# GDPR

Flopsar is an **on-premise** software product. It is installed, configured, and operated by the customer within the customer's own infrastructure. No telemetry, configuration data, user data, or any other operational data leaves the customer's environment as part of normal product operation.

This basic fact about the product determines the entire shape of its relationship to Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and is the reason why much of what customers might expect from a SaaS or cloud vendor — sub-processor lists, international transfer mechanisms, data processing agreements — does not apply here.

This page sets out that relationship in detail.

## Summary

* **Flopsar Technology Sp. z o.o. does not process any personal data in connection with the operation of a customer's Flopsar deployment.** The product is on-premise; no data is transmitted to Flopsar Technology Sp. z o.o.
* **Flopsar Technology Sp. z o.o. is therefore neither a controller nor a processor** within the meaning of Article 4(7) and Article 4(8) GDPR in respect of data processed by a customer's deployment.
* **No data processing agreement** under Article 28 GDPR is required between the customer and Flopsar Technology Sp. z o.o. in respect of the on-premise product.
* **No international transfer** of personal data occurs as a result of using Flopsar; the question of Chapter V GDPR (transfer mechanisms, Standard Contractual Clauses, adequacy decisions) does not arise.
* **The customer is the sole controller** of any personal data that happens to be processed by their Flopsar deployment — for example, the customer's own administrator accounts, or any incidental personal data captured from the customer's own instrumented applications.

The remainder of this page elaborates on each of these points and explains the limited contexts in which Flopsar Technology Sp. z o.o. does act as controller, namely direct interactions with the company such as support requests or vulnerability reports.

## Roles under GDPR for the on-premise product

Article 4 GDPR distinguishes between:

* the **controller**, who determines the purposes and means of the processing of personal data; and
* the **processor**, who processes personal data on behalf of the controller.

For an on-premise Flopsar deployment:

* The **customer** decides whether to install Flopsar, what to instrument, who has access, what to retain, and for how long. The customer determines the purposes and means of all processing carried out by the deployment, and therefore is the **controller** for any personal data that the deployment processes.
* **Flopsar Technology Sp. z o.o.** does not have access to the customer's deployment, does not instruct the deployment to process data, does not receive data from the deployment, and does not exercise any control over the processing carried out within the deployment. Flopsar Technology Sp. z o.o. is consequently **neither a controller nor a processor** in respect of that processing.

This is not an interpretation peculiar to Flopsar; it follows directly from Article 4(8) GDPR, which defines a processor as an entity that "processes personal data **on behalf of** the controller". Where the software vendor does not process the data on the customer's behalf at all, because the software is operated solely by the customer on the customer's own systems, there is no processor relationship to begin with.

The European Data Protection Board takes the same position in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR (point 22): an entity that merely supplies on-premise software does not, by virtue of supplying it, become a processor of the data that the deployed instance processes.

## Consequence: no Article 28 DPA is required

Article 28 GDPR requires that processing by a processor be governed by a written contract between the controller and the processor. Because there is no processor relationship between the customer and Flopsar Technology Sp. z o.o. in respect of the on-premise product, **no such contract is required**.

Customers and customer counsel sometimes ask Flopsar Technology Sp. z o.o. to sign a data processing agreement for the product anyway, "as a matter of standard procurement practice". We respectfully decline such requests in respect of the on-premise product, and refer the requester to this page, because:

* signing a DPA where no processor relationship exists would misrepresent the legal relationship between the parties; and
* it would oblige Flopsar Technology Sp. z o.o. to comply with the controller's instructions in respect of data we never see and have no technical means to access.

Where Flopsar Technology Sp. z o.o. processes personal data in a distinct, ancillary context — for example, as part of a paid professional services engagement where our staff handle a customer's data directly — a DPA is signed for that specific engagement. Such engagements are out of scope of this page.

## What personal data may be processed within a customer's deployment

Although Flopsar Technology Sp. z o.o. has no access to it, customers should be aware of what personal data their own Flopsar deployment may process, so that they can fulfil their obligations as controller. The following categories may be present in a typical deployment:

* **Administrator and operator user accounts.** Usernames, optional display names, password hashes (computed with scrypt), and, where LDAP or single sign-on is configured, attributes provided by the customer's identity provider.
* **Audit log entries.** Identifiers of the administrators who carried out configuration changes, timestamps, and source IP addresses.
* **Application telemetry collected by the agent.** By default, the agent records method names, timings, and stack frames; it does not record method argument values or end-user-identifying data. Customers may opt in to deeper instrumentation that captures method parameters or exception payloads, in which case the captured data may incidentally contain personal data of the customer's end users. Customers can — and where the legal basis requires, must — use the product's filtering and masking features to prevent or reduce such capture (see the product documentation on the agent's filtering and masking options).

None of the above data is transmitted to, stored by, or otherwise processed by Flopsar Technology Sp. z o.o. It all resides exclusively within the customer's deployment.

## Article 32 GDPR — security of processing

Article 32 GDPR requires the controller and the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Although Flopsar Technology Sp. z o.o. is not a processor, the product provides technical measures that the customer-controller can rely upon as part of its Article 32 programme, including encryption in transit, encryption at rest where configured, access control, audit logging, and integrity protection of distributed artefacts.

The full description of these measures is in the Security section.

## Direct interactions with Flopsar Technology Sp. z o.o.

There are limited contexts in which Flopsar Technology Sp. z o.o. does process personal data, all of which are distinct from the operation of the product:

* **The corporate website and this documentation site.** Visit logs, cookie data, and any details voluntarily submitted through web forms. Flopsar Technology Sp. z o.o. is **controller** for this processing. See the corporate [privacy policy](https://flopsar.com/privacy) for details.
* **Customer support and professional services.** Contact details, ticket content, and any data shared by the customer in the course of obtaining support. Flopsar Technology Sp. z o.o. is **controller** for the contact and ticket metadata. Where the customer shares data from their deployment with us in the course of an investigation, we process that data on the customer's instructions under a separately agreed arrangement (see the note on professional services engagements above).
* **Vulnerability reports.** Identifying details of the reporter (name, email, optional affiliation) and any personal data inadvertently contained in the report. Flopsar Technology Sp. z o.o. is **controller** for this processing; see Section 11 of the Vulnerability Disclosure Policy.
* **Marketing and sales.** Business contact details voluntarily provided. Flopsar Technology Sp. z o.o. is **controller**. This processing takes place within the European Union; no international transfer of personal data within the meaning of Chapter V GDPR occurs.

## Data subject rights against Flopsar Technology Sp. z o.o.

Where Flopsar Technology Sp. z o.o. processes personal data as controller in one of the contexts described under "Direct interactions with Flopsar Technology Sp. z o.o." above, data subjects may exercise the rights granted by Chapter III GDPR by contacting:

* **Email:** `contact@flopsar.com`
* **Postal address:** Flopsar Technology Sp. z o.o., `<TODO street, postal code, city>`, Poland

Where the request concerns data processed by the customer's Flopsar deployment, the data subject should contact the **customer** instead, because Flopsar Technology Sp. z o.o. has no access to that data and no technical means of responding to such a request on the customer's behalf.

## Data breach notification

Article 33 GDPR requires the **controller** to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and Article 34 requires the controller to notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms. Article 33(2) requires the **processor** to notify the controller without undue delay.

For an on-premise Flopsar deployment, the Article 33 and Article 34 obligations fall on the customer-controller. Flopsar Technology Sp. z o.o., not being a processor in this context, has no Article 33(2) obligation in respect of data processed by the customer's deployment.

Where a personal data breach is caused or facilitated by a **vulnerability in Flopsar itself**, Flopsar Technology Sp. z o.o. will notify customers of the vulnerability promptly through the Security Advisories channel and will cooperate with the customer's investigation under the Vulnerability Disclosure Policy.

## Supervisory authority

The competent supervisory authority for Flopsar Technology Sp. z o.o. is:

> **Prezes Urzędu Ochrony Danych Osobowych**
>
> ul. Stawki 2, 00-193 Warszawa, Poland
>
> <https://uodo.gov.pl>

This is relevant only for processing carried out by Flopsar Technology Sp. z o.o. as controller (see "Direct interactions with Flopsar Technology Sp. z o.o." above). Processing carried out by a customer's deployment falls under the supervisory authority of the Member State in which the customer is established.
