Data Processing Agreement
Last updated: 6 July 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer organisation (“Controller”) and Innopulse Consulting GmbH (“FLIORE”, “Processor”) for use of the FLIORE service. It governs FLIORE's processing of personal data on the Controller's behalf under the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR). Where a signed DPA exists between the parties, that signed version prevails.
1. Roles
The Controller determines the purposes and means of processing the personal data it uploads to FLIORE (its mandates, beneficial owners, documents, transactions and related records). FLIORE processes that personal data solely as Processor, on the Controller's documented instructions, including as set out in this DPA and the service's configuration.
2. Scope & instructions
FLIORE processes personal data only to provide and support the service, and as further instructed by the Controller in writing. FLIORE will inform the Controller if, in its opinion, an instruction infringes applicable data-protection law. FLIORE will not process the data for its own purposes and will never sell it.
3. Categories of data & data subjects
Data subjects may include the Controller's clients, their beneficial owners, directors and related persons. Personal data may include identity data (name, date of birth, nationality), status data (PEP flags, risk classifications), documents and their contents, transaction data, and communications. Special-category data is processed only if the Controller chooses to store it within its documents.
4. Confidentiality
FLIORE ensures that persons authorised to process the personal data are bound by confidentiality and are trained appropriately. Access by FLIORE personnel is limited to what is necessary to operate and support the service, and is logged.
5. Security measures
FLIORE implements appropriate technical and organisational measures, including: mandatory two-factor authentication; row-level security enforcing hard tenant isolation at the database layer; encryption of documents at rest and in transit; short-lived signed URLs for document access; message-body encryption; access logging and a full audit trail; and least-privilege operational access. Measures are reviewed and improved over time.
6. Subprocessors
The Controller authorises FLIORE to engage the subprocessors listed on the Subprocessors page, each bound by data-protection obligations no less protective than this DPA. FLIORE will give reasonable notice of intended changes to its subprocessors so the Controller may object on reasonable data-protection grounds. FLIORE remains responsible for its subprocessors' performance.
7. International transfers
Personal data is hosted in Switzerland. Where a subprocessor processes data outside Switzerland or the EEA, FLIORE relies on a recognised transfer mechanism (adequacy decision, or EU Standard Contractual Clauses together with the Swiss addendum) and applies supplementary measures such as encryption in transit.
8. Assistance to the Controller
Taking into account the nature of processing, FLIORE assists the Controller with: responding to data-subject requests (access, correction, deletion, portability, objection); data-protection impact assessments; and consultations with supervisory authorities, to the extent the Controller cannot reasonably do so itself through the service's own features.
9. Personal-data breach notification
FLIORE notifies the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, and provides the information reasonably available to help the Controller meet its own notification obligations. FLIORE does not notify supervisory authorities or data subjects on the Controller's behalf unless instructed.
10. Return & deletion
On termination of the service, FLIORE deletes or returns the Controller's personal data in accordance with the agreement, subject to any retention the Controller instructs or that FLIORE is legally required to observe. Back-ups are overwritten on their normal cycle.
11. Audits
FLIORE makes available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allows for and contributes to audits, including through third-party reports and questionnaires where appropriate, so as not to disproportionately disrupt the service or compromise other customers' data.
12. Liability & precedence
Liability under this DPA is subject to the limitations in the main agreement. In case of conflict between this DPA and the main agreement regarding data protection, this DPA prevails. This DPA is governed by Swiss law, with jurisdiction in Zug.
This page presents FLIORE's standard data-processing terms for transparency and is not legal advice. A signed DPA, which may be requested at hello@fliore.com, governs the parties' binding obligations. Organisations should have their own counsel review it before relying on it.
