Data Protection Addendum
FluxBilling acts as a processor for personal data that flows through the Hosted Edition on behalf of the operator. This addendum forms part of the Terms of Service and applies whenever a Hosted Edition operator processes personal data of EU/EEA data subjects. Self-Hosted Edition operators host their own data — see clause 01 for how this addendum applies to them.
This addendum reflects FluxBilling’s processor obligations under article 28 GDPR. It supplements, and does not replace, the Terms of Service and the Privacy Policy. In the event of a conflict, this addendum prevails for matters within its scope.
01. Roles of the Parties
For personal data processed by the FluxBilling platform on behalf of an instance operator (“Customer”), the parties acknowledge that the Customer is the data controller and FluxBilling is the data processor within the meaning of Regulation (EU) 2016/679 (“GDPR”).
End customers of the Customer’s hosting business — whose names, billing addresses, payment tokens, and service configurations flow through the platform — are the data subjects whose data the Customer entrusts to FluxBilling for processing.
For data FluxBilling collects directly from the Customer (account registration, support communications, telemetry from the Customer’s own use of the dashboard), FluxBilling acts as the controller. The Privacy Policy governs that processing.
Self-Hosted Edition. Where the Customer runs the Self-Hosted Edition, end-customer personal data is stored and processed exclusively on infrastructure operated by the Customer. FluxBilling does not host, access, or process that data and is not a processor for it; the processor obligations in this addendum apply only to the Hosted Edition. The only data a self-hosted instance transmits to FluxBilling is the licensing telemetry described in the Privacy Policy (instance identifiers, aggregate usage counts, and hashed infrastructure identifiers), which contains no end-customer personal data and which FluxBilling processes as a controller for license administration.
02. Subject Matter, Duration & Nature
The subject matter of processing is the operation of the Hosted Edition of the FluxBilling platform — a multi-tenant SaaS billing platform operated on FluxBilling-controlled infrastructure. Processing continues for the duration of the subscription agreement and any subsequent retention windows required by law.
The nature of processing includes hosting, storage, transmission, indexing, backup, encryption, and orderly deletion of personal data. FluxBilling does not analyze the content of Customer data for its own purposes.
03. Categories of Data & Data Subjects
The following categories of personal data may be processed:
- Identification data — name, email, company, billing address
- Financial data — payment tokens, invoice history, transaction amounts (no full PAN)
- Service configuration — usernames, IP addresses assigned, hostnames
- Communications — support tickets, internal notes
- Technical data — login timestamps, IP addresses, user-agent strings, audit log entries
Categories of data subjects include the Customer’s own staff and the Customer’s end customers (the natural persons purchasing hosting services from the Customer).
04. Technical & Organizational Measures
FluxBilling implements measures appropriate to the risk, including:
- TLS 1.3 in transit; AES-256-GCM encryption at rest for sensitive fields
- Per-tenant encryption keys for payment credentials and API secrets
- Per-tenant isolated PostgreSQL databases (no row-level multitenancy)
- Tenant-scoped Kubernetes namespaces, ingress, and persistent volumes
- Role-based access control with least-privilege for FluxBilling staff
- Email-code 2FA available for operator accounts; the operator can require it per role
- Audit logging of administrative and security-relevant events
- Scheduled tenant database dumps with documented restoration procedures
- Internal security reviews on a regular cadence; independent penetration testing planned
A more detailed description is published on the Security page. Material changes are versioned and dated.
05. Subprocessors
The Customer authorizes FluxBilling to engage subprocessors for the limited purposes described above. The current list is maintained in the right-rail summary and on this page; FluxBilling will provide reasonable advance notice of new subprocessors and an opportunity to object on legitimate data-protection grounds.
Each subprocessor is bound by a written contract imposing data-protection obligations no less protective than those in this addendum. FluxBilling remains liable for the acts and omissions of its subprocessors as for its own.
06. International Data Transfers
Personal data is primarily processed within the European Economic Area. Where transfers outside the EEA are necessary (e.g., a Customer-selected payment processor), FluxBilling relies on Standard Contractual Clauses adopted by the European Commission, supplementary measures where applicable, and recipients located in jurisdictions covered by an adequacy decision.
07. Data-Subject Requests
When a data subject contacts the Customer to exercise rights under articles 15–22 GDPR, the Customer responds as the controller. FluxBilling will, taking the nature of processing into account, provide reasonable assistance through technical and organizational measures — including data export, search, correction, and deletion tooling within the platform.
When a data subject contacts FluxBilling directly regarding data processed on a Customer’s behalf, FluxBilling will refer the subject to the Customer without undue delay and without acting on the request itself, except where required by law.
08. Personal Data Breach
FluxBilling will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data, and in any event within 72 hours where feasible. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed to address it.
The Customer remains responsible for any onward notification to the supervisory authority and to affected data subjects under articles 33–34 GDPR.
09. Return & Deletion of Data
On termination or expiry of the subscription, the Customer may, within 30 days, export Customer data in a structured, commonly used, machine-readable format. After this window, FluxBilling will delete or anonymize Customer data, subject to retention obligations imposed by applicable law (e.g., financial records). Backups are purged on the rolling schedule shown in the right-rail summary.
10. Audits
The Customer may, no more than once per twelve-month period and at reasonable notice, request information necessary to demonstrate compliance with this addendum. FluxBilling will respond by providing copies of relevant policies, security documentation, and summaries of independent assessments where available.
Need a signed DPA?
Acceptance of the Terms of Service constitutes acceptance of this addendum. If your compliance program also requires a counter-signed copy or supplementary SCCs, open a ticket with subject “DPA request” and we’ll route it to legal.