Flow Solutions AI
Flow Solutions
Lead Ops
Data Processing Agreement

How Flow Solutions processes personal data on your behalf.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Flow Solutions Ltd. ("Processor") and governs the processing of personal data that you upload, import, or connect to the Flow Solutions platform. This DPA satisfies the requirements of Article 28 of the EU General Data Protection Regulation (GDPR).

Last updated: 2026-04-22
Processor: Flow Solutions Ltd.
Registered office: Váci út 76, 1133 Budapest, Hungary
Contact: [email protected]

Quick guide

This DPA applies automatically when you create an account and upload or import lead data. It defines Flow Solutions Ltd. as your data processor and sets out how we handle personal data on your behalf under GDPR.

  • Scope and definitions
  • Subject matter of processing
  • Processor obligations
  • Subprocessors
  • International transfers
  • Data subject rights
  • Data breach notification
  • Audit rights
  • Data return and deletion
  • Liability
  • Contact

Scope and definitions

This DPA applies to all personal data that you, the Controller, upload, import, connect, or otherwise make available to the Flow Solutions platform for processing. It supplements and forms part of the Terms of Service.

In this DPA, the following terms have the meanings given to them in GDPR unless otherwise specified:

  • "Controller" means you, the account holder who determines the purposes and means of processing lead data through the service.
  • "Processor" means Flow Solutions Ltd., which processes lead data on the Controller's behalf.
  • "Personal Data" means any information relating to an identified or identifiable natural person that the Controller uploads, imports, or connects to the service.
  • "Processing" has the meaning given in GDPR Article 4(2).
  • "Subprocessor" means any third party engaged by Flow Solutions Ltd. to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

This DPA takes effect when the Controller creates an account and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.

Subject matter, duration, nature, and purpose of processing

The following details are provided in accordance with GDPR Article 28(3):

| Element | Description |
| --- | --- |
| Subject matter | Processing of lead and contact data through the Flow Solutions platform as instructed by the Controller. |
| Duration | For the term of the Controller's account, plus the retention period described in the Privacy Policy (90 days post-deletion). |
| Nature of processing | Collection, storage, organization, retrieval, transmission (through connected messaging channels), AI-assisted analysis and qualification, automated messaging, and deletion. |
| Purpose of processing | To operate the Flow Solutions service on behalf of the Controller, including automated outreach, workflow execution, lead qualification, conversation management, and notification delivery. |
| Types of Personal Data | Lead names, phone numbers, email addresses, messaging identifiers, message content, conversation history, responses to workflow questions, qualification scores, source labels, and any other contact data the Controller uploads or imports. |
| Categories of data subjects | Leads, prospects, contacts, and other individuals whose data the Controller uploads, imports, or connects to the service. |

Processor obligations

The Processor shall:

  • process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or member state law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law;
  • ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (HTTPS/TLS), password hashing with salting, access controls, session lifecycle management, and regular security reviews;
  • not engage another processor (subprocessor) without prior specific or general written authorization of the Controller — see Subprocessors;
  • assist the Controller in responding to data subject rights requests to the extent technically feasible within the service;
  • assist the Controller in ensuring compliance with the obligations under GDPR Articles 32–36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor;
  • at the choice of the Controller, delete or return all Personal Data after the end of the provision of services and delete existing copies unless EU or member state law requires storage — see Data return and deletion;
  • make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits and inspections — see Audit rights.

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes GDPR or other EU or member state data protection provisions.

Subprocessors

The Controller provides general written authorization for the Processor to engage subprocessors, subject to the conditions in this section. The Processor currently uses the following subprocessors:

| Subprocessor | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| Anthropic (Claude API) | AI-assisted message generation, conversation handling, and lead qualification | Workflow prompts, question trees, lead conversation content (messages and responses) | United States (SCCs in place) |
| Stripe, Inc. | Payment processing | Billing identifiers and payment method data (does not process lead Personal Data) | United States (SCCs in place) |

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller at least 30 days to object. If the Controller objects on reasonable grounds relating to data protection, the Processor shall either not engage the subprocessor or, if that is not feasible, the Controller may terminate the affected services.

Where the Processor engages a subprocessor, it shall impose the same data protection obligations as set out in this DPA on the subprocessor by way of a contract, ensuring in particular that the subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures. The Processor remains fully liable to the Controller for the performance of the subprocessor's obligations.

International transfers

The Controller's Personal Data is stored on infrastructure located within the European Union. Where Personal Data is transferred to subprocessors located outside the EU/EEA (currently the United States for Anthropic and Stripe), the Processor ensures that appropriate safeguards are in place in accordance with GDPR Chapter V, specifically Standard Contractual Clauses (SCCs) approved by the European Commission.

The Processor shall not transfer Personal Data to any country or international organization outside the EU/EEA without appropriate safeguards and without informing the Controller.

Data subject rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making). This assistance includes:

  • providing the Controller with the ability to export, correct, and delete lead data through the service's user interface;
  • promptly notifying the Controller if the Processor receives a request directly from a data subject, without responding to the request itself unless authorized by the Controller;
  • providing reasonable technical assistance to the Controller for requests that cannot be fulfilled through the standard service interface.

Data breach notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data. The notification shall include:

  • a description of the nature of the Data Breach, including where possible the categories and approximate number of data subjects and records concerned;
  • the name and contact details of the point of contact at the Processor;
  • a description of the likely consequences of the Data Breach;
  • a description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and GDPR Article 28. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit it initiates. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or summaries from independent third-party audits where available.

Data return and deletion

Upon termination or expiry of the Controller's account, and upon the Controller's request, the Processor shall either return all Personal Data to the Controller in a structured, commonly used, machine-readable format (such as CSV or JSON) or delete all Personal Data and existing copies, unless EU or member state law requires continued storage.

If the Controller does not request return of data, the Processor shall delete all Personal Data within 90 days of account termination, except where retention is required by law (such as billing data retained under the Hungarian Act C of 2000 on Accounting).

The Processor shall certify the deletion of Personal Data upon request by the Controller.

Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Each party's liability under this DPA is limited to direct damages and is subject to the aggregate liability cap stated in the Terms.

Nothing in this DPA limits either party's liability for breaches of GDPR that cannot be limited under applicable law, including liability arising from processing Personal Data outside of or contrary to the Controller's lawful instructions.

Contact

Questions about this Data Processing Agreement, data processing practices, or requests related to the processing of Personal Data can be sent to [email protected].


© 2025 Flow Solutions. AI-powered leads management pipeline for teams to secure and boost sales targets.
