
Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") supplements the Flokk Terms of Service and governs our processing, as a processor under the GDPR, of personal data on your behalf.

1. Roles

Controller: you (the customer). You determine the purposes and means of processing personal data stored in your Flokk databases.

Processor: Flokk. We process personal data only as necessary to provide the managed PostgreSQL service you have contracted for.

2. Scope of processing

  • Subject matter: hosting, operating, backing up, and replicating PostgreSQL databases on your behalf.
  • Duration: for the term of your Flokk subscription.
  • Nature: automated storage, retrieval, replication, and backup of database contents. We do not access, inspect, or analyse the data you store.
  • Categories of data: determined by you. We do not know or control what personal data you choose to store.

3. Data location

All processing takes place in Frankfurt, Germany (UpCloud de-fra1). No personal data is transferred outside the European Economic Area.

4. Sub-processors

Current sub-processors are listed at /legal/sub-processors. We will notify you at least 30 days before engaging a new sub-processor. You may object within that period; if the objection cannot be resolved, you may terminate the affected service.

5. Security measures

  • Encryption in transit: TLS 1.3 for all connections.
  • Encryption at rest: AES-256 via UpCloud block storage encryption.
  • DNS verification: DANE/TLSA records, signed with DNSSEC, so that clients can verify our TLS certificates against DNS in addition to the CA chain.
  • Tenant isolation: separate PostgreSQL databases, roles, and connection limits per customer.
  • Access control: principle of least privilege. No shared superuser access.
  • Backup: automated daily backups with plan-based retention.
  • Monitoring: real-time alerting on anomalies.

6. Breach notification

We will notify you without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting your data. Notification will include the nature of the breach, likely consequences, and measures taken.

7. Data subject requests

We will assist you in responding to data subject requests (access, erasure, portability, etc.) by providing technical capabilities: pg_dump export, database deletion, and audit logs. We will not respond directly to your end-users' requests unless legally required.

8. Deletion

Upon termination of the service or your written request, we will delete all personal data (databases and backups) within 30 days, except where retention is required by law (e.g. invoices for tax compliance).

9. Audit

You may audit our compliance with this DPA by reviewing our security documentation, penetration test summaries, and SOC 2 / ISO 27001 reports (when available). Dedicated tier customers may arrange on-site audits with reasonable notice.

10. Governing law

This DPA is governed by the same law as the Terms of Service (Norwegian law).

11. Contact

DPA inquiries: privacy@flokk.dev