Roles & Responsibilities
Last updated: 4 May 2026
This document is provided in English. It is governed by Finnish and EU law (the GDPR).
1. FlowDial's status
Axiora Labs Oy (Business ID 3605198-5, "FlowDial") acts as an independent data controller for its own company database in all use of the service. Data in the FlowDial database is collected from public sources, and FlowDial determines the purposes and means of processing independently.
FlowDial does not act as a data processor on behalf of the customer, and the customer does not provide personal data to FlowDial for processing. For this reason, no data-processing agreement (DPA) under GDPR Article 28 is required between the parties.
2. Roles in different use scenarios
| Scenario | FlowDial's role | Customer's role |
|---|---|---|
| Browsing and searching the database | Data controller | Recipient |
| Exporting data from the service (CSV, Excel, CRM) | Data controller (originating) | Independent data controller |
When the customer exports data from the service, the customer becomes an independent data controller for the exported data. From that point onward, the customer is responsible for its own compliance with data-protection law, including fulfilment of data-subject rights, respect for the right to object to direct marketing, and documentation of its own lawful basis for processing.
3. Lawful basis
FlowDial processes personal data on the basis of legitimate interest under GDPR Article 6(1)(f). The processing covers company and contact data published in the context of professional roles, for B2B intelligence purposes. FlowDial has carried out a Legitimate Interest Assessment (LIA) and complies with its information obligations to data subjects under GDPR Article 14. Further information for data subjects is available in the Database Register.
4. Information security
FlowDial implements technical and organisational safeguards in accordance with GDPR Article 32:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest (AES-256)
- Access control on a least-privilege basis, with multi-factor authentication
- Regular security audits and vulnerability assessments
- Breach detection and response plan
- Staff training on data protection
- Data processing in EU/EEA data centres
5. International transfers
FlowDial processes personal data primarily in data centres located in the EU/EEA. If a subprocessor is located outside the EU/EEA, all transfers are safeguarded as follows:
- EU-US Data Privacy Framework (DPF) for certified US recipients
- EU Standard Contractual Clauses (SCC, Commission Decision 2021/914) for other third countries
- A Transfer Impact Assessment (TIA) is performed prior to any transfer to a third country, in accordance with EDPB Recommendations 01/2020
- Supplementary safeguards (encryption in transit and at rest, pseudonymisation, access controls) are implemented as required by Schrems II (Case C-311/18)
- If a TIA shows that adequate protection cannot be ensured, the transfer is suspended
An up-to-date list of subprocessors, their locations, and the transfer mechanisms used is available on request at [email protected].
6. Liability
Each party is independently responsible for its own compliance with the GDPR. FlowDial is responsible for its controller obligations in respect of its own database. The customer is responsible for the lawfulness of any subsequent processing of data exported from the service, in accordance with its own terms and applicable data-protection law.
7. Future features
If FlowDial later offers explicitly named features in which personal data provided by the customer is processed (for example enrichment or validation of the customer's own list), those features will be subject to a separate data-processing agreement under GDPR Article 28. Customers will be notified separately about the introduction of such features and the DPA process.
8. Contact
For questions about data protection: [email protected]