What’s new in v2026-05: Initial publication of the Flinker Data Processing Agreement pursuant to Art. 28 GDPR.
Table of Contents
- Subject Matter and Term
- Nature and Purpose of Processing
- Categories of Personal Data and Data Subjects
- Obligations of the Processor
- Obligations of the Controller
- Instructions
- Confidentiality
- Technical and Organisational Measures (TOMs)
- Sub-processors
- Assistance with Data Subject Rights
- Personal Data Breach Notification
- Audit Rights and Evidence of Compliance
- Deletion and Return of Data upon Termination
- Transfers to Third Countries
- Final Provisions
Between: Flinker GmbH, Zittelstraße 7, 80796 Munich, Germany, Amtsgericht München HRB 254870 (hereinafter “Processor”)
and: the customer identified in the Main Contract (hereinafter “Controller”)
This DPA is incorporated into and forms part of the Main Contract between the Parties and becomes effective upon execution of the Main Contract.
§ 1 Subject Matter and Term
1.1 This DPA governs the processing of personal data by the Processor on behalf of the Controller pursuant to Art. 28 GDPR.
1.2 The subject matter is the operation of Flinker’s Microsoft 365-native SaaS applications (IFC Viewer for SharePoint, Teams, Excel, Power BI; SharePoint CDE; Copilot for IFC; SharePoint Protect) used by the Controller under the Main Contract.
1.3 This DPA runs for the duration of the Main Contract and terminates automatically upon its termination, subject to continuing obligations under § 13.
§ 2 Nature and Purpose of Processing
2.1 Nature: Collection, storage, use, and deletion of personal data to the extent strictly necessary for the provision of the contracted services.
2.2 Purpose:
- Authentication and authorisation of users against the Controller’s Microsoft 365 tenant
- Operation and provision of Flinker applications
- Support and consulting services upon request of the Controller
- Anonymised usage analytics for product improvement
2.3 Architecture note: Flinker applications run as SPFx web parts entirely within the Controller’s Microsoft 365 tenant. IFC files, BIM models, and project data never leave the Controller’s tenant at any time. Viewer source code is delivered as static assets via Azure CDN; no content data is transferred in this process.
Exception — Copilot for IFC: IFC files are processed exclusively in the user’s browser. Only chat text (user inputs and AI responses) is transmitted to Microsoft Azure AI (Azure OpenAI Service). No IFC file content leaves the browser.
§ 3 Categories of Personal Data and Data Subjects
Microsoft 365 Tenant ID: Required for authentication and licence verification. Does not directly identify a natural person but enables attribution to the Controller’s tenant.
User email address (optional): Collected only in connection with support requests or where explicitly provided during login. Not collected by default.
Anonymised usage metrics: Aggregated, non-personal data on usage intensity. No inference to natural persons possible.
Chat inputs — Copilot for IFC only: Text-based user inputs processed via Microsoft Azure AI. No IFC file content.
Data subjects: IT administrators and tenant administrators of the Controller; end users (employees) to the extent they use Flinker applications and engage optional features involving personal data.
§ 4 Obligations of the Processor
4.1 Processing only on documented Controller instructions (§ 6), unless required by applicable law. In such cases the Processor informs the Controller prior to processing, unless prohibited by law.
4.2 All persons authorised to process personal data are subject to appropriate confidentiality obligations by contract or by operation of law.
4.3 The Processor implements the technical and organisational measures described in § 8.
4.4 The Processor assists the Controller in fulfilling data subject rights requests and obligations under Art. 32–36 GDPR.
4.5 Data protection contact: privacy@flinker.app
§ 5 Obligations of the Controller
5.1 The Controller is solely responsible for the lawfulness of processing within its sphere of responsibility.
5.2 The Controller issues instructions in writing or documented electronic format.
5.3 The Controller warrants entitlement to transfer personal data to the Processor.
5.4 The Controller notifies the Processor without undue delay upon identifying errors or irregularities in the Processor’s activities.
§ 6 Instructions
6.1 The Processor processes personal data only on documented instructions. The Main Contract and any Statements of Work constitute the initial instructions.
6.2 Instructions by email to: privacy@flinker.app
6.3 If the Processor considers an instruction unlawful, it notifies the Controller without undue delay and may suspend execution.
§ 7 Confidentiality
The Processor binds all employees and service providers with access to the Controller’s personal data to appropriate confidentiality obligations. These obligations survive termination of the relevant employment or service relationship.
§ 8 Technical and Organisational Measures (TOMs)
Full TOM documentation: flinker.app/tom
Pseudonymisation and encryption
- Pseudonymisation where technically feasible and proportionate
- Encryption of all systems storing or processing personal data
- HTTPS / TLS 1.2 or higher for all data transmission
Confidentiality and integrity
- Exclusive use of Microsoft Azure EU infrastructure (Germany, Ireland)
- Production access restricted to authorised Germany-based staff
- Azure AD token-based authentication; no proprietary auth provider
- SPFx web parts execute JavaScript in the user’s browser only
- Azure Authentication Log for access control and monitoring
Availability and resilience
- Regular data backups provided by Microsoft Azure
- Monitoring via Azure Log Analytics
- Option for complete self-hosting within the customer’s Azure tenant
Review and evaluation
- Internal control system for regular TOM review and updating
- Code reviews and integration testing incorporating security requirements
- Agile change management with automated tests before deployment
§ 9 Sub-processors
9.1 The Controller grants general authorisation for the sub-processors listed below. Changes notified at least 30 days in advance. The Controller may object on substantiated data protection grounds within that period.
9.2 Approved sub-processors:
| Provider | Purpose | Location | Products |
|---|---|---|---|
| Microsoft Corporation | Cloud infrastructure (Azure), CDN, authentication (Azure AD), AI processing (Azure OpenAI Service) | EU — Germany, Ireland | All products; Azure OpenAI Service only for Copilot for IFC |
9.3 The Processor enters into Art. 28(4) GDPR contracts with each sub-processor imposing equivalent data protection obligations. Microsoft DPA available at microsoft.com/licensing.
§ 10 Assistance with Data Subject Rights
The Processor assists the Controller in responding to data subject requests under Art. 15–22 GDPR (access, rectification, erasure, restriction, portability, objection). Erasure requests are fulfilled at no additional charge.
§ 11 Personal Data Breach Notification
11.1 Notification within 36 hours of becoming aware, by email to the Controller’s designated contact.
11.2 Notification includes: nature of the breach; categories and estimated number of data subjects affected; likely consequences; remedial measures taken or planned.
11.3 As the Processor relies entirely on Microsoft Azure infrastructure, a security incident can only arise through Microsoft Azure. The Processor notifies the Controller immediately upon becoming aware.
§ 12 Audit Rights and Evidence of Compliance
12.1 The Processor makes available all information necessary to demonstrate Art. 28 GDPR compliance.
12.2 Audits with at least 14 days’ written notice, during business hours, limited to data protection-relevant processing aspects. Costs borne by the Controller.
12.3 Microsoft infrastructure audits are referred directly to Microsoft.
§ 13 Deletion and Return of Data upon Termination
13.1 Upon termination, the Processor deletes all Controller personal data without undue delay, unless a statutory retention obligation applies.
13.2 IFC files and project data remain exclusively within the Controller’s tenant; their deletion is the Controller’s responsibility. The Processor deletes only Processor-side data: Tenant ID, optional email address, usage metrics.
13.3 The Processor provides written deletion confirmation upon request.
§ 14 Transfers to Third Countries
14.1 Processing on EU servers (Germany and Ireland).
14.2 Microsoft third-country transfers are covered by the EU–U.S. Data Privacy Framework (Commission adequacy decision, 10 July 2023) and Standard Contractual Clauses (SCC) pursuant to Implementing Decision 2021/914/EU.
14.3 No other third-country transfers by the Processor.
§ 15 Final Provisions
15.1 This DPA forms part of the Main Contract. In the event of conflict, this DPA prevails on data protection matters.
15.2 Amendments require written form or documented electronic agreement.
15.3 Governed by the laws of the Federal Republic of Germany. Exclusive jurisdiction: Munich.
15.4 Severability: invalidity of any provision does not affect remaining provisions.
15.5 Effective upon execution of the Main Contract. Enterprise customers may download the PDF version for countersignature.