Data Processing Agreement (DPA)
Effective date: March 25, 2026 · Last updated: April 3, 2026
This Data Processing Agreement (“DPA”) applies to Emvara services provided by Fluenik, LLC (“Processor”) where a customer acts as a controller and Fluenik, LLC processes Customer Personal Data on the customer's behalf under applicable data protection laws (including GDPR and UK GDPR).
1. Scope and Order of Precedence
This DPA is incorporated into the Emvara Terms and governs the processing of Customer Personal Data by Fluenik, LLC while providing Emvara services. If there is a conflict between this DPA and the commercial terms, this DPA controls for data protection matters.
2. Roles
- Customer is the controller (or processor acting on behalf of its controller).
- Fluenik, LLC is the processor for Customer Personal Data submitted to Emvara through integrations, AI assistant conversations, and other customer-directed features.
- Fluenik, LLC acts as an independent controller for account administration, security and abuse-prevention logging, error diagnostics, product usage analytics, billing, compliance, and direct marketing, as described in the Emvara Privacy Policy.
- Customer determines the purposes and means of processing for customer content submitted to Emvara.
3. Subject Matter and Duration
- Subject matter: operation of the Emvara AI personal assistant platform, integrations, and related support.
- Duration: for the term of the customer agreement, plus limited retention and deletion windows described in the Emvara Privacy Policy and this DPA.
- Nature: collection, organization, storage, retrieval, consultation, transmission, and deletion of Customer Personal Data.
- Purpose: provide AI assistant services, integration connections, automation workflows, and related support operations.
4. Categories of Data and Data Subjects
Depending on customer configuration, Customer Personal Data may include:
- Account data (name, email, profile information).
- Authentication data (password-derived hashes and session tokens).
- Conversation and chat history data.
- AI memory data (contextual information extracted from conversations).
- Integration connection metadata and OAuth tokens (encrypted at rest).
- Data retrieved from connected third-party services (emails, calendar events, tasks, contacts, issues, and other records).
- Knowledge base articles and uploaded file attachments.
- Automation configuration and execution logs.
- Technical and usage data (IP address, browser metadata, timestamps, event logs).
Data subjects may include customer personnel and customer end users.
5. Processing Instructions
Customer instructs Processor to process Customer Personal Data only as necessary to:
- Provide the Emvara platform and AI assistant services, including processing conversation messages, maintaining AI memory, and executing automations as configured by Customer.
- Connect to and retrieve data from third-party services authorized by Customer via OAuth 2.0.
- Transmit conversation messages and context to AI model providers to generate responses.
- Store and manage Customer content in hosted databases, caches, and object storage.
- Provide technical support and respond to Customer requests.
- Perform security monitoring, error diagnostics, and abuse prevention necessary to operate the service.
Processor shall not process Customer Personal Data for any purpose other than as documented in this DPA, the Emvara Terms, and the Emvara Privacy Policy, or as subsequently instructed in writing by Customer. If Processor believes an instruction infringes applicable data protection law, it will promptly notify Customer.
6. Processor Obligations
- Process Customer Personal Data only on documented instructions from Customer, as described in Section 5.
- Not use Customer Personal Data to train our own generalized AI or machine learning models.
- Ensure personnel with access are bound by confidentiality obligations.
- Implement appropriate technical and organizational safeguards as described in Section 7.
- Assist Customer with data subject requests and regulatory obligations to the extent required by applicable law.
- Notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a confirmed personal data breach affecting Customer Personal Data, including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Delete or return Customer Personal Data at end of services as described in Section 8.
7. Technical and Organizational Security Measures
Processor implements and maintains the following safeguards to protect Customer Personal Data:
- Encryption in transit: all data transmitted between clients and servers, and between internal services, is encrypted using HTTPS/TLS.
- Encryption at rest: OAuth tokens, 2FA secrets, and other sensitive credentials are encrypted at rest. Database storage uses managed encryption provided by the hosting platform.
- Password security: user passwords are hashed using industry-standard algorithms; plaintext passwords are never stored or logged.
- Access controls: role-based access controls and least-privilege principles are applied to all infrastructure and application access.
- Infrastructure security: application hosting, managed PostgreSQL, and managed Redis run on DigitalOcean App Platform with automated backups. Cloudflare provides DDoS protection, bot management, and CDN services.
- Error monitoring: application errors are monitored through Sentry with access restricted to authorized personnel.
- Subprocessor security: all subprocessors are required to maintain appropriate security measures under their respective data processing agreements.
- Incident response: Processor maintains procedures to detect, investigate, and respond to security incidents.
8. Data Deletion and Return
Upon termination or expiration of the customer agreement:
- Customer may request export of their Customer Personal Data in a standard machine-readable format (such as JSON or CSV) for up to 30 days following account closure. Processor will provide reasonable assistance to fulfill such requests.
- After the 30-day export window (or earlier upon Customer's written request for deletion), Processor will delete Customer Personal Data from active systems within 30 days.
- Customer Personal Data in encrypted backups will be overwritten through normal backup rotation within 30 days of deletion from active systems.
- Processor may retain limited data where required by applicable law or regulation (such as security logs for active investigations or records required for legal compliance), and will inform Customer of any such retention.
9. Subprocessors
Customer authorizes the subprocessors listed at /subprocessors. Fluenik, LLC remains responsible for subprocessors to the extent required by applicable law.
Subprocessor changes: Processor will update the subprocessors page at least 15 days before authorizing a new subprocessor to process Customer Personal Data. Customers who subscribe to subprocessor change notifications (by emailing [email protected] with subject line “Subscribe: Subprocessor Changes”) will receive email notice of changes.
Objection process: If Customer has a reasonable objection to a new subprocessor, Customer may notify Processor in writing within 15 days of the change notice. Processor will make commercially reasonable efforts to address the objection, which may include offering an alternative configuration that avoids use of the objected-to subprocessor. If Processor cannot reasonably accommodate the objection, Customer may terminate the affected services by providing written notice, and Processor will assist with data export and deletion as described in Section 8.
10. International Data Transfers
Emvara infrastructure is primarily hosted in the United States. Customer Personal Data may be transferred to the U.S. or other countries where subprocessors operate.
Where required, transfer mechanisms include adequacy decisions, the EU-U.S. Data Privacy Framework (and UK/Swiss extensions where applicable), and/or Standard Contractual Clauses (including required UK/Swiss transfer addenda and supplementary measures).
11. Audit and Information Rights
Upon reasonable written request (no more than once per year unless required by a supervisory authority or a confirmed data breach), Fluenik, LLC will provide information reasonably necessary to demonstrate compliance with this DPA, taking into account confidentiality, security, and proportionality requirements. This may include responses to written questionnaires, summaries of security practices, and relevant certifications or audit reports where available. On-site audits may be arranged at Customer's expense with reasonable advance notice and subject to confidentiality obligations.
12. Liability
Liability under this DPA is subject to the liability framework and limitations in the applicable customer agreement, except where prohibited by law.
13. Contact
Privacy and DPA requests: [email protected]