Data Processing Agreement
GDPR-compliant data processing terms
Language Notice
Our legal documents are provided in English as the authoritative version. While navigation and interface elements are available in multiple languages, the legal content remains in English to ensure accuracy and legal validity. This is standard practice for B2B enterprise software platforms.
For questions about these documents in your local language, please contact our legal team at legal@flowapp.com
1. DPA Purpose
This Data Processing Agreement ensures GDPR compliance when FlowApp processes personal data on your behalf.
GDPR Article 28 Compliance
This DPA ensures compliance with Article 28 of the EU General Data Protection Regulation (GDPR), which requires written contracts between data controllers and processors.
2. Definitions
Controller means the entity that determines the purposes and means of processing. Processor means FlowApp when processing data on behalf of the Controller.
Key GDPR Definitions:
Data Controller
The customer organization that determines the purposes and means of processing personal data. As the controller, you have primary responsibility for GDPR compliance.
Data Processor
FlowApp Inc. acts as a processor when handling personal data on your behalf according to your documented instructions and this DPA.
Personal Data
Any information relating to an identified or identifiable natural person that you upload, store, or process using FlowApp services.
Data Subject
The identified or identifiable natural person whose personal data is being processed (e.g., your employees, customers, or end users).
3. Processor Obligations
FlowApp will process personal data only as instructed by you, implement appropriate security measures, and assist with data subject requests.
FlowApp's Processor Obligations:
Data Processing
Process personal data only on documented instructions from you
Confidentiality
Ensure all personnel processing data are bound by confidentiality
Security Measures
Implement appropriate technical and organizational measures
Sub-processing
Only engage authorized sub-processors with adequate safeguards
Data Subject Rights
Assist with data subject requests and rights fulfillment
Incident Response
Notify and assist with personal data breach incidents
4. Sub-processors
FlowApp may engage sub-processors to assist with data processing. We maintain a current list of authorized sub-processors.
Authorized Sub-processors:
FlowApp may engage the following categories of sub-processors to assist with data processing:
Infrastructure Providers:
- Cloud hosting and storage services
- Content delivery networks (CDN)
- Database management services
- Backup and disaster recovery
Support Services:
- Customer support platforms
- Analytics and monitoring tools
- Security and compliance services
- Communication platforms
Sub-processor Changes
We will provide 30 days' advance notice of any changes to our sub-processor list. You may object to new sub-processors with legitimate data protection concerns.
5. Security Measures
We implement technical and organizational measures to ensure appropriate security of personal data, including encryption and access controls.
Technical and Organizational Measures (TOMs):
Technical Measures
- Encryption of personal data in transit and at rest
- Regular security testing and vulnerability assessments
- Network security controls and monitoring
- Secure backup and recovery procedures
Organizational Measures
- Staff training on data protection principles
- Access controls and authorization procedures
- Incident response and breach notification procedures
- Regular compliance audits and certifications
6. Data Breach Notification
In case of a personal data breach, FlowApp will notify you without undue delay and assist with any required notifications to authorities.
Data Breach Response Timeline:
Detection & Assessment
Identify the breach, assess scope and impact, and initiate containment measures
Customer Notification
Notify affected customers without undue delay with preliminary breach details
Authority Assistance
Assist customers with supervisory authority notifications and provide detailed information
7. Data Deletion
Upon termination of services, FlowApp will delete or return all personal data unless retention is required by law.
Data Return and Deletion Process:
Service Termination
Upon termination of our processing activities:
- Personal data export available for 30 days
- Secure deletion of all personal data within 90 days
- Certificate of deletion provided upon request
- Backup data securely deleted according to retention schedule
On-Demand Deletion
During active service, we provide:
- Self-service data deletion tools
- API endpoints for programmatic deletion
- Bulk deletion assistance for enterprise customers
- Verification of deletion completion
8. Data Subject Rights Support
FlowApp assists customers in fulfilling data subject rights under GDPR Articles 15-22:
Right of Access (Art. 15)
Data export tools and API access
Right to Rectification (Art. 16)
Data editing and correction capabilities
Right to Erasure (Art. 17)
Deletion tools and confirmation
Right to Portability (Art. 20)
Structured data export formats
Right to Restrict Processing (Art. 18)
Account suspension and data isolation
Right to Object (Art. 21)
Processing cessation and opt-out tools
Automated Decision-Making (Art. 22)
Human review options where applicable
Notification of Correction (Art. 19)
Change logs and audit trails
9. DPA Contact Information
For DPA-related inquiries, data subject requests, or GDPR compliance questions:
Data Protection Officer: privacy@flowapp.com
Privacy Team: privacy@flowapp.com
Response Time: GDPR requests processed within 30 days
DPA Amendments: Available for enterprise customers