Data Processing Agreement (DPA)

Last Updated: March 18, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service and/or any Order Form (the "Agreement") between Flux LLC ("Processor") and the entity agreeing to the Agreement ("Customer" or "Controller").

This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the Services.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person under applicable data protection laws.
"Processing" means any operation performed on Personal Data (e.g., collection, storage, use, disclosure).
"Subprocessor" means any third party engaged by Processor to process Personal Data.
"Data Subject" means an individual to whom Personal Data relates.
"Applicable Data Protection Law" includes the GDPR and other relevant laws.

2. Roles of the Parties

Controller acts as the data controller and determines the purposes and means of Processing.
Processor acts as a data processor on behalf of Controller.
Processor may act as an independent controller for limited purposes such as account management, billing, and legal compliance.

3. Scope of Processing

3.1 Subject Matter

Provision of Flux's user research, A/B testing, and participant interaction platform.

3.2 Nature and Purpose

Processing includes:

Hosting and delivering test experiences
Collecting participant interaction data (e.g., clicks, navigation)
Recording optional audio and generating transcripts
Storing responses to research prompts
Facilitating participant recruitment via third-party providers

3.3 Categories of Data Subjects

Research participants
Customer personnel (users of the platform)

3.4 Categories of Personal Data

May include:

Interaction and behavioral data
Audio recordings and transcripts
Survey responses and feedback
Device and browser metadata

Processor does not intentionally collect direct identifiers such as names, email addresses, or contact information from participants.

3.5 Duration

Processing continues for the duration of the Agreement and until deletion in accordance with Section 8.

4. Processor Obligations

Processor shall:

Process Personal Data only on documented instructions from Controller
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational measures
Not sell Personal Data
Inform Controller if an instruction violates applicable law

5. Security Measures

Processor implements industry-standard safeguards, including:

Encryption in transit (TLS/HTTPS)
Role-based access controls
Logical data isolation
Secure cloud infrastructure (Google Cloud Platform)
Monitoring and logging
Backup and disaster recovery procedures

6. Subprocessors

6.1 Authorized Subprocessors

Controller authorizes the use of:

Google Cloud Platform (hosting and infrastructure)
Prolific (participant recruitment, where applicable)
Stripe (payment processing)
OpenAI (question generation and summary of results)

6.2 General Authorization

Controller provides general authorization for Processor to engage additional Subprocessors, provided that:

Processor imposes data protection obligations consistent with this DPA
Processor remains responsible for Subprocessor performance

7. Data Subject Rights

Taking into account the nature of Processing, Processor shall:

Provide reasonable assistance to Controller in responding to Data Subject requests
Not respond directly to Data Subjects unless legally required

8. Data Retention and Deletion

Personal Data is retained only as necessary to provide the Services
Upon termination or request, Processor will delete or return Personal Data within a reasonable period, unless required by law
Backup copies may persist temporarily in accordance with standard retention cycles

9. Security Incident Notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data breach affecting Customer Data and will provide relevant information as reasonably available.

10. International Data Transfers

Controller acknowledges that Personal Data may be transferred to and processed in the United States and other jurisdictions.

Where required, such transfers are governed by Standard Contractual Clauses (SCCs), which are incorporated by reference into this DPA.

11. Audits

Controller may request information reasonably necessary to demonstrate compliance
Audits are limited to once per year with reasonable notice
Audits must not unreasonably disrupt Processor operations

12. Liability

Liability under this DPA is subject to the limitations of liability set forth in the Agreement.

13. Conflict

In the event of a conflict between this DPA and the Agreement, this DPA shall control with respect to data protection matters.

14. Governing Law

This DPA shall be governed by the governing law specified in the Agreement, unless otherwise required by Applicable Data Protection Law.

Annex I – Processing Details

Controller: Customer

Processor: Flux LLC

Processing Activities:

Hosting research studies
Collecting participant responses
Generating research outputs

Data Types:

Behavioral interaction data
Audio recordings and transcripts
Survey responses

Data Subjects:

Research participants
Customer users

Annex II – Security Measures

TLS encryption in transit
Access controls and authentication
Secure cloud infrastructure (GCP)
Logging and monitoring
Backup and recovery processes

Annex III – Subprocessors

Google Cloud Platform
Prolific
Stripe
OpenAI

End of DPA