FLUX Data Processing Agreement (“DPA”)
We use your personal information to provide and improve the Service. By accessing the Service, you consent to the collection and utilization of information as described in this Agreement, and you agree to be bound by its terms. If you do not agree with any of the practices described in this Agreement, please refrain from using our Services.
Interpretation and Definitions
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
For the purposes of this Agreement:
- Account means a unique account created for You to access our Service or parts of our Service.
- Agreement means the written or electronic agreement between the Customer and FLUX for the provision of Products and/or services by FLUX to the Customer.
- Applicable Data Protection Law means all laws and regulations applicable to and binding on the processing of Customer Data by a party, including, as applicable, the GDPR.
- Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to FLUX Inc., 7F, No.459, Chongyang Rd., Nangang Dist, Taipei, Taiwan.
- Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Country refers to Taiwan.
- Device means any device that can access the Service such as a computer, a cell phone or a digital tablet.
- EEA means, for the purposes of this DPA, the European Economic Area, namely the European Union Member States, Iceland, Liechtenstein and Norway.
- Personal Data is any information that relates to an identified or identifiable individual.
- Platform refers to Beam Studio, accessible from https://studio.flux3dp.com/
- Security Incident means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data on systems managed or otherwise controlled by FLUX.
- Service refers to the Website and Platform you engage.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- Sub-processor means any processor engaged by FLUX or its Affiliates to assist in fulfilling its obligations under the Agreement. Sub-processors may include third parties or Affiliates of FLUX but shall exclude FLUX employees or consultants.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Website refers to FLUX official Website, accessible from https://flux3dp.com/ and FLUX SHOP, accessible from https://shop.flux3dp.com/.
- You (referred to as either “Customer”, “Member” or “User”) means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Rules and Responsibilities
- Parties’ roles. As between FLUX and the Customer, the Customer is the controller of their own Personal Data, and FLUX shall process Personal Data only as a processor acting on behalf of Customer as described in Annex A (Details of Processing) of this Agreement.
- Purpose limitation. FLUX shall process Personal Data only in connection with the arrangements envisaged under this Agreement and in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law. Customer instructs FLUX and its Sub-processors to process Customer Personal Data as reasonably necessary for the provision of the services contemplated by the Agreement and to perform its obligations under the Agreement.
- Sensitive Data. You are responsible for ensuring that appropriate safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s Users to transmit or process, any Sensitive Data via the Service. FLUX only collects Personal Data necessary for product shipping, distribution, and re-marketing to our members. Please refrain from providing sensitive data, as we are committed to keeping such data out of our system.
- Customer compliance. You represent and warrant, and shall procure that Users to whom the Personal Data relates represent and warrant that (i) it has complied, and will continue to comply, with all Applicable Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to FLUX; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for FLUX to process Personal Data for the purposes described in the Agreement. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed pursuant to the Agreement, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. FLUX shall have no liability towards the Users, and the Customer shall fully indemnify FLUX against all losses arising as a result of a User bringing an independent claim against FLUX or its Affiliates under or in connection with this Agreement.
- Notification obligations regarding the Customer's instructions. FLUX shall promptly notify the Customer in writing without any obligation to provide legal advice, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from the Customer violates Data Protection Laws.
- Authorized Sub-processors. The Customer agrees that FLUX may engage Sub-processors to process Personal Data on the Customer's behalf. The Customer further agrees that FLUX may transfer Personal Data to its Affiliates (as such term is defined in the Agreement) solely for the purposes of utilizing shared business functions (e.g. accounting) and for group business performance analysis and always provided that any such transfer is made in accordance with a written data sharing agreement and in compliance with the Data Protection Laws.
- Objection to Sub-processors. The Customer may object in writing to FLUX’s appointment of a new Sub-processor within seven (7) calendar days of receiving notice in accordance with Section 3.1, by email to the main portal user and to the tech portal contact, provided that such objection is based on reasonable grounds relating to data protection. If the Customer does not object to the Sub-processor within seven calendar days of receiving the information, the Customer shall be deemed to have accepted the Sub-processor. If the Customer has raised a reasonable objection to the new Sub-processor, and the parties have failed to agree on a solution within reasonable time, the Customer shall have the right to terminate the Agreement with a notice period determined by the Customer, without prejudice to any other remedies available under law or contract.
- Sub-processor obligations. FLUX shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide equivalent protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this Agreement and for any acts or omissions of such Sub-processor that cause FLUX to breach any of its obligations under this Agreement.
Security of Data Processing
- Security Measures. FLUX shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data in accordance with FLUX security standards. The Customer acknowledges and agrees that the Security Measures which are to be implemented by FLUX are appropriate to meet the requirements under applicable Data Protection Laws.
- Confidentiality of processing. FLUX shall ensure that any person who is authorized by FLUX to process Personal Data (including its staff, agents and subcontractors) shall be under an obligation of confidentiality commensurate with the obligations of confidentiality in the Agreement.
- Updates to Security Measures. The Customer is responsible for reviewing the information made available by FLUX relating to data security and making an independent determination as to whether the Licensed Software meets the Customer’s requirements and legal obligations under the Data Protection Laws. The Customer acknowledges that the Security Measures are subject to technical progress and development and that FLUX may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to the Customer.
- Security Incident response. Upon becoming aware of a Security Incident, a Party shall: (i) notify the other Party without undue delay after becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by the other Party; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by such Party of any fault or liability with respect to the Security Incident.
Limitations on International Transfer. Personal Data from EEA, UK, or Swiss Data Controller(s) may only be exported to or accessed by FLUX (or its Affiliates) or its authorized Sub-processors outside the EEA, the UK, or Switzerland, as applicable (“International Transfer”):
- If the recipient, or the country or territory in which it processes or accesses Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction; or
- In accordance with the Standard Contractual Clauses and Multi-tier Framework as set out in Section 5.2 below.
- The Standard Contractual Clauses apply where (i) there is an International Transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction, and/or (ii) there is an International Transfer to a recipient that is not covered by an appropriate safeguard, including, but not limited to, binding corporate rules, an approved industry code of conduct, an individual adequacy decision by a regulatory body of competent jurisdiction, or an individual transfer authorization granted by a regulatory body of competent jurisdiction.
- EEA Data transfers. Where the Standard Contractual Clauses apply: (i) FLUX agrees that it is the "data importer" and the Customer is the "data exporter" under the Standard Contractual Clauses; (ii) Annex A and Annex B of this Agreement shall replace Annexes 1 and 2 of the Standard Contractual Clauses, respectively.
- For Third Country Sub-processors, FLUX shall ensure that such sub-processor has entered into the unchanged version of the Standard Contractual Clauses prior to the Sub-processor’s processing of Customer Personal Data.
- The Data Processor shall, upon written request of the Data Controller prior to transferring Customer Personal Data to Third Country Sub-processors, request the data importer to provide the Data Controller with a written assessment as to whether the law of the third country of destination ensures adequate protection, under Applicable Data Protection Law, of personal data transferred pursuant to the Standard Contractual Clauses, by providing, where necessary, additional safeguards to those offered by those New Standard Contractual Clauses.
- Furthermore, prior to transferring Customer Personal Data to Third Country Sub-processors or processing Customer Personal Data in such third countries, Data Processor must use best efforts to implement appropriate (in particular, but not limited to technical and organisational) guarantees capable of ensuring that data subjects whose personal data are transferred to the third country of destination pursuant to the Standard Contractual Clauses enjoy a level of protection essentially equivalent to that which is guaranteed under Data Protection Laws and Regulations.
Return and Deletion of Data
- Deletion on termination. Upon termination or expiration of the Agreement, FLUX shall (at the Customer's election) delete or return to the Customer all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent FLUX is required by applicable law to retain some or all of the Personal Data, or Personal Data it has archived on back-up systems, which FLUX shall securely isolate, protect from any further processing and eventually delete in accordance with FLUX data retention policies, except to the extent required by applicable law.
Data Subject Right and Cooperation
- Data subject requests. FLUX shall provide reasonable cooperation to assist the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made to FLUX directly, FLUX shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact the Customer) or legally required, without the Customer's prior authorization. If FLUX is required to respond to such a request, FLUX shall promptly notify the Customer and provide the Customer with a copy of the request unless FLUX is legally prohibited from doing so. For the avoidance of doubt, nothing in the Agreement (including this Agreement) shall restrict or prevent FLUX from responding to any data subject or data protection authority requests in relation to personal data for which FLUX is a controller.
- Data protection impact assessment. To the extent required under Applicable Data Protection Laws, FLUX shall (at the Customer's expense) provide all reasonably requested information regarding the Licensed Software or other products or services (as applicable) to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
- Subject to this section 8, FLUX shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Personal Data by FLUX or authorized sub-processors.
- Information and audit rights of the Customer only arise under section 8.1 to the extent that the Agreement does not otherwise give the Customer information and audit rights meeting the relevant requirements of Data Protection Law.
Limitation of Liability
- The Customer shall be liable for, and shall indemnify (and keep indemnified) FLUX in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, FLUX arising directly or in connection with Customer’s processing activities that are subject to this Agreement: except to the extent that FLUX is liable under Section 9.3.
- any non-compliance by the Customer with the Data Protection Laws;
- any processing carried out by FLUX in accordance with instructions given by the Customer that infringe the Data Protection Laws; or
- any breach by the Customer of its obligations under the Agreement;
- FLUX shall be liable for, and shall indemnify (and keep indemnified) the Customer in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Customer arising directly or in connection with FLUX processing activities that are subject to this Agreement.
- only to the extent that the same results from FLUX’s breach of, or non-compliance with, this Agreement, the Customer’s instructions, or the Data Protection Laws; and
- not to the extent that the same is, or are contributed to, by any breach of the Agreement by the Customer.
- The Customer shall not be entitled to claim back from FLUX any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify FLUX under Section 9.2.
- Any claims against FLUX or its Affiliates under or in connection with this Agreement (including, where applicable, the SCCs) shall be brought solely against the entity that is a party to the Agreement.
- In no event shall any Party limit its liability with respect to any individual's data protection rights under this Agreement or otherwise.
Relationship with the Agreement
- This Agreement shall remain in effect for as long as FLUX carries out Personal Data processing operations on behalf of the Customer or until termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with Section 6.1).
- The Parties agree that this Agreement shall replace any existing data processing agreement or similar document that the Parties may have previously entered into in connection with the Agreement.
- No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.
- This Agreement shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
Annex A Details of Processing
Personal Data We Collect
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information includes:
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
Usage Data We Collect
To enhance the shopping and browsing experience for our users, we automatically collect Usage Data when you use our Service. This Usage Data is stored and logged differently across devices or applications. In general, Usage Data comprises:
- IP address
- Browser type and version
- The specific pages of our Service that you visit
- The date and time of your visits
- The duration of your visits to those pages
- Unique device identifiers
- Other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including:
- The type of mobile device You use
- Your mobile device unique ID
- IP address of Your mobile device
- Your mobile operating system
- The type of mobile Internet browser You use
- Unique device identifiers
- Other diagnostic data.
Use of Your Personal Data
The Company will use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
- For shipping purposes: To fulfill the order, we require the address and ZIP code to be provided in as much detail as possible.
- To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that You have already purchased or enquired about unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to Us.
- For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
- For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and Your experience.
We will share Your Personal Data in the following situations:
- With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service and to contact You.
- For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
- With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
- With other users: When You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
- With Your consent: We may disclose Your personal information for any other purpose with Your consent.
- Provide a level of security (including appropriate Security Measures relating to the categories or nature of Licensee Data) appropriate to protect against the harm that might result from a data breach, which shall include but not be limited to:
  - ensure role-based access is granted only to those individuals needing access for the provision of the Licensed Software,
  - ensure that suitable and effective authentication processes are established and used to protect Licensee Data (e.g., 2 factor authentication for privileged access or restricted information),
  - back up Licensee Data on a regular basis as required by the Licensee and ensuring that any back up data is subject to appropriate Security Measures as necessary to protect the confidentiality, integrity and availability of Licensee Data,
  - encrypt, using industry standard encryption tools and key strengths, all records and files containing Licensee Data that FLUX:
    - transmits or sends (including wirelessly) across public networks,
    - stores on laptops or storage media, or
    - stores on portable devices.
  - safeguarding the security and confidentiality of all encryption keys associated with encrypted Licensee Data.
- Establish, maintain and enforce a comprehensive information security program, that includes information security policies, hiring policies, privacy policies and data handling procedures consistent with industry standards and appropriate Security Measures or as mandated by Applicable Law, to protect the security, integrity and confidentiality of Licensee Data against a data breach, which shall include but not be limited to:
  - providing information security awareness and training programs covering its policies and practices to all employees, agents or other personnel that will have access to Personal Data,
  - having a comprehensive, up to date and tested business continuity plan in place to protect the confidentiality, integrity and availability of Licensee Data, and
  - prohibiting employees, agents or other personnel from accessing or storing Licensee Data remotely (e.g. from home or via their own electronic device or internet portal) other than through a secure electronic network and in accordance with an organizational remote working policy.
- Not use Licensee Data on systems that are in development or are in testing where the security controls are less protective than the controls identified in this Addendum.