CNEX-Flow Data Processing Agreement
Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between IDL Creations Limited, trading as CNEX ("CNEX," "we," "us," or "our") and the customer organization ("Customer," "you") that has subscribed to the CNEX-Flow platform ("Platform") under our Terms of Service.
This DPA applies whenever CNEX processes personal data on behalf of Customer as a data processor in the course of providing the Platform. It is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, the New Zealand Privacy Act 2020, and equivalent data protection laws.
By using CNEX-Flow, you accept this DPA in its entirety. No additional signature is required — your continued use of the Platform constitutes acceptance. If you require a counter-signed copy for your records, contact admin@cnexflow.com.
1. Definitions
The terms Personal Data, Data Subject, Processing, Controller, Processor, Sub-processor, and Personal Data Breach have the meanings given to them in the GDPR.
For the purposes of this DPA:
- Customer Data means any Personal Data that you submit, store, or process through the Platform.
- Applicable Data Protection Laws means the GDPR, the UK GDPR, the New Zealand Privacy Act 2020, and any other data protection laws applicable to the processing of Customer Data.
- Sub-processor means any third party engaged by CNEX to process Customer Data on its behalf.
For the avoidance of doubt:
- Customer is the data controller of Customer Data
- CNEX is the data processor of Customer Data
- CNEX may also be a controller of separate data it collects directly about Customer (e.g., billing contact, account login data) — that processing is addressed in our Privacy Policy
2. Subject Matter & Duration of Processing
2.1 Subject Matter
CNEX processes Customer Data to provide the Platform to Customer in accordance with the Terms of Service and Customer's instructions.
2.2 Duration
Processing continues for the duration of Customer's subscription, plus any post-termination period required for the 30-day export grace window and any legally-required retention period (see Section 9).
2.3 Nature and Purpose
The nature of processing includes: storage, organization, structuring, retrieval, transmission, deletion, and other operations necessary to deliver the Platform's features (CRM, project management, AI-assisted automation, communications, and related functions).
3. Categories of Data Subjects & Personal Data
3.1 Categories of Data Subjects
Customer Data may relate to:
- Customer's employees, contractors, and authorized users
- Customer's clients, leads, contacts, and prospects
- Other third parties whose personal data Customer chooses to process through the Platform
3.2 Categories of Personal Data
Customer Data may include:
- Identification data (name, email address, phone number)
- Professional information (role, organization, work-related details)
- Communications content (emails, chat messages, voice transcripts)
- Financial data (invoice, payment, banking — where Customer uses these features)
- Employment data (salary, leave records, employment contracts — where Customer uses HR features)
- Any other personal data Customer chooses to enter into the Platform
CNEX does not determine what specific personal data Customer chooses to process. Customer remains responsible for ensuring it has a lawful basis under Applicable Data Protection Laws for the personal data it processes.
3.3 Special Category Data
Customer agrees not to process special category personal data (as defined under GDPR Article 9) through the Platform unless the Platform feature is specifically designed for that purpose (e.g., the HR module). Customer is responsible for the additional safeguards required by Applicable Data Protection Laws when processing special category data.
4. Obligations of CNEX as Data Processor
CNEX agrees to:
- Process Customer Data only on documented instructions from Customer. Use of the Platform as designed constitutes such instructions. Additional written instructions outside the Platform's standard functionality must be agreed to by both parties.
- Ensure persons authorized to process Customer Data are bound by confidentiality obligations. CNEX personnel are bound by employment confidentiality terms; Sub-processors are bound by their own contracts as described in Section 5.
- Implement appropriate technical and organizational security measures as described in Section 7.
- Engage Sub-processors only with Customer's authorization as described in Section 5.
- Assist Customer, taking into account the nature of the processing, in fulfilling Customer's obligations to respond to Data Subject rights requests, conduct Data Protection Impact Assessments (DPIAs), and notify Personal Data Breaches.
- Notify Customer of Personal Data Breaches without undue delay after becoming aware (see Section 8).
- Return or delete Customer Data at the end of the agreement (see Section 9).
- Make available to Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws, and to allow for audits as described in Section 10.
5. Sub-processors
5.1 Current Sub-processors
Customer hereby authorizes CNEX to engage the Sub-processors listed in our Privacy Policy §4.2 to process Customer Data. The current list includes Amazon Web Services (AWS), Stripe, Twilio, LiveKit, Deepgram, Anthropic, OpenAI, xAI, and any email or calendar providers you connect (such as Google, Microsoft, Yahoo, or your own IMAP/SMTP server).
5.2 General Authorization for Future Sub-processors
Customer provides general authorization for CNEX to engage additional Sub-processors, subject to the notification and objection process in Sections 5.3 and 5.4.
5.3 Notification of New Sub-processors
CNEX will provide at least 30 days' prior written notice (via email to the Customer's billing contact, or via in-Platform notification) of any new Sub-processor that processes Customer Data.
5.4 Right to Object
Customer may object to a new Sub-processor on reasonable grounds within the 30-day notice period by writing to admin@cnexflow.com. CNEX will work in good faith to address the objection. If the objection cannot be resolved, Customer may terminate the affected services and receive a pro-rata refund for any pre-paid period.
5.5 Sub-processor Obligations
CNEX ensures each Sub-processor is bound by a written contract that imposes data protection obligations no less protective than this DPA. CNEX remains liable to Customer for the acts and omissions of its Sub-processors.
6. International Transfers
6.1 Primary Data Location
Customer Data is stored on AWS infrastructure. Backups are stored in geographically separate AWS regions for disaster recovery.
6.2 Transfer Mechanisms
Where Customer Data is transferred outside the EU/EEA, UK, or other jurisdictions with adequacy decisions, CNEX relies on:
- EU Standard Contractual Clauses (SCCs) — Module 2 (controller to processor) or Module 3 (processor to processor) as applicable
- UK International Data Transfer Addendum (UK IDTA) for transfers from the UK
- Adequacy decisions where applicable (e.g., New Zealand has an EU adequacy decision)
The SCCs and UK IDTA are incorporated into this DPA by reference. Where Customer requires a signed copy, contact admin@cnexflow.com.
6.3 AI Provider Transfers
AI prompts may be processed by providers (Anthropic, OpenAI, xAI) located in the United States. These providers are bound by data processing agreements that include SCCs and that prohibit the use of Customer Data for model training. See Privacy Policy §3 for details.
7. Security Measures
CNEX implements technical and organizational security measures appropriate to the risk, including:
- Encryption at rest using AES-256-GCM for sensitive data; database-level encryption via AWS-managed keys
- Encryption in transit using TLS 1.2 or higher for all data transmission
- Access controls — role-based access within each Customer Organization; internal CNEX access restricted to authorized personnel on a need-to-know basis with audit logging
- Multi-factor authentication available for all user accounts
- Backup & disaster recovery — automated backups, geographically distributed, point-in-time recovery with periodic restoration testing
- Organization-level isolation — each Customer Organization operates in a logically isolated environment with dedicated containerized workspaces
- Vulnerability management — regular security scanning, dependency monitoring, and timely patching
- Incident response plan with defined escalation procedures and notification timelines
Detailed security practices are described in our Privacy Policy §5. CNEX may update its security measures from time to time provided that the overall level of protection is not diminished.
8. Personal Data Breach Notification
8.1 CNEX Notification
CNEX will notify Customer without undue delay (and in any event within 48 hours) of becoming aware of any Personal Data Breach affecting Customer Data. The notification will include, to the extent known at the time:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its possible adverse effects
- The contact point for further information
CNEX will provide updates as additional information becomes available.
8.2 Customer Responsibilities
Customer is responsible for notifying its own Data Subjects and the relevant supervisory authorities as required by Applicable Data Protection Laws. CNEX will provide reasonable assistance to Customer in fulfilling these obligations.
9. Return or Deletion of Data
9.1 Termination Export Period
Within 30 days of the termination or expiry of Customer's subscription, Customer may export Customer Data through the Platform's export features or by written request to admin@cnexflow.com.
9.2 Deletion from Primary Systems
After the 30-day export period, CNEX will delete Customer Data from primary systems within a further 30 days, except for:
- Data CNEX is legally required to retain (see Privacy Policy §6.3 for retention requirements under tax, employment, and other applicable laws)
- Aggregated, anonymized data that cannot identify any individual or Organization
9.3 Deletion from Backups
Customer Data in backups will be purged within 90 days of deletion from primary systems, in accordance with CNEX's standard backup rotation.
9.4 Certification of Deletion
Upon Customer's written request, CNEX will provide certification of deletion within a reasonable time.
10. Audits & Records of Processing
10.1 Records
CNEX maintains records of its processing activities as required by GDPR Article 30(2) and equivalent provisions of Applicable Data Protection Laws.
10.2 Audit Rights
Customer may audit CNEX's compliance with this DPA no more than once per 12-month period (more frequently if a Personal Data Breach has occurred or if required by a competent supervisory authority). Audits are subject to:
- At least 30 days' prior written notice
- Reasonable scheduling that minimizes business disruption
- A confidentiality undertaking signed by Customer and any third-party auditor engaged by Customer
- Customer paying CNEX's reasonable costs of supporting the audit
10.3 Audit Reports in Lieu
To minimize disruption, CNEX may provide its most recent SOC 2 or equivalent third-party security audit report (when available) in lieu of an on-site audit, where such report reasonably addresses the matters Customer wishes to audit.
11. Liability
The liability provisions in the Terms of Service apply to this DPA. To the extent permitted by Applicable Data Protection Laws, CNEX's aggregate liability for breaches of this DPA is limited as set out in the Terms of Service.
Nothing in this DPA limits any liability that cannot be excluded under Applicable Data Protection Laws.
12. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service or any other agreement between Customer and CNEX, this DPA prevails with respect to matters governing the processing of Customer Data.
13. Changes to This DPA
CNEX may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, processing activities, or business practices. Material changes will be notified to Customer at least 30 days before the changes take effect, via:
- Email to the Customer's billing contact
- A prominent notice within the Platform
Customer's continued use of the Platform after the effective date of any update constitutes acceptance of the updated DPA. If Customer does not agree to a material change, Customer may terminate the affected services as set out in the Terms of Service.
14. Contact
For DPA-related enquiries, breach reports, or to exercise rights under this agreement:
IDL Creations Limited (trading as CNEX)
- Email: admin@cnexflow.com
- Website: https://cnexflow.com
This DPA is offered as a standard self-executing agreement. By using CNEX-Flow, Customer accepts these terms. For a counter-signed copy or for negotiated enterprise terms, contact admin@cnexflow.com.