Last updated: October 30, 2025
Effective date: October 30, 2025
1. Introduction
This Data Processing Addendum ("DPA") forms part of FlyCode Inc.'s Terms of Service and governs FlyCode's processing of personal data on behalf of its customers in connection with the provision of FlyCode services. It is intended to ensure compliance with applicable data protection laws, including the EU General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection ("FADP").
2. Definitions
For purposes of this DPA:
"Applicable Data Protection Laws" means all laws and regulations relating to the processing of personal data, including the GDPR, UK GDPR, and FADP.
"Customer Personal Data" means any personal data processed by FlyCode on behalf of a customer in connection with the services.
"Data Subject" means an identified or identifiable natural person to whom personal data relates.
"Sub-Processor" means any third party engaged by FlyCode to process personal data on its behalf.
"Personal Data Breach" means any actual or reasonably suspected unauthorized access, loss, or disclosure of personal data.
"Transfer Mechanisms" means the Standard Contractual Clauses (SCCs), the UK Transfer Addendum, or Swiss transfer mechanisms, as applicable.
Other capitalized terms shall have the meanings set out in the GDPR or relevant legislation.
Processing of Personal Data
FlyCode acts as a processor (or sub-processor) when providing services to customers. FlyCode will process Customer Personal Data only to provide the services or as required by law, and will notify customers if any processing required by law conflicts with their written instructions.
4. Personnel and Confidentiality
Access to Customer Personal Data is limited to authorized personnel who have a legitimate need to know. All such personnel are bound by confidentiality obligations and receive ongoing security and privacy training.
5. Security Measures
FlyCode implements and maintains technical and organizational measures to protect personal data as required by Article 32 GDPR. These measures include encryption, access controls, network security, secure development practices, monitoring, and incident response procedures.
6. Sub-Processors
FlyCode may engage third-party sub-processors to assist in delivering services. A current list is maintained in Annex 3. FlyCode ensures that all sub-processors are subject to written data-protection obligations consistent with this DPA and implement equivalent security controls. Customers are notified of material changes at least seven (7) days before the change takes effect.
7. Data Subject Rights
FlyCode assists customers, as controllers, in fulfilling their obligations to respond to data subject requests under applicable law. Requests received directly by FlyCode will be promptly forwarded to the appropriate customer for handling.
8. Personal Data Breaches
In the event of a personal data breach affecting Customer Personal Data, FlyCode shall notify the affected customer without undue delay and within 72 hours of becoming aware of the breach, provide all relevant details, and take appropriate steps to contain, mitigate, and prevent recurrence.
9. Data Retention and Deletion
Upon termination or expiration of the services, FlyCode will delete or return Customer Personal Data within 14 days of request and delete remaining backups within 30 days unless retention is required by law.
10. Audit and Compliance
FlyCode provides documentation and assistance to demonstrate compliance with this DPA. Upon reasonable written request, customers may review FlyCode's data-protection practices through questionnaires, reports, or other supporting materials. On-site audits are permitted only if required by law or a supervisory authority.
11. International Transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, FlyCode relies on approved Transfer Mechanisms, including SCCs, the UK Addendum, and Swiss Addendum. All transfers are governed by these mechanisms to ensure adequate protection.
12. Liability
To the extent permitted by law, FlyCode's aggregate liability under this DPA shall not exceed three (3) times the customer's average monthly subscription fees or such other limit set out in the main service agreement.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of Delaware, United States, and disputes shall be resolved exclusively in the courts of Delaware.
Annex 1 — Data Processing Details
Processor: FlyCode Inc., USA
Contact: privacy@flycode.com
Role: Processor
Purpose: To provide FlyCode services, including billing optimization, payment recovery, and analytics.
Categories of Data Subjects: Customer staff and end users.
Categories of Personal Data: Contact details, billing data, payment identifiers, and usage logs.
Special Categories: None.
Duration: For the duration of the customer's use of the services.
Annex 2 — Security Measures
FlyCode's security program aligns with recognized industry practices (ISO 27001 and NIST SP 800-53). Key measures include written security policies, RBAC, encryption, vulnerability testing, SDLC controls, incident response, and data-center security via Google Cloud Platform (USA). FlyCode may update these measures as long as protection is not reduced.
Annex 3 — Authorised Sub-Processors
OpenAI (AI Models, USA)
Anthropic (AI Models, USA)
Google Cloud Platform (Cloud Infrastructure, USA)
Stripe (Payment Processing, USA)
PostHog (Product Analytics, USA)
Postmark (Email Delivery, USA)
Slack Technologies (Internal Collaboration, USA)
Notion (Knowledge Management, USA)
Retool (Automation & Monitoring, USA)
Cursor Data (Code Infrastructure, USA)
Contact
Questions about this DPA can be directed to privacy@flycode.com.
