Terms and conditions for Flows Systems ApS

These terms and conditions apply to Flows Systems ApS services that are delivered on the Flows.systems platform and the Make.com platform as a managed service. Our terms and conditions are designed to benefit both parties security and clarity about rights when dealing with online services. We will would like to add that we always try to be flexible and find a good one form of cooperation with our customers, without disputes arising.

  1. Company information

    Flow Systems ApS
    VAT no 44369842
    Slotsmarken 18. 1st floor
    2970 Horsholm
    Email: support@flows.systems

    Hereafter called Flows.

  2. General terms and conditions

    2.1 Flows provides integration and automation solutions based on our own iPaaS solution (Flows Forge iPaaS) as well as on third-party solutions such as Make.com, OpenAI and other suitable solutions. Flows negotiates and uses a number of these solutions as part of an overall solution or as an add-on on behalf of the customer. Flows does not offer financial solutions or other similar services, including Uniconta or other financial systems.

    2.2 In connection with these services, Flows has both legal and general ethical rules which must be observed. The following sales and delivery conditions apply to the extent that they are not deviated from by other written agreement between the parties. Flows is not bound by any purchase terms and conditions stated in the customer's order, unless they are in accordance with these conditions.

  3. Ordering and payment

    3.1 Flows' subscription, as well as setup, is billable after the order has been completed, unless otherwise agreed.

    3.2 Subscription is paid via subscription handled in Fenerum / Stripe.

    3.3 Flows accepts payment with these payment cards: Visa/Dankort, Visa, MasterCard, Visa Electron.

    3.4 As long as the subscription exists without cancellation, the chosen subscription will be drawn from the registered card. Payment is made in advance. You can cancel your subscription by contacting us at telephone or e-mail, until the end of a subscription period, with 1 month's notice.

    3.5 After registration, and at each draw, a receipt will be delivered per e-mail to the customer's specified e-mail.

    3.6 If your payment card expires, an e-mail will be sent with a link to renew card information.

    3.7 By signing up for automatic withdrawal, you give permission to store all necessary payment card information for use in automatic debiting of your payment card. This information is deleted when the agreement ends. All card information is handled securely through Stripe, which complies with technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.

  4. Registration of customer data (personal data policy)

    4.1 When you enter into an agreement with flows.systems, we register the following information: Company name, Name, Address, Telephone number, E-mail address, CVR. no.

    4.2 Flows registers your personal data with the aim of being able to deliver the service to you. You always have the right to contact or object to the registration, cf. the Personal Data Act. Inquiries in this connection should be addressed to: Flows – billing@flows.systems

    4.3 When personal data is collected, we ensure that it always takes place with your consent, so that you are informed about exactly what information is collected and why.

  5. Provision and updating of services

    5.1 Flows will do its utmost to ensure that the services provided are available and function satisfactorily. However, it is a prerequisite for the use of the services that the customer has the necessary technical prerequisites to be able to use the services.

    5.2 Flows reserves the right to make necessary updates and changes to the Services, including changes in functionality and design.

    5.3 Flows is not responsible for any disruptions in the customer's internet connection or other technical conditions that may affect the use of the services.

  6. Support

    6.1 Flows Systems ApS offers support in accordance with the selected support agreement and schedule. Support includes answering questions regarding the Services as well as resolving any technical issues. The customer can contact Flows' support via e-mail. Support for customized solutions will always be paid for.

    Definition of customized Solutions:

    A solution is considered to be a “customized solution” if changes or additions have been made in any of the following areas:

    • Business logic: Any change in the basic logic that controls your company's processes in our system.
    • Mapping: Customization of data fields to match specific needs in your systems.
    • Integrations: Any customization or development of integrations between our system and third party systems.
    • Custom Features: Features developed specifically to meet your unique business requirements.

  7. Limitation of Liability

    7.1 Flows Systems ApS is not responsible for any losses arising from the customer's use of the services or inability to use the services.

    7.2 Flows Systems ApS assumes no responsibility for the customer's loss of data, including loss of data in connection with updates or changes to the services.

  8. Disputes and choice of law

    8.1 Any disputes that may arise in connection with the services must be resolved amicably between the parties.

    8.2 Any disagreement between the parties that cannot be resolved amicably will be settled by the ordinary Danish courts in accordance with Danish law.

  9. Termination and complaint

    9.1 You can cancel your subscription by contacting us at telephone or e-mail, until the end of a subscription period with 1 month's notice.

    9.2 Any complaints or complaints regarding our services must be submitted within a reasonable time after you discover the defect. Complaints are submitted to support@flows.systems and must contain sufficient information to identify the customer, the service and the reason for the complaint.

  10. Completion of solutions

    10.1 When Flows Systems ApS has completed notification of the solution, the customer is responsible for testing the solution and must notify any errors or deficiencies in the solution within 10 days of Flows' notification of completion. If the customer does not report errors or deficiencies within the deadline, the solution is considered approved.

  11. Right of use for customer logo and reference

    11.1 The customer hereby grants Flows Systems ApS the right to use the customer's logo and refer to the customer as a reference in marketing material, including on our website, without prior permission being required. The customer can revoke this permission at any time by written notification to Flows Systems ApS.

  12. Mutual NDA

    12.1 The parties undertake to keep all confidential information that they may become aware of in connection with the collaboration secret and not to disclose it to third parties without prior written consent from the other party.

    12.2 This mutual obligation of confidentiality also applies after the end of the collaboration.

  13. Data processor agreement

    13.1 Standard Contractual Provisions

    Standard contract provisions according to Article 28, paragraph 3, in regulation 2016/679 (the data protection regulation) for the purpose of the data processor's processing of personal data between the "Customer", hereinafter "data controller" and Flows Systems ApS, CVR no. 44369842 hereafter "the data processor".

    13.2 Preamble

    1. These Regulations set out the data processor's rights and obligations when it processes personal data on behalf of the data controller.
    2. These provisions have been designed with a view to the parties' compliance with Article 28, subsection 3, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (the Data Protection Regulation ).
    3. In connection with the provision of the service in accordance with the EULA, the data processor processes personal data on behalf of the data controller in accordance with these Regulations.
    4. The provisions take precedence over any corresponding provisions in other agreements between the parties.
    5. There are four annexes to these Regulations, and the annexes form an integral part of the Regulations.
    6. Annex A contains detailed information on the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
    7. Annex B contains the data controller's conditions for the data processor's use of sub-processors and a list of sub-processors whose use the data controller has approved.
    8. Annex C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-processors are supervised.
    9. The provisions with associated annexes must be kept in writing, including electronically, by both parties.
    10. These Provisions do not release the data processor from obligations imposed on the data processor under the data protection regulation or any other legislation.

    13.3 Rights and obligations of the data controller

    1. The data controller is responsible for ensuring that the processing of personal data takes place in accordance with the data protection regulation (see the regulation's article 24), data protection regulations in other EU law or the national law of the member states and these Regulations.
    2. The data controller has the right and duty to make decisions about for which purpose(s) and with which means personal data may be processed.
    3. The data controller is responsible for, among other things, ensuring that there is a processing basis for the processing of personal data that the data processor is instructed to carry out.

    13.4 The data processor acts according to instructions

    1. The data processor may only process personal data in accordance with documented instructions from the data controller, unless required by EU law or the national law of the Member States to which the data processor is subject. These instructions must be specified in Annexes A and C. Subsequent instructions can also be given by the data controller while personal data is being processed, but the instructions must always be documented and stored in writing, including electronically, together with these Regulations.
    2. The data processor shall immediately notify the data controller if, in his opinion, an instruction is in breach of this Regulation or data protection provisions of other EU or national law.

    13.5 Confidentiality

    1. The data processor may only give access to personal data processed on behalf of the data controller to persons who are subject to the data processor's instruction powers, who have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access must be continuously reviewed. Based on this review, access to personal data can be closed if access is no longer necessary, and the personal data must then no longer be available to these individuals.
    2. Upon request from the data controller, the data processor must be able to demonstrate that the persons in question, who are subject to the data processor's instruction powers, are subject to the above-mentioned confidentiality obligation.

    13.6 Processing security

    1. Article 32 of the Data Protection Regulation states that the data controller and the data processor, taking into account the current technical level, the implementation costs and the nature, scope, context and purpose of the processing in question, as well as the risks of varying probability and seriousness to the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of protection appropriate to these risks. The data controller must assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address these risks.
    2. According to the regulation's article 32, the data processor must – independently of the data controller – also assess the risks to the rights of natural persons that the processing poses and implement measures to counter these risks. For the purpose of this assessment, the data controller must make the necessary information available to the data processor which enables him to identify and assess such risks.
    3. In addition, the data processor must assist the data controller with his compliance with the data controller's obligation according to Article 32 of the regulation, by e.g. to make the necessary information available to the data controller regarding the technical and organizational security measures that the data processor has already implemented in accordance with Article 32 of the Regulation and all other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.
    4. If addressing the identified risks – in the data controller's assessment – ​​requires the implementation of additional measures than the measures that the data processor has already implemented, the data controller must indicate the additional measures to be implemented in Annex C.

    13.7 Use of sub-processors

    1. The data processor must fulfill the conditions referred to in the data protection regulation, article 28, subsection 2, and subsection 4, to make use of another data processor (a sub-processor).
    2. Thus, the data processor may not make use of a sub-data processor to fulfill these Regulations without prior general written approval from the data controller.
    3. The data processor has the data controller's general approval for the use of sub-processors. The data processor must notify the data controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 10 days' notice and thereby give the data controller the opportunity to object to such changes before the use of the sub-processor(s) in question. Longer notice for notification in connection with specific processing activities can be specified in Appendix B. The list of sub-processors that the data controller has already approved appears in Appendix B.
    4. When the data processor makes use of a sub-processor in connection with the performance of specific processing activities on behalf of the data controller, the data processor must, through a contract or other legal document under EU law or the national law of the Member States, impose on the sub-processor the same data protection obligations as those which appears from these Provisions, whereby the necessary guarantees are in particular provided that the sub-data processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Provisions and the data protection regulation. The data processor is therefore responsible for requiring the sub-processor to at least comply with the data processor's obligations under these Regulations and the data protection regulation.
    5. Sub-data processor agreement(s) and any subsequent amendments thereto are sent – ​​at the data controller's request – in copy to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations as a result of these Regulations are imposed on the sub-data processor. Provisions on commercial terms that do not affect the data protection legal content of the sub-data processor agreement must not be sent to the data controller.
    6. The data processor must include the data controller in its agreement with the sub-data processor as a beneficiary third party in the event of the data processor's bankruptcy, so that the data controller can enter into the data processor's rights and assert them against sub-data processors, such as e.g. enables the data controller to instruct the sub-processor to delete or return the personal data.
    7. If the sub-processor fails to fulfill its data protection obligations, the data processor remains fully responsible to the data controller for the fulfillment of the sub-processor's obligations. This does not affect the data subjects' rights that follow from the data protection regulation, including in particular the regulation's articles 79 and 82, vis-à-vis the data controller and the data processor, including the sub-processor.

    13.8 Transfer to third countries or international organizations

    1. Any transfer of personal data to third countries or international organizations may only be carried out by the data processor on the basis of documented instructions to this effect from the data controller and must always be done in accordance with Chapter V of the Data Protection Regulation.
    2. If the transfer of personal data to third countries or international organizations, which the data processor has not been instructed to carry out by the data controller, is required under EU law or the national law of the Member States to which the data processor is subject, the data processor must notify the data controller of this legal requirement before processing, unless the law in question prohibits such notification for reasons of important societal interests.
    3. Without documented instructions from the data controller, the data processor cannot, within the framework of these Regulations:
      • Transfer personal data to a data controller or data processor in a third country or an international organization
      • Entrust the processing of personal data to a sub-processor in a third country
      • Process the personal data in a third country
    4. The data controller's instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the Data Protection Regulation, on which the transfer is based, must be stated in Annex C.6.
    5. These Provisions are not to be confused with standard contract provisions as referred to in Article 46, paragraph 2 of the Data Protection Regulation. XNUMX, letters c and d, and these provisions cannot constitute a basis for the transfer of personal data as referred to in chapter V of the data protection regulation.

    13.9 Assistance to the data controller

    1. The data processor, taking into account the nature of the processing, assists the data controller as far as possible by means of appropriate technical and organizational measures in fulfilling the data controller's obligation to respond to requests for the exercise of the data subject's rights as set out in Chapter III of the Data Protection Regulation. This implies that the data processor must, as far as possible, assist the data controller in connection with the data controller ensuring compliance with:
      • The duty to provide information when collecting personal data from the data subject
      • The duty to provide information, if personal data is not collected from the data subject
      • The right of access
      • The right to rectification
      • The right to erasure (“the right to be forgotten”)
      • The right to restriction of processing
      • The notification obligation in connection with the correction or deletion of personal data or restriction of processing
      • The right to data portability
      • The right to object
      • The right not to be the subject of a decision based solely on automatic processing, including profiling
    2. In addition to the data processor's obligation to assist the data controller in accordance with Provision 6.3., the data processor also, taking into account the nature of the processing and the information available to the data processor, assists the data controller with:
      • The data controller's obligation to report a breach of personal data security to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is unlikely that the breach of personal data security entails a risk to the rights of natural persons or liberties
      • The data controller's obligation to notify the data subject without undue delay of a breach of personal data security when the breach is likely to result in a high risk to the rights and freedoms of natural persons
      • The data controller's obligation to carry out an analysis of the consequences of the intended processing activities for the protection of personal data prior to processing (an impact analysis)
      • The data controller's obligation to consult the competent supervisory authority before processing, if a data protection impact analysis shows that the processing will lead to high risk in the absence of measures taken by the data controller to limit the risk.
    3. The parties must specify in Annex C the necessary technical and organizational measures with which the data processor must assist the data controller and to what extent and extent. This applies to the obligations arising from Clause 9.1. and 9.2.

    13.10 Notification of breach of personal data security

    1. The data processor notifies the data controller without undue delay after becoming aware that a breach of personal data security has occurred.
    2. The data processor's notification to the data controller must, if possible, take place no later than 48 hours after the latter has become aware of the breach, so that the data controller can comply with its obligation to report the breach of personal data security to the competent supervisory authority, cf. Article 33 of the Data Protection Regulation.
    3. In accordance with Provision 9.2.a, the data processor must assist the data controller in reporting the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which according to Article 33, paragraph 3, must appear from the data controller's notification of the breach to the competent supervisory authority:
      • The nature of the breach of personal data security, including, if possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected records of personal data
      • The likely consequences of the breach of personal data security
      • The measures that the data controller has taken or proposes to take to deal with the breach of personal data security, including, if relevant, measures to limit its possible harmful effects.
    4. The parties must specify in Annex C the information that the data processor must provide in connection with its assistance to the data controller in his obligation to report breaches of personal data security to the competent supervisory authority.

    13.11 Deletion and return of information

    1. Upon termination of the services relating to the processing of personal data, the data processor is obliged to return all the personal data and delete existing copies, unless EU law or the national law of the Member States prescribes the storage of the personal data.

    13.12 Revision, including inspection

    1. The Data Processor makes all information necessary to demonstrate compliance with Article 28 of the Data Protection Regulation and these Regulations available to the Data Controller and enables and contributes to audits, including inspections, carried out by the Data Controller or another authorized auditor by the data controller.
    2. The procedures for the data controller's audits, including inspections, with the data processor and sub-data processors are detailed in Appendix C.7. and C.8.
    3. The data processor is obliged to give supervisory authorities, who according to current legislation have access to the data controller's or data processor's facilities, or representatives who act on behalf of the supervisory authority, access to the data processor's physical facilities against proper identification.

    13.13 The parties' agreement on other matters

    1. The parties can agree other provisions regarding the service regarding the processing of personal data about e.g. liability, as long as these other provisions do not directly or indirectly conflict with the Regulations or impair the data subject's fundamental rights and freedoms, which follow from the data protection regulation.

    13.14 Entry into force and termination

    1. The provisions enter into force on the date of both parties' signature hereof.
    2. Both parties can require the Terms to be renegotiated if changes in the law or inadequacies in the Terms give rise to this.
    3. The provisions are valid as long as the service relating to the processing of personal data lasts. During this period, the Provisions cannot be terminated, unless other provisions governing the provision of the service regarding the processing of personal data are agreed between the parties.
    4. If provision of the services relating to the processing of personal data ceases and the personal data is deleted or returned to the data controller in accordance with Clause 11.1 and Appendix C.4, the Clauses may be terminated by written notice to both parties.

  14. Entry into force and changes to terms

    14.1 These terms come into force from the date on which the customer accepts them.

    14.2 Flows Systems ApS reserves the right to change these terms without prior notice. The customer will be informed of changes via e-mail or on our website. Continued use of our services after the changes take effect constitutes the customer's acceptance of the changed terms.

  15. Disputes and choice of law

    15.1 Any dispute arising as a result of this agreement must first be attempted to be resolved through negotiations between the parties. If negotiations do not lead to a solution, the dispute must be settled by legal means in accordance with applicable Danish law.

  16. Various provisions

    16.1 Any changes or additions to this agreement must be in writing and signed by both parties to be valid.

    16.2 If a provision in these terms of trade is deemed invalid or unenforceable by a competent authority, this does not affect the validity or enforceability of the other provisions in the terms of trade.

  17. Language and interpretation

    17.1 These trading conditions have been drawn up in Danish. In the event of discrepancies between the Danish version and any translations, the Danish version takes precedence.

  18. Contact info

    18.1 If you have any questions regarding these terms and conditions or flows.systems' services, please contact us using the following contact information:

    Flow Systems ApS
    VAT DK44369842
    Falkoner Allé 1, 3.
    2000 Frederiksberg
    Email: support@flows.systems

Appendix A: Information about the treatment

The purpose of the data processor's processing of personal data on behalf of the data controller: The purpose of processing personal data is to support the customer's integration and automation activities, including, for example, integration between different systems and automation of work processes.

The data processor's processing of personal data on behalf of the data controller primarily concerns (the nature of the processing): The processing of personal data primarily concerns access to the system (login), processing of data related to the customer's operation and the customer's other input into the system according to the purpose (integration and automation activities).

The processing includes the following types of personal data about the registered: General personal data processed: Login: Name, e-mail, telephone number and code; Data information: Name, address, phone numbers, and other necessary information for integration and automation.

The processing includes the following categories of data subjects: The data controller's employees, suppliers, advisers and customers.

The data processor's processing of personal data on behalf of the data controller can begin after these Regulations come into force. The treatment has the following duration: Processing takes place as long as the Terms are valid between the parties. The data processor may delete the personal data upon termination of the service and must delete the personal data no later than 12 months after termination, unless the data processor is required to retain the personal data for a longer period in accordance with legal requirements.

Appendix B: Sub-processors

Approved sub-processors: Upon entry into force of the Regulations, the data controller has approved the use of the following sub-processors:

Upon entry into force of the Regulations, the data controller has approved the use of the above-mentioned sub-processors for the described processing activity. The data processor may not – without the data controller's written approval – use a sub-processor for a processing activity other than the one described and agreed upon or use another sub-processor for this processing activity.

Notification for approval of sub-processors: An updated list of sub-processors will be available at any time here: https://www.flows.systems/underdatabehandlere

Appendix C: Instructions regarding the processing of personal data

Subject of the treatment/instructions: The data processor's processing of personal data on behalf of the data controller takes place by the data processor carrying out the following:

The data processor is instructed to process personal data in connection with the delivery of the system as described above in the End User License, the Terms and the parties' other written agreements. In this connection, the data processor is instructed to process the personal data uploaded to the system at the customer's initiative in order to support the customer's integration and automation activities.

Processing security: The security level must reflect: The processing only includes information covered by Article 6 of the Data Protection Regulation on general categories of personal data, which is why a 'Medium' security level must be reflected in the data processing. The data processor is then entitled and obliged to make decisions about which technical and organizational security measures must be implemented in order to establish the necessary (and agreed) security level. However, the data processor must – in all circumstances and as a minimum – implement the following measures, which have been agreed with the data controller: We refer to the latest version of our statement on our website: https://www.flows.systems/sikkerhed

Assistance to the data controller: The data processor must as far as possible – within the scope and extent below – assist the data controller in accordance with Provisions 9.1 and 9.2 by implementing the following technical and organizational measures:

  • 9.1 (the rights of data subjects): If the data processor technically has the personal data to which the request relates, and the data controller exceptionally does not, the data processor must assist the data controller with the practical part associated with answering the request. Finally, the data processor must provide input for information notices according to Articles 13 and 14, if requested.
  • 9.2 (notification, notification, impact analysis and consultation): At the request of the data controller, the data processor must, at the discretion of the data controller, assist the data controller with the practical part associated with reporting, notification, impact analysis and consultation. The assistance can, for example, consist of providing information or assisting with assessments and participating in meetings. All parts of these activities that can be carried out by the data controller himself cannot be required to be carried out by the data processor. If the assistance is associated with costs for the data processor, the data controller covers these.

Retention period/deletion routine: Upon termination of the service relating to the processing of personal data, the data processor must either delete or return the personal data in accordance with provision 11.1, unless the data controller – after signing these Provisions – has changed the data controller's original choice. Such changes must be documented and stored in writing, including electronically, in connection with the Regulations.

Location of treatment: The processing takes place with the sub-processors listed in these Regulations.

Instructions regarding the transfer of personal data to third countries: The data processor can transfer personal data to secure third countries and to insecure third countries if there is a valid basis for the transfer. The data processor is hereby authorized to, on behalf of the data exporter, enter into an agreement on a suitable transfer basis with a data importer, including by applying the EU's standard contract provisions on transfer (SCC) applicable at any time. The data processor is also authorized to determine any necessary supplementary measures after assessing the level of data protection in the unsafe third country. In addition, it is assumed that the technical and organizational measures described in Annex C are considered to be sufficient to meet any requirement for the determination of supplementary measures.

Procedures for the data controller's audits, including inspections, with the processing of personal data entrusted to the data processor:

  • MAIN RULE: The data processor must once a year at its own expense obtain a declaration/inspection report from an independent third party regarding the data processor's compliance with the data protection regulation, data protection regulations in other EU law or the national law of the member states and these Regulations. In addition, the data controller may require a declaration/inspection report after a breach, if the data controller deems it necessary.
  • SENDING: The declaration/inspection report is made visible/sent without undue delay to the data controller for information.
  • NEW DECLARATION/INSPECTION REPORT: The data controller may dispute the framework and/or method of the declaration/inspection report and may in such cases request a new declaration/inspection report under a different framework and/or using a different method.
  • ADDITIONAL MEASURES: Based on the results of the declaration/inspection report, the data controller is entitled to request the implementation of additional measures in order to ensure compliance with the Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States and these Regulations.
  • COSTS: Possibly costs associated with the additional measures are covered by the data controller by further agreement.
  • PHYSICAL INSPECTIONS: The data controller or a representative of the data controller also has access to carry out inspections, including physical inspections, of the locations from which the data processor processes personal data, including physical locations and systems used for or in connection with the processing. Such inspections may be carried out when the data controller deems it necessary. The assessment must be based on facts and not on feeling. Physical inspection in any case requires prior agreement with the data processor, and with a prior notice of 3 weeks, so that the data processor is prepared to be able to devote the necessary resources to it. The data controller's possible expenses in connection with a physical inspection are borne by the data controller himself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out his inspection.
  • ALTERNATIVE FORM OF SUPERVISION: If the parties agree, an alternative form of supervision can be agreed, which must, however, comply with the data protection regulation and data protection regulations in other EU law or the national law of the member states.

Procedures for audits, including inspections, with the processing of personal data entrusted to sub-processors:

  • MAIN RULE: The data controller's duty to supervise the sub-processors takes place through the data processor's supervision of the sub-processors.
  • PROCEDURE: The data processor supervises the sub-processors in the way that the data processor deems appropriate based on the risk assessment of the processing carried out by the sub-data processor.
  • THE RESULTS OF SUPERVISION WITH THE SUB-DATA PROCESSORS: The results of the data processor's supervision of the sub-data processors must appear in the information that must be sent to the data controller as described under point C.7, just as the data controller handles the information as under point C.7.
  • PHYSICAL INSPECTION: If the data controller wishes to physically inspect the sub-processors, the data processor only provides the sub-processor's contact information, after which the physical inspection is outside the responsibility of the data processor.

Receive our newsletter

Contact

Terms and Conditions

Subscription terms and conditions

Support

Flows Systems Make.com Gold Partner badge, demonstrating the company's expertise in workflow automation and Make.com integrations

© 2024. All rights reserved.