy.com and forms part of any B2B order.

When a Client (typically the Client’s employer organization, HR or L&D function) contracts Fluenco to deliver Services to its employees or learners, the Client is the Data Controller of the personal data of those employees/learners, and Fluenco Academy is the Data Processor. Fluenco processes personal data only on the documented instructions of the Client, including with regard to transfers of personal data to a third country.

Fluenco commits to:

• Process personal data strictly on the documented instructions of the Client (including instructions delivered through configuration of the Services), and not for any other purpose;
• Ensure that personnel authorized to process personal data are bound by written confidentiality undertakings;
• Implement and maintain appropriate technical and organizational security measures consistent with our Security Statement and any specifically agreed measures (see Annex II of the full DPA);
• Assist the Client, taking into account the nature of the processing, in responding to data-subject rights requests (access, rectification, erasure, restriction, portability, objection);
• Assist the Client in complying with its security, breach-notification, DPIA, and prior-consultation obligations under GDPR Articles 32–36 and equivalent provisions of the LFPDPPP;
• Notify the Client of any personal-data breach affecting the Client’s data without undue delay, and in any case no later than 72 hours after becoming aware of the breach, with the information required by GDPR Article 33(3);
• Make available all information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client (subject to reasonable confidentiality and scheduling constraints).

The Client gives general written authorization for Fluenco to engage sub-processors that help us deliver the Services. A current list of sub-processors is maintained in Annex III of the full DPA and includes categories such as cloud hosting (AWS, Vercel), email delivery (Magyar Hosting SMTP), and operational tooling (Airtable for client-portal data, where applicable).

Fluenco will inform the Client of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Client an opportunity to object on reasonable data-protection grounds. Each sub-processor is bound by data-protection obligations no less protective than those in the DPA.

Where Fluenco transfers personal data originating from the EEA, the UK, or Switzerland to Mexico or to any other country lacking an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (Module 2 — Controller to Processor) adopted by the European Commission under Decision (EU) 2021/914, supplemented by the UK International Data Transfer Addendum where applicable. These SCCs are incorporated into the full DPA by reference and prevail over any conflicting provision.

Fluenco treats all personal data received from the Client as confidential. We will not disclose it to any third party except (a) to authorized sub-processors under written contract, (b) where compelled by binding legal request — in which case we will, where legally permitted, notify the Client first and challenge overbroad requests — or (c) with the prior written consent of the Client.

Fluenco maintains the technical and organizational measures described in our Security Statement and in Annex II of the full DPA, including encryption in transit and at rest, access controls, audit logging, vulnerability management, and incident response.

If Fluenco receives a request directly from a data subject relating to data processed on behalf of a Client, we will not respond substantively to the request, except on the Client’s documented instructions, and we will forward the request to the Client without undue delay.

Each party’s liability under the DPA is governed by, and capped in accordance with, the underlying master agreement, except where mandatory data-protection law requires otherwise.

Upon expiration or termination of the underlying agreement, Fluenco will, at the Client’s choice, return or securely delete all personal data processed on behalf of the Client (and copies thereof), subject to any legal obligation requiring further storage. Backups containing personal data will be cycled out within 90 days.

This DPA is governed by the laws of the United Mexican States. The courts of Mexico City have exclusive jurisdiction over disputes, without prejudice to (a) any mandatory provision of data-protection law affording protections to data subjects, and (b) the dispute-resolution clauses of the SCCs where the SCCs apply.