Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Teamfluence OÜ ("Processor," "Teamfluence," "we," "us") and the customer using the Teamfluence Services ("Controller," "you," "Customer").

This DPA governs the processing of personal data by Teamfluence on behalf of the Customer when the Customer uses the Teamfluence browser extension and related tools ("Teamfluence Plugin").

Contact: hello@teamfluence.com

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).

• "Processing" means any operation performed on Personal Data (Art. 4 No. 2 GDPR).

• "Controller" means the Customer, who determines the purposes and means of Processing.

• "Processor" means Teamfluence, which processes Personal Data on behalf of the Controller.

• "Sub-processor" means any third party engaged by Teamfluence to process Personal Data on behalf of the Controller.

• "Data Subjects" means the individuals whose Personal Data is processed.

• "GDPR" means Regulation (EU) 2016/679.

2. Subject Matter and Duration

2.1 Subject Matter

Teamfluence processes Personal Data on behalf of the Customer to provide the Teamfluence Plugin services, including signal detection, activity monitoring, engagement tracking, and AI-powered insights for the Customer's professional networking and sales activities.

2.2 Duration

Processing begins when the Customer activates the Teamfluence Plugin and continues for the duration of the Customer's active subscription. Upon termination, Section 11 applies.

3. Nature and Purpose of Processing

3.1 The Teamfluence Plugin operates locally within the Customer's web browser. The Customer independently authenticates with third-party platforms using their own credentials. Data returned by those platforms is rendered in the Customer's browser and stored in the browser's local memory (cache/DOM).

3.2 Teamfluence reads and processes data exclusively from the Customer's local browser environment — that is, data already present on the Customer's device. Teamfluence does not independently connect to, authenticate with, or extract data from any third-party platform or server.

3.3 The data read from the Customer's browser is processed to:

• aggregate and analyze interaction and engagement signals (e.g., profile views, post engagement, connection activity);

• generate insights, notifications, and recommendations for the Customer;

• provide AI-powered analysis and suggestions where the Customer enables AI features;

• transmit processed results to the Customer's designated systems (e.g., CRM integrations).

3.4 Teamfluence processes data only on the documented instructions of the Controller (Section 5). The Customer's use of the Services and configuration of settings constitute documented instructions.

4. Types of Personal Data and Data Subjects

4.1 Types of Personal Data

• The Customer's own profile and account data (name, headline, position, activity metrics)

• Interaction data generated by the Customer's activity (profile views, post engagement, follower activity, connection requests)

• Publicly displayed information of third parties as rendered in the Customer's browser (name, headline, employer, profile picture)

4.2 Categories of Data Subjects

• The Customer (account holder)

• Third parties whose publicly visible data is rendered in the Customer's browser by the platforms the Customer uses

4.3 Data NOT Processed

Teamfluence does not:

• independently connect to or authenticate with any third-party platform or API;

• scrape, crawl, or systematically extract data from any external server;

• access data that is not already present in the Customer's local browser environment;

• access private messages, restricted fields, or data not rendered in the Customer's browser session;

• create independent databases of third-party profiles for resale or purposes unrelated to the Customer's contracted Services.

5. Instructions of the Controller

5.1 Teamfluence processes Personal Data only on documented instructions from the Controller, unless required by EU or Member State law to which Teamfluence is subject. In such cases, Teamfluence will inform the Controller of that legal requirement before processing, unless the law prohibits this.

5.2 The Customer's instructions are defined by:

• these Terms of Service and this DPA;

• the Customer's configuration of the Teamfluence Plugin settings;

• any additional written instructions agreed between the parties.

5.3 If Teamfluence considers that an instruction infringes the GDPR or other data protection provisions, it will immediately inform the Controller.

6. Confidentiality

6.1 Teamfluence ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.2 This confidentiality obligation survives the termination of this DPA.

7. Technical and Organizational Measures (Art. 32 GDPR)

Teamfluence implements the following measures to ensure a level of security appropriate to the risk:

Encryption

• All data in transit is encrypted using TLS 1.2 or higher.

• Sensitive data at rest is encrypted using industry-standard encryption (AES-256 or equivalent).

Access Controls

• Strict role-based access controls limit employee access to Personal Data on a need-to-know basis.

• Multi-factor authentication is enforced for administrative access to systems processing Personal Data.

Infrastructure Security

• Primary data storage in the European Union.

• Regular security audits and vulnerability scanning.

• 24/7 monitoring for suspicious activity and security incidents.

Authentication

• Secure password hashing for all user accounts.

• OAuth 2.0 for third-party authentication (no storage of third-party passwords).

Data Minimization

• The Teamfluence Plugin reads only data already present in the Customer's local browser environment.

• No background data collection when the Customer is not actively using the Services.

Teamfluence regularly reviews and updates these measures to reflect current best practices and evolving threats.

8. Sub-processors

8.1 General Authorization

The Controller grants Teamfluence general written authorization to engage Sub-processors for the provision of the Services, subject to the conditions in this Section 8.

8.2 Current Sub-processors

Sub-processorPurposeLocationGoogle Cloud (GCP)Hosting and data storageEU / USOpenAIAI-powered insights and analysisUS (SCCs in place)AnthropicAI-powered insights and analysisUS (SCCs in place)Mistral AIAI-powered insights and analysisEU

An up-to-date list of Sub-processors is available upon request at hello@teamfluence.com.

8.3 Changes to Sub-processors

Teamfluence will notify the Controller at least 14 days in advance of any intended addition or replacement of Sub-processors, giving the Controller the opportunity to object. Notification will be provided via email to the address associated with the Customer's account.

If the Controller objects on reasonable data protection grounds, the parties will discuss the concerns in good faith. If no resolution is reached, the Controller may terminate the affected Services without penalty.

8.4 Sub-processor Obligations

Teamfluence imposes on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. Teamfluence remains fully liable to the Controller for the performance of each Sub-processor's obligations.

9. Data Subject Rights (Arts. 15–22 GDPR)

9.1 Teamfluence assists the Controller, by appropriate technical and organizational measures and insofar as possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under the GDPR, including:

• Right of access (Art. 15)

• Right to rectification (Art. 16)

• Right to erasure (Art. 17)

• Right to restriction of processing (Art. 18)

• Right to data portability (Art. 20)

• Right to object (Art. 21)

9.2 If Teamfluence receives a request directly from a Data Subject, Teamfluence will promptly redirect the request to the Controller, unless otherwise instructed.

10. Breach Notification (Arts. 33–34 GDPR)

10.1 Teamfluence will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting data processed on behalf of the Controller.

10.2 The notification will include, to the extent available:

• a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;

• the name and contact details of Teamfluence's point of contact;

• a description of the likely consequences of the breach;

• a description of the measures taken or proposed to address the breach and mitigate its effects.

10.3 Teamfluence will cooperate with and assist the Controller in fulfilling its obligations under Arts. 33 and 34 GDPR.

11. Deletion and Return of Data

11.1 Upon termination of the Services or upon the Controller's written request, Teamfluence will, at the Controller's choice:

• return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or

• delete all Personal Data and confirm deletion in writing.

11.2 Deletion will be completed within 30 days of termination or request. Personal Data in backup systems will be deleted within 90 days as part of the regular backup rotation cycle.

11.3 Teamfluence may retain Personal Data to the extent required by applicable law (e.g., tax or accounting obligations). Such data will be isolated, protected, and not processed for any other purpose.

12. Audit Rights

12.1 Teamfluence will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this DPA.

12.2 The Controller (or a mandated independent auditor) may conduct audits, including inspections, to verify Teamfluence's compliance with this DPA. Audits will be conducted:

• with at least 30 days' prior written notice;

• during normal business hours;

• in a manner that minimizes disruption to Teamfluence's operations;

• at the Controller's expense (unless the audit reveals material non-compliance).

12.3 Teamfluence may satisfy audit requests by providing relevant certifications, audit reports, or summaries from independent third-party audits, where available.

13. International Data Transfers

13.1 Where Personal Data is transferred outside the European Economic Area, Teamfluence ensures appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with each relevant Sub-processor;

• supplementary measures where required by the assessment of the destination country's legal framework.

13.2 Teamfluence will inform the Controller upon request of the specific transfer mechanisms in place for each Sub-processor.

14. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party excludes or limits liability for breaches of its obligations under this DPA to the extent prohibited by applicable law.

15. Term and Termination

15.1 This DPA takes effect upon the Customer's first use of the Teamfluence Plugin and remains in effect for as long as Teamfluence processes Personal Data on behalf of the Controller.

15.2 The obligations under Sections 6, 7, 11, and 12 survive termination of this DPA.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Estonia, without regard to its conflict of laws provisions. The courts of Tallinn, Estonia, have exclusive jurisdiction, unless mandatory provisions of the Controller's local law provide otherwise.

17. Contact

Teamfluence OÜ Tornimäe tn 5 Harju maakond, Kesklinna linnaosa 10145 Tallinn, Estonia

Email: hello@teamfluence.com Registry Code: 17381325 VAT: EE102936218