LEGAL
Data Processing Agreement
Last updated: 13 July 2026
This Data Processing Agreement ("DPA") forms part of the contract between Just Izzy Ltd and our customers, establishing the terms under which Just Izzy processes personal data as a processor on behalf of the customer as controller, in compliance with GDPR.
PARTIES
Controller
The customer entity that enters into a subscription agreement with Just Izzy for use of the platform.
Processor
Just Izzy Ltd, 71-75 Shelton Street, Covent Garden,
London, United Kingdom, WC2H 9JQ; Company Number: 17155931
1. Definitions
In this Data Processing Agreement:
- "Applicable Data Protection Laws" means all binding laws and regulations applicable to the processing of Personal Data under this Agreement, including the UK GDPR (as amended by the Data Use and Access Act 2025), the Data Protection Act 2018, the EU GDPR (Regulation (EU) 2016/679), and the ePrivacy Directive 2002/58/EC, each as amended or replaced from time to time.
- "Controller", "Processor", "Personal Data", "Processing", and "Data Subject" shall have the meanings ascribed to them under Applicable Data Protection Laws.
- "Processor" means Just Izzy Ltd (trading as Flagmint).
- "Sub-processor" means any third-party data processor engaged by Just Izzy Ltd to process Personal Data on behalf of the Controller.
2. Scope and Purpose
This DPA governs the processing of Personal Data by Just Izzy Ltd as a Processor on behalf of the Customer (the Controller) in connection with the Flagmint feature flag management platform and related software services. Just Izzy Ltd shall process Personal Data solely to provide, maintain, and secure the contracted services, acting strictly in accordance with the documented contractual instructions from the Controller.
3. Nature of Processing
Just Izzy Ltd processes Personal Data transmitted via the platform infrastructure, including:
- End-User Identifiers: Technical user IDs, account hashes, and device identifiers.
- Targeting Attributes: Contextual attributes passed for real-time feature flag evaluation (e.g., geographic country, subscription plan name, operational cohorts).
- System Telemetry: Real-time flag evaluation logs and core configuration states.
- Operations Performed: Secure in-memory evaluation, transmission, short-term automated logging, structured retrieval, and automated hard-deletion as defined by the customer's subscription plan.
4. Controller's Instructions
Just Izzy Ltd shall process Personal Data only on documented instructions from the Controller. The Customer’s ongoing configuration and operational use of the Flagmint platform, APIs, and SDK parameters constitute such instructions. If Just Izzy Ltd determines that an instruction from the Controller infringes Applicable Data Protection Laws, it shall promptly notify the Controller.
5. Flagmint's Obligations
Just Izzy Ltd (trading as Flagmint) undertakes to:
- Ensure that all personnel authorized to process the Personal Data have committed themselves to appropriate statutory or contractual confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Section 7 and Annex II.
- Provide reasonable assistance to the Controller, taking into account the nature of the processing, in responding to Data Subjects exercising their statutory rights.
- Assist the Controller in ensuring compliance with its obligations regarding data security, breach notifications, and Data Protection Impact Assessments (DPIAs) where technically feasible.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of Applicable Data Protection Laws.
6. Sub-processors
The Controller grants a general written authorization for Just Izzy Ltd to engage Sub-processors to deliver core platform services.
- Current Infrastructure List: Our approved list of Sub-processors is permanently detailed in Section 9 of our Privacy Policy.
- Notification of Changes: Just Izzy Ltd shall notify the Controller via email or an in-platform update at least fourteen (14) days before engaging a new Sub-processor or replacing an existing one, giving the Controller a reasonable opportunity to object.
- Emergency Exception: If an immediate vendor replacement is required to maintain platform security, prevent service downtime, or fix an active infrastructure outage (e.g., an emergency email router or primary infrastructure failover), Just Izzy Ltd may appoint the Sub-processor immediately and notify the Controller within three (3) business days post-deployment.
- Contractual Flow-Down: All Sub-processors are bound by written data protection agreements that impose equivalent statutory obligations to those set out in this DPA.
7. Security Measures
Just Izzy Ltd shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. These measures include:
- Application-Layer Encryption (ALE): Automated client-side asymmetric encryption of sensitive user context payloads via the SDK prior to network transmission, restricting decryption capabilities solely to isolated server memory environments.
- Infrastructure Hosting: Pinned EEA data residency via our infrastructure provider, utilizing AES-256 disk-level encryption at rest and mandatory TLS/HTTPS encryption in transit.
- Access Control: Strict role-based access controls (RBAC) enforced with least-privilege principles, backed by mandatory multi-factor authentication (MFA) for administrative platform systems.
8. Data Subject Rights Assistance
Because our SDK is designed to perform instantaneous feature flag evaluation, Just Izzy Ltd operates primarily as a data pipeline pipeline rather than a permanent behavioral repository.
- Platform Self-Service: We provide administrative console tools within the platform dashboard allowing Controllers to search, export, or manually clear historical audit log entries associated with specific end-user identifiers.
- Technical Escalation: Where a Data Subject submits a rights request directly to the Controller that cannot be fulfilled via the standard dashboard tools, Just Izzy Ltd will provide reasonable technical assistance to locate or purge the target records from active system memory, subject to our standard professional service rates.
9. International Data Transfers
Just Izzy Ltd (trading as Flagmint) stores and processes core platform infrastructure and primary database configurations within data centers physically located inside the European Economic Area (EEA) (Amsterdam, Netherlands).
Where processing operations or corporate sub-processors (such as operational metadata routers) require the transmission of Personal Data outside the EEA or the United Kingdom, Just Izzy Ltd guarantees that such transfers shall comply with Chapter V of Applicable Data Protection Laws. To enforce these protections, the parties contractually execute and incorporate by reference:
- The European Commission's Standard Contractual Clauses (SCCs): pursuant to Decision 2021/914/EU for transfers originating within the EEA.
- The UK International Data Transfer Addendum (UK Addendum): issued under Section 119A of the Data Protection Act 2018 for transfers originating within the United Kingdom.
10. Data Breach Notification
Upon determining or becoming aware of an active personal data breach impacting data processed under this DPA, Just Izzy Ltd shall notify the Controller via their registered administrative email address without undue delay, and in any event within forty-eight (48) hours.
To allow the Controller to satisfy its own 72-hour regulatory notification deadlines, Just Izzy Ltd shall provide comprehensive operational telemetry as it becomes available, including:
- The nature and technical characteristics of the security incident.
- The specific categories and approximate volume of Data Subjects and records impacted.
- The anticipated structural consequences or privacy risks resulting from the exposure.
- The immediate mitigation protocols, containment measures, and long-term remediation strategies implemented by our incident response team.
11. Deletion, Return, and Export of Personal Data
Upon the termination or structural expiry of the primary subscription Agreement, Just Izzy Ltd shall—at the explicit contractual election of the Controller—permanently delete or return all customer Personal Data in our possession and systematically overwrite existing infrastructure database files, unless applicable domestic laws require long-term archival retention.
- Self-Service Export Window: The Controller may independently export platform configurations and operational metrics using our administrative dashboard export tools at any point during their active subscription term and for a buffer period of thirty (30) days post-termination.
- Automated Purging Lifecycle: Once this export window closes or upon explicit manual instruction, residual customer data will be permanently wiped via automated deletion runs across active server memory, with backup infrastructure files rotated out and overwritten within a maximum window of thirty (30) days.
12. Governing Law
This Data Processing Agreement and any contractual disputes or non-contractual claims arising out of its execution shall be governed strictly by, and construed in accordance with, the laws of England and Wales.
The parties explicitly agree to submit to the exclusive jurisdiction of the competent commercial courts located in London, United Kingdom. This DPA forms an inseparable part of the primary commercial Terms of Service and is fully incorporated into the main contract framework by reference.
Questions about this DPA?
Contact our DPO at dpa-officer@flagmint.com.
Ready to start experimenting?
Run your first A/B test today. No credit card required.