Data Processing Agreement (DPA)
Effective date: March 19, 2026 · Last updated: April 3, 2026
This Data Processing Agreement (“DPA”) applies to Humagician services provided by Fluenik, LLC (“Processor”) where a customer acts as a controller and Fluenik, LLC processes Customer Personal Data on the customer's behalf under applicable data protection laws (including GDPR and UK GDPR).
1. Scope and Order of Precedence
This DPA is incorporated into the Humagician Terms and governs the processing of Customer Personal Data by Fluenik, LLC while providing Humagician services. If there is a conflict between this DPA and the commercial terms, this DPA controls for data protection matters.
2. Roles
- Customer is the controller (or processor acting on behalf of its controller).
- Fluenik, LLC is the processor for Customer Personal Data submitted by visitors through embedded chat widgets and forms on merchant websites, including chat transcripts, form submissions, visitor contact details, browsing context, shopping cart data, and automation task records.
- Fluenik, LLC acts as an independent controller for account administration, security and abuse-prevention logging, error diagnostics, product usage analytics, billing, compliance, and direct marketing, as described in the Humagician Privacy Policy.
- For data submitted by visitors through merchant websites (chat or form widgets), the merchant customer determines the purposes and means of processing.
3. Subject Matter and Duration
- Subject matter: operation of the Humagician operator platform, chat widgets, forms, Conversational AI, Automation Workflows, and related support.
- Duration: for the term of the customer agreement, plus limited retention and deletion windows described in the Humagician Privacy Policy and this DPA.
- Nature: collection, organization, storage, retrieval, consultation, transmission, and deletion of Customer Personal Data.
- Purpose: provide the Humagician services, including chat, forms, AI response generation, automation workflows, and related security, reliability, support, and compliance operations.
4. Categories of Data and Data Subjects
Depending on customer configuration, Customer Personal Data may include:
- Account data (name, email, workspace/profile data).
- Authentication data (password-derived hashes and session tokens).
- Chat conversation transcripts and AI-generated responses.
- Form submission content (visitor name, email, message, merchant-configured fields).
- Visitor profiles (name, email, Shopify customer identifiers).
- Visitor session data (browsing history on merchant site, shopping cart snapshots, IP address).
- Automation task records (workflow execution logs, API request/response payloads).
- AI usage records (token counts, cost tracking, model metadata).
- AI-generated suggestions, recommendations, and conversation state data.
- Knowledge base articles and help center content.
- Notification and alert delivery logs.
- Technical and usage data (IP address, browser metadata, timestamps, event logs).
Data subjects may include customer personnel, merchant end users, and site visitors.
5. Processing Instructions
Customer instructs Processor to process Customer Personal Data only as necessary to:
- Provide the Humagician platform, including operating chat widgets, processing form submissions, and delivering real-time messaging between visitors and operators.
- Transmit chat messages and conversation context to our AI provider (Microsoft Azure OpenAI Service) to generate Conversational AI responses when enabled by Customer.
- Execute Automation Workflows and related actions configured by Customer, including API calls to third-party services authorized by Customer.
- Store and manage Customer content in hosted databases, caches, and object storage.
- Provide technical support and respond to Customer requests.
- Perform security monitoring, error diagnostics, and abuse prevention necessary to operate the service.
Processor shall not process Customer Personal Data for any purpose other than as documented in this DPA, the Humagician Terms, and the Humagician Privacy Policy, or as subsequently instructed in writing by Customer. If Processor believes an instruction infringes applicable data protection law, it will promptly notify Customer.
6. Processor Obligations
- Process Customer Personal Data only on documented instructions from Customer, as described in Section 5.
- Not use Customer Personal Data to train our own generalized AI or machine learning models.
- Ensure personnel with access are bound by confidentiality obligations.
- Implement appropriate technical and organizational safeguards as described in Section 7.
- Assist Customer with data subject requests and regulatory obligations to the extent required by applicable law.
- Notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a confirmed personal data breach affecting Customer Personal Data, including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Delete or return Customer Personal Data at the end of services as described in Section 8.
7. Technical and Organizational Security Measures
Processor implements and maintains the following safeguards to protect Customer Personal Data:
- Encryption in transit: all data transmitted between clients and servers, between internal services, and through embedded widget connections is encrypted using HTTPS/TLS.
- Encryption at rest: OAuth tokens, API keys, and other sensitive credentials are encrypted at rest. Database storage uses managed encryption provided by the hosting platform.
- Password security: user passwords are hashed using industry-standard algorithms; plaintext passwords are never stored or logged.
- Access controls: role-based access controls and least-privilege principles are applied to all infrastructure and application access. Chat and form data is scoped to the specific merchant workspace.
- Infrastructure security: application hosting, managed PostgreSQL, and managed Redis run on DigitalOcean App Platform with automated backups. Cloudflare provides DDoS protection, bot management, and CDN services.
- Error monitoring: application errors are monitored through Sentry with access restricted to authorized personnel.
- Subprocessor security: all subprocessors are required to maintain appropriate security measures under their respective data processing agreements.
- Incident response: Processor maintains procedures to detect, investigate, and respond to security incidents.
8. Data Deletion and Return
Upon termination or expiration of the customer agreement:
- Customer may request export of their Customer Personal Data in a standard machine-readable format (such as JSON or CSV) for up to 30 days following account closure. Processor will provide reasonable assistance to fulfill such requests.
- After the 30-day export window (or earlier upon Customer's written request for deletion), Processor will delete Customer Personal Data from active systems within 30 days.
- Customer Personal Data in encrypted backups will be overwritten through normal backup rotation within 30 days of deletion from active systems.
- Processor may retain limited data where required by applicable law or regulation (such as security logs for active investigations or records required for legal compliance), and will inform Customer of any such retention.
9. Subprocessors
Customer authorizes the subprocessors listed at /subprocessors. Fluenik, LLC remains responsible for subprocessors to the extent required by applicable law.
Subprocessor changes: Processor will update the subprocessors page at least 15 days before authorizing a new subprocessor to process Customer Personal Data. Customers who subscribe to subprocessor change notifications (by emailing [email protected] with subject line “Subscribe: Subprocessor Changes”) will receive email notice of changes.
Objection process: If Customer has a reasonable objection to a new subprocessor, Customer may notify Processor in writing within 15 days of the change notice. Processor will make commercially reasonable efforts to address the objection, which may include offering an alternative configuration that avoids use of the objected-to subprocessor. If Processor cannot reasonably accommodate the objection, Customer may terminate the affected services by providing written notice, and Processor will assist with data export and deletion as described in Section 8.
10. International Data Transfers
Humagician infrastructure is primarily hosted in the United States. Customer Personal Data may be transferred to the U.S. or other countries where subprocessors operate.
Where required, transfer mechanisms include adequacy decisions, the EU-U.S. Data Privacy Framework (and UK/Swiss extensions where applicable), and/or Standard Contractual Clauses (including required UK/Swiss transfer addenda and supplementary measures).
11. Audit and Information Rights
Upon reasonable written request (no more than once per year unless required by a supervisory authority or a confirmed data breach), Fluenik, LLC will provide information reasonably necessary to demonstrate compliance with this DPA, taking into account confidentiality, security, and proportionality requirements. This may include responses to written questionnaires, summaries of security practices, and relevant certifications or audit reports where available. On-site audits may be arranged at Customer's expense with reasonable advance notice and subject to confidentiality obligations.
12. Liability
Liability under this DPA is subject to the liability framework and limitations in the applicable customer agreement, except where prohibited by law.
13. Contact
Privacy and DPA requests: [email protected]