Flowframe Data Processing Agreement

IMPORTANT BETA NOTICE

THIS AGREEMENT GOVERNS THE PROCESSING OF PERSONAL DATA DURING FLOWFRAME'S BETA PHASE.

Flowframe is currently operating in public beta with the following characteristics:

• ✅ Service is functional and available for production use
• ⚠️ Some features are experimental and may change
• ⚠️ Service-level guarantees are best-effort during beta
• ✅ GDPR-compliant data protection measures are fully implemented
• ✅ Enterprise-grade security infrastructure is operational

Customer acknowledges that by using Flowframe during beta, they accept reasonable risks associated with early-stage software while benefiting from enterprise-grade data protection.

---

TABLE OF CONTENTS

1. Parties and Definitions
2. Scope and Purpose of Processing
3. Data Processor Obligations
4. Data Controller Obligations
5. Technical and Organizational Security Measures
6. Sub-Processors
7. International Data Transfers
8. Data Subject Rights Support
9. Data Breach Notification and Incident Response
10. Data Retention and Deletion
11. Audit Rights and Compliance Verification
12. Liability, Indemnification, and Insurance
13. Term and Termination
14. General Provisions
15. Standard Contractual Clauses
16. Signatures and Acceptance

---

1. PARTIES AND DEFINITIONS

1.1 Parties

DATA PROCESSOR ("Processor", "Flowframe", "we", "us", "our")

DATA CONTROLLER ("Controller", "Customer", "you", "your")

1.2 Definitions

For the purposes of this Data Processing Agreement, the following terms shall have the meanings set forth below:

"Personal Data" means any information relating to an identified or identifiable natural person ('Data Subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This definition is as set forth in Article 4(1) of the GDPR.

"Processing" means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates, as defined in Article 4(1) of the GDPR.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined in Article 4(7) of the GDPR.

"Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller, as defined in Article 4(8) of the GDPR.

"Sub-Processor" means any Processor engaged by Flowframe who processes Personal Data received from the Controller or collected on the Controller's behalf in order to assist Flowframe in fulfilling its obligations under this DPA.

"Data Protection Laws" means all applicable legislation relating to data protection and privacy, including:

• Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR")
• UK GDPR and Data Protection Act 2018 (for UK customers)
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (for California residents)
• Any applicable national or state data protection laws
• Any successor or replacement legislation

"Supervisory Authority" means an independent public authority established by an EU Member State or the UK pursuant to the GDPR or UK GDPR to monitor and enforce compliance with Data Protection Laws.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission pursuant to Decision 2021/914/EU, as may be amended or replaced.

"Third Country" means a country outside the European Economic Area (EEA) or United Kingdom that has not been subject to an adequacy decision by the European Commission or the UK government.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the GDPR.

"Services" means the Flowframe analytics platform and all related services, features, and functionalities provided by Flowframe as described in the Terms of Service, including but not limited to:

• Web-based collaborative data analysis platform
• SQL query editor and visual query builder
• Real-time collaboration capabilities
• Data visualization and dashboard creation
• Project sharing and version control
• Account and workspace management
• Technical support services

---

2. SCOPE AND PURPOSE OF PROCESSING

2.1 Processor-Controller Relationship

This Data Processing Agreement ("DPA") forms an integral part of and is incorporated into the Flowframe Terms of Service (the "Agreement"). This DPA sets forth the terms and conditions under which Flowframe (as Processor) will process Personal Data on behalf of Customer (as Controller).

Roles and Responsibilities:

• Customer is the Data Controller who determines the purposes and means of Processing Personal Data through the Flowframe platform
• Flowframe is the Data Processor who processes Personal Data solely on documented instructions from Customer
• Relationship: Flowframe acts exclusively as a service provider processing Personal Data on Customer's behalf and does not process Personal Data for its own purposes (except as permitted by Data Protection Laws)

2.2 Subject Matter of Processing

The subject matter of Processing under this DPA is the provision of Flowframe's collaborative data analytics platform, which enables Customer to:

• Analyze data from various sources using SQL queries and visual builders
• Collaborate in real-time with team members on data analysis projects
• Create and share data visualizations and dashboards
• Manage workspace access and team permissions
• Store query history and project configurations

2.3 Duration of Processing

Processing shall continue for the duration of the Agreement and during any data retention period as specified in Section 10 (Data Retention and Deletion), unless earlier terminated in accordance with Section 13 (Term and Termination).

Key Milestones:

• Commencement: Date Customer accepts the Terms of Service and creates an account
• Active Processing: Throughout Customer's subscription period
• Post-Termination: Up to 30 days for backup retention, plus legal retention requirements
• Final Deletion: Complete deletion of all Personal Data within 30 days after termination (except legally required retention)

2.4 Nature and Purpose of Processing

Processing Activities include:

1. Account Management: Creating and maintaining user accounts, authentication, authorization
2. Collaboration Services: Enabling real-time collaborative editing using Conflict-free Replicated Data Types (CRDTs)
3. Query Storage: Storing SQL queries and visual query configurations for version history
4. Metadata Management: Storing user-provided descriptions and documentation
5. Project Configuration: Maintaining canvas layouts, visualization settings, and workspace configurations
6. Security and Access Control: Implementing role-based permissions and audit logging
7. Technical Support: Providing customer support and troubleshooting assistance
8. Service Improvement: Analyzing anonymized usage patterns to improve platform functionality
9. Billing and Payment: Processing subscription payments and maintaining billing records (via Sub-Processor Stripe)

Purposes of Processing:

• To provide the Services as described in the Agreement
• To maintain service quality, security, and availability
• To fulfill Customer's instructions and requirements
• To comply with legal obligations (e.g., tax, financial record-keeping)
• To protect against fraud, abuse, and security threats

2.5 Categories of Data Subjects

Depending on Customer's use of Flowframe, Data Subjects may include:

• Customer's Employees: Individuals employed by Customer who use Flowframe
• Customer's Contractors: Independent contractors or consultants authorized by Customer
• Customer's Clients or End Users: If Customer analyzes data about their own customers
• Any Individuals: Whose Personal Data Customer chooses to upload or analyze through Flowframe

Note: Customer is solely responsible for determining which Data Subjects' Personal Data is processed and ensuring lawful processing under Data Protection Laws.

2.6 Categories and Types of Personal Data

Flowframe processes the following categories of Personal Data on behalf of Customer:

2.6.1 Account and Authentication Data

• Full name
• Email address
• Password (hashed using bcrypt with salt - plaintext never stored)
• Account preferences and settings
• User role and permissions
• Two-factor authentication credentials (when available)

2.6.2 Workspace and Collaboration Data

• Workspace name and settings
• Team member list and roles
• Project names and descriptions
• Real-time collaboration state (Yjs CRDT documents)
• Comments and annotations
• Version history metadata

2.6.3 Query and Analysis Data

• SQL query text
• Visual query builder configurations
• Metadata descriptions (user-provided column/table descriptions)
• Project canvas layouts and configurations
• Visualization settings (chart types, axes, filters)

IMPORTANT - Data Processing Architecture:

• ⚠️ Cloud Database Query Results: Transmitted through Flowframe servers (transient, NOT stored) → Cached in browser only
• ✅ Actual Business Data: Customer's database contents remain in Customer's control (never copied to Flowframe)
• ⚠️ Database Credentials: Encrypted end-to-end, stored on Flowframe servers (encrypted at rest)
• ⚠️ Uploaded File Contents: CSV/Parquet/JSON processed client-side, then encrypted and stored in DigitalOcean Spaces (AES-256)
• ✅ File Query Results: Processed client-side using DuckDB WASM (stays in browser)

2.6.4 Usage and Analytics Data

• Login timestamps and session duration
• Feature usage patterns (anonymized where possible)
• Performance metrics (page load times, query execution times)
• Error logs and debugging information
• IP addresses (for security and fraud prevention)
• Browser type and operating system

2.6.5 Billing and Payment Data

• Billing name and address
• Payment method information (processed by Sub-Processor Stripe - Flowframe does not store credit card numbers)
• Transaction history
• Invoices and receipts

2.6.6 Support and Communication Data

• Support ticket content and correspondence
• Customer feedback and feature requests
• Email communications with Flowframe

2.6.7 User-Uploaded Personal Data (Scope Determined by Customer)

Customer may choose to analyze Personal Data through Flowframe. The specific categories depend entirely on Customer's business and use case. Examples may include:

• Customer records (if Customer uploads customer lists)
• Employee information (if Customer analyzes HR data)
• Transaction data (if Customer analyzes sales/payment data)
• Any other Personal Data Customer chooses to process

Customer Responsibility: Customer is solely responsible for:

• Determining what Personal Data to upload or analyze
• Ensuring lawful basis for processing under GDPR Article 6
• Obtaining necessary consents from Data Subjects
• Providing appropriate privacy notices to Data Subjects
• Complying with data minimization principles

2.7 Special Categories of Personal Data

Flowframe is NOT designed to process Special Categories of Personal Data as defined in GDPR Article 9, including:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for identification purposes
• Health data
• Data concerning sex life or sexual orientation

Prohibition: Customer shall NOT upload or process Special Categories of Personal Data through Flowframe without prior written agreement with Flowframe and implementation of additional safeguards as required by Data Protection Laws.

If Customer requires processing of Special Categories: Customer must contact Flowframe at support@flowframe.io to execute a separate addendum with enhanced security measures, legal bases, and compliance requirements.

2.8 Processing Instructions

Documented Instructions: This DPA, together with the Terms of Service, constitutes Customer's complete and final documented instructions to Flowframe for Processing Personal Data.

Additional Instructions: Customer may issue additional written instructions via:

• Configuration of workspace settings and features in the platform
• Selections made through the user interface
• Written requests sent to support@flowframe.io

Instruction Compliance: Flowframe shall:

• Process Personal Data only in accordance with Customer's documented instructions
• Immediately inform Customer if instructions violate Data Protection Laws
• Not process Personal Data for purposes other than those instructed by Customer
• Seek clarification if instructions are ambiguous or unclear

Customer Acknowledgment: Customer acknowledges that use of specific Flowframe features constitutes instructions to process Personal Data as necessary to provide those features.

---

3. DATA PROCESSOR OBLIGATIONS

3.1 Processing Only on Instructions

Core Principle: Flowframe shall process Personal Data only on documented instructions from Customer, unless required to do so by EU, Member State, or UK law applicable to Flowframe.

Obligations:

1. Flowframe shall NOT process Personal Data for any purpose other than as instructed by Customer
2. Flowframe shall immediately inform Customer if, in Flowframe's opinion, an instruction infringes Data Protection Laws
3. If EU or Member State law requires Flowframe to process Personal Data, Flowframe shall inform Customer of that legal requirement before processing (unless prohibited by law on important grounds of public interest)
4. Flowframe shall implement appropriate technical and organizational measures to ensure Processing complies with this DPA and Data Protection Laws

Permitted Processing Without Instruction:

• Processing required by applicable law (e.g., financial record retention, tax compliance)
• Processing necessary to protect against security threats, fraud, or abuse
• Processing to comply with court orders, warrants, or subpoenas (with notice to Customer when legally permitted)

3.2 Confidentiality and Personnel

Confidentiality Obligations:

1. Flowframe shall ensure that all personnel authorized to process Personal Data:

   • Are subject to a duty of confidentiality (whether contractual or statutory)
   • Have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
   • Are trained on data protection requirements and security procedures

2. Flowframe maintains the following organizational measures:

   • Employment Contracts: All employees sign confidentiality and data protection clauses
   • Contractor Agreements: All contractors and vendors sign NDAs and data protection terms
   • Security Training: Annual mandatory security awareness and GDPR training for all personnel with data access
   • Background Checks: Background verification for employees with access to production systems or Personal Data
   • Access Restrictions: Personnel granted access only on a need-to-know basis for their role

Access Management:

• Engineering Team: Access to anonymized logs and debugging data only (no Personal Data)
• Support Team: Access to account information only as necessary to resolve support tickets
• Founder/CEO: Administrative access with audit logging and MFA required
• File Access: Strictly limited to authorized personnel for support/maintenance; all access logged and monitored
• Database Query Results: Not stored on servers (transient only), no employee access
• Customer Database Contents: Never copied to Flowframe, remains in Customer's control

Ongoing Compliance:

• Flowframe conducts annual refresher training on data protection
• Personnel access is reviewed quarterly and revoked when no longer necessary
• All access to production systems is logged and auditable

3.3 Security of Processing

Flowframe implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. See Section 5 (Technical and Organizational Security Measures) for comprehensive details.

Security Principles:

• Confidentiality: Prevent unauthorized access to Personal Data
• Integrity: Prevent unauthorized alteration or corruption of Personal Data
• Availability: Ensure authorized access to Personal Data when needed
• Resilience: Maintain security during incidents and attacks
• Recoverability: Restore availability and access after incidents

3.4 Assistance with Data Subject Rights

Flowframe shall, taking into account the nature of the Processing and to the extent possible, assist Customer in fulfilling Customer's obligation to respond to Data Subject requests to exercise their rights under Data Protection Laws.

Response Timeline: Flowframe shall provide assistance within 10 business days of Customer's request.

See Section 8 (Data Subject Rights Support) for detailed procedures.

3.5 Assistance with Compliance Obligations

Flowframe shall assist Customer in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 (security, breach notification, impact assessments, prior consultation), taking into account:

• The nature of Processing
• The information available to Flowframe
• The scope and context of Processing activities

Specific Assistance:

1. Security Measures (Article 32): Provide documentation of technical and organizational measures
2. Breach Notification (Articles 33-34): Promptly notify Customer of Personal Data breaches (see Section 9)
3. Data Protection Impact Assessment (DPIA) (Article 35): Provide information reasonably necessary for Customer's DPIA
4. Prior Consultation (Article 36): Cooperate with Customer if prior consultation with Supervisory Authority is required

DPIA Support: If Customer determines that a DPIA is required for its use of Flowframe, Flowframe will provide:

• Description of Processing operations and purposes
• Assessment of necessity and proportionality of Processing
• Description of technical and organizational security measures
• Information about sub-processors and data transfers
• Risk assessment information available to Flowframe

Fees: Assistance with complex compliance matters requiring significant Flowframe resources (e.g., extensive DPIA support, custom compliance reports) may be subject to reasonable professional services fees, to be agreed in advance.

3.6 Data Deletion or Return

Upon termination of Services or at Customer's written request, Flowframe shall, at Customer's choice, delete or return all Personal Data to Customer and delete existing copies, subject to Section 10 (Data Retention and Deletion).

Deletion Certification: Flowframe shall provide written certification of deletion upon request.

3.7 Information and Audit Rights

Flowframe shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

See Section 11 (Audit Rights and Compliance Verification) for detailed procedures.

3.8 Records of Processing Activities

Flowframe maintains records of all categories of Processing activities carried out on behalf of Customer, as required by GDPR Article 30(2), including:

• The name and contact details of Flowframe and each sub-processor
• The categories of Processing carried out on behalf of each Controller
• Where applicable, transfers of Personal Data to a Third Country or international organization
• Where possible, a general description of the technical and organizational security measures

Availability: Records are available to Supervisory Authorities upon request and to Customer upon reasonable request.

3.9 Notification of Legal Process

If Flowframe receives any legal process (subpoena, warrant, court order, regulatory investigation) requiring disclosure of Customer's Personal Data, Flowframe shall:

1. Notify Customer promptly (within 24 hours when legally permitted)
2. Provide Details: Share the nature of the legal process and data requested
3. Await Customer Response: Allow Customer reasonable opportunity to object or seek protective order
4. Minimize Disclosure: Disclose only the minimum Personal Data required
5. Document Process: Maintain records of legal process and data disclosed

Exceptions: Notification may be delayed or prohibited if:

• Law enforcement specifically prohibits notification
• Notification would obstruct governmental investigation
• Gag order or court seal is in effect
• Disclosure is required to prevent imminent harm

When legally permitted, Flowframe shall inform Customer after prohibition is lifted.

---

4. DATA CONTROLLER OBLIGATIONS

4.1 Legal Basis and Lawfulness

Customer Warranties: Customer represents and warrants that:

1. Lawful Basis: Customer has established and documented a lawful basis for Processing Personal Data under GDPR Article 6:

   • Consent of the Data Subject
   • Performance of a contract with the Data Subject
   • Compliance with a legal obligation
   • Protection of vital interests
   • Performance of a task in the public interest or exercise of official authority
   • Legitimate interests pursued by Customer (with balancing test)

2. Compliance: Customer's Processing and instructions to Flowframe comply with all applicable Data Protection Laws

3. Authority: Customer has all necessary rights, consents, and authorizations to provide Personal Data to Flowframe for Processing

4. Instructions Lawful: All instructions given to Flowframe comply with Data Protection Laws

Customer Indemnity: Customer shall indemnify and hold Flowframe harmless from any claims, damages, or penalties arising from Customer's failure to establish lawful basis or obtain necessary consents.

4.2 Privacy Notices and Transparency

Customer Obligations: Customer is responsible for providing clear, comprehensive privacy notices to Data Subjects, including:

Required Disclosures:

• Identity of Controller (Customer) and contact details
• Contact details of Customer's Data Protection Officer (if applicable)
• Purposes of Processing and legal basis
• Categories of Personal Data collected
• Recipients or categories of recipients (including disclosure to Flowframe as Processor)
• Information about international data transfers (including use of Standard Contractual Clauses)
• Retention periods or criteria for determining retention
• Data Subject rights under Data Protection Laws
• Right to lodge complaint with Supervisory Authority
• Whether provision of Personal Data is statutory, contractual requirement, or necessary to enter into a contract
• Existence of automated decision-making, including profiling

Flowframe Reference: Customer's privacy notice should identify Flowframe as a data processor and may reference this DPA and Flowframe's Privacy Policy (https://flowframe.io/privacy).

Template Provided: Flowframe provides a sample privacy notice template (see supporting documents) that Customer may adapt for its own use.

4.3 Consents and Permissions

Customer Responsibility: Where Processing is based on consent, Customer is solely responsible for:

• Obtaining valid, informed, freely given consent from Data Subjects
• Providing Data Subjects with clear information about how to withdraw consent
• Maintaining records of consent
• Honoring withdrawal of consent
• Ensuring consent meets GDPR requirements (Article 7)

Consent Standards (GDPR Article 7):

• Given by clear affirmative action
• Specific and informed
• Freely given (no imbalance of power)
• As easy to withdraw as to give
• Separate from other terms and conditions
• Not bundled as a condition of service (if not necessary)

4.4 Data Minimization

Customer Obligations: Customer shall:

1. Process only Personal Data that is adequate, relevant, and limited to what is necessary for the purposes (GDPR Article 5(1)(c))
2. Not upload or process more Personal Data than necessary
3. Regularly review and delete Personal Data that is no longer needed
4. Implement retention schedules aligned with business and legal requirements

Prohibited Data: Customer shall NOT process through Flowframe:

• Special Categories of Personal Data (GDPR Article 9) without prior written agreement
• Personal Data of children under age 16 without documented parental consent (if applicable)
• Personal Data Customer is not authorized to process
• Personal Data in violation of Data Protection Laws

4.5 Data Accuracy

Customer Obligations (GDPR Article 5(1)(d)):

• Ensure Personal Data is accurate and kept up to date
• Take reasonable steps to erase or rectify inaccurate data without delay
• Periodically review and update Personal Data
• Implement processes to identify and correct inaccurate data

Flowframe provides tools for Customer to update and correct Personal Data via the platform interface.

4.6 Responding to Data Subject Requests

Customer Responsibility: Customer is responsible for:

• Receiving and responding to Data Subject requests
• Verifying identity of Data Subjects making requests
• Determining whether to fulfill or refuse requests
• Responding within legal timeframes (1 month under GDPR, extendable to 3 months for complex requests)
• Communicating directly with Data Subjects

Flowframe Assistance: Flowframe will assist Customer by providing technical capabilities and data exports as detailed in Section 8.

4.7 Data Protection Impact Assessments

Customer Responsibility: If Customer's use of Flowframe involves Processing likely to result in high risk to Data Subjects (GDPR Article 35), Customer is responsible for conducting a Data Protection Impact Assessment (DPIA).

High-Risk Processing may include:

• Systematic and extensive profiling or automated decision-making
• Large-scale processing of Special Categories of Personal Data
• Systematic monitoring of publicly accessible areas on a large scale
• Processing of Personal Data of vulnerable individuals (children, employees)

Flowframe Support: Flowframe will provide information reasonably necessary for Customer's DPIA upon request (see Section 3.5).

4.8 Compliance with Sector-Specific Regulations

Customer Responsibility: If Customer operates in a regulated industry, Customer is responsible for compliance with sector-specific regulations, including:

• HIPAA (Health Insurance Portability and Accountability Act) - US healthcare
• GLBA (Gramm-Leach-Bliley Act) - US financial services
• PCI DSS (Payment Card Industry Data Security Standard) - payment card processing
• FERPA (Family Educational Rights and Privacy Act) - US education
• COPPA (Children's Online Privacy Protection Act) - US children's data

Note: Flowframe's standard service is NOT HIPAA-compliant or PCI DSS Level 1 certified. Customer requiring sector-specific compliance must contact Flowframe at support@flowframe.io to discuss custom compliance requirements and separate Business Associate Agreements (BAA) or other necessary documentation.

---

5. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Flowframe implements comprehensive technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32.

5.1 Security Framework and Principles

Security Objectives:

• Confidentiality: Protection against unauthorized access or disclosure
• Integrity: Protection against unauthorized modification or destruction
• Availability: Ensuring authorized access when needed
• Resilience: Ability to resist and recover from security incidents
• Accountability: Ability to demonstrate compliance with security requirements

Risk-Based Approach: Security measures are designed taking into account:

• State of the art technology and implementation costs
• Nature, scope, context, and purposes of Processing
• Risks to rights and freedoms of Data Subjects
• Likelihood and severity of potential incidents

5.2 Technical Security Measures

5.2.1 Encryption

Data in Transit:

• TLS 1.3 encryption for all connections between Customer browsers and Flowframe servers
• HTTPS Strict Transport Security (HSTS) enabled to prevent downgrade attacks
• Certificate Management: SHA-256 signed certificates from trusted Certificate Authorities
• Perfect Forward Secrecy: Enabled to protect past sessions even if keys are compromised
• WebSocket Secure (WSS): Encrypted WebSocket connections for real-time collaboration
• Cipher Suites: Modern, strong cipher suites only (AES-256-GCM, ChaCha20-Poly1305)

Data at Rest:

• AES-256 encryption for all stored Personal Data
• PostgreSQL encryption: Full database encryption using pgcrypto extension
• Backup encryption: All backups encrypted with AES-256
• Encrypted storage volumes: DigitalOcean Block Storage with encryption enabled
• Key Management: Encryption keys stored securely separate from encrypted data

Database Credentials Storage:

• Encryption in Transit: Database credentials encrypted in browser before transmission via TLS 1.3
• Encryption at Rest: Stored encrypted on Flowframe servers with AES-256
• Access Control: Access restricted to authorized personnel only, fully logged

Client-Side Caching:

• Query Results: Cached in browser local storage for performance
• File Uploads: Files encrypted with AES-256 in DigitalOcean Spaces (London, UK)

5.2.2 Access Controls and Authentication

User Authentication:

• Bcrypt password hashing: 12 rounds with salt (industry best practice)
• Password Requirements: Minimum 8 characters (12+ recommended), complexity requirements
• Account Lockout: Temporary lockout after 5 failed login attempts
• Session Management: Secure, HTTP-only, SameSite cookies
• Session Timeout: Automatic logout after 24 hours of inactivity (configurable)
• Multi-Factor Authentication (2FA): Planned for Q2 2026 (TOTP-based)

Administrative Access:

• Multi-Factor Authentication (MFA): Required for all Flowframe personnel with production access
• Principle of Least Privilege: Personnel granted only minimum necessary access
• Role-Based Access Control (RBAC): Granular permissions based on job function
• Access Logging: All administrative access logged and auditable
• Access Reviews: Quarterly review and recertification of access rights

Network Security:

• Virtual Private Cloud (VPC): Database servers isolated in private VPC with no public internet access
• Firewall Rules: Strict ingress/egress rules, default deny policy
• DDoS Protection: DigitalOcean Cloud Firewall with DDoS mitigation
• Web Application Firewall (WAF): Protection against OWASP Top 10 vulnerabilities
• Rate Limiting: API rate limiting to prevent abuse (100 req/min Free tier, 1000 req/min Pro)

5.2.3 Dual Data Processing Architecture

Architecture 1: Cloud Database Connections

Data Flow:

• Database Credentials: Encrypted end-to-end, stored on Flowframe servers (encrypted at rest with AES-256)
• Query Execution: SQL queries routed through Flowframe servers to Customer's database
• Query Results: Transmitted through Flowframe servers (transient, NOT stored) → Sent to Customer's browser
• Result Caching: Results cached in Customer's browser only (not on Flowframe servers)

Security Benefits:

• Enhanced Connection Security: Secure tunneling and firewall compatibility
• No Data Storage: Query results transient on servers (not stored, immediately transmitted)
• Database Isolation: Customer's database contents never copied to Flowframe
• Connection Management: Secure credential handling and rotation

Architecture 2: File Uploads

Data Flow:

• File Upload: CSV/Parquet/JSON files processed client-side using DuckDB WASM first
• File Storage: Encrypted file contents stored in DigitalOcean Spaces (London, UK)
• File Encryption: AES-256 server-side encryption at rest
• File Queries: Execute client-side in browser using DuckDB WASM
• Query Results: Processed and displayed client-side, never leave browser

Security Benefits:

• Client-Side Processing: File analysis happens in Customer's browser (DuckDB WASM)
• Encrypted Storage: Files encrypted at rest with AES-256
• Immediate Deletion: Files deleted instantly upon request (no backups)
• Access Control: Flowframe access strictly limited to authorized personnel, logged and monitored

Benefits of Dual Architecture:

• Data Minimization: Query results not stored, only transient on servers
• Encryption Everywhere: TLS 1.3 in transit, AES-256 at rest
• Faster Performance: Client-side file processing, optimized cloud DB connections
• Customer Control: Immediate file deletion, no backup retention period

What IS Transmitted to/Stored on Servers:

• SQL query text (for version history and collaboration)
• Database credentials (encrypted at rest)
• Metadata descriptions (for AI features and documentation)
• Project configurations (canvas layout, visualization settings)
• Account and authentication data
• Uploaded file contents (encrypted in DigitalOcean Spaces)

5.2.4 Vulnerability Management

Security Updates:

• Automated Patching: Operating systems and infrastructure patched within 7 days of critical security updates
• Dependency Scanning: Automated scanning of npm/yarn dependencies for known vulnerabilities
• Dependency Updates: Critical security updates applied within 48 hours, other updates monthly
• Container Security: Docker images scanned for vulnerabilities before deployment

Vulnerability Testing:

• Penetration Testing: Annual third-party penetration tests (starting Q2 2026 post-SOC 2)
• Continuous Scanning: Automated vulnerability scanning of infrastructure
• Code Security Reviews: Security-focused code reviews for all changes to authentication, authorization, or data handling
• Bug Bounty Program: Planned launch Q2 2026 to incentivize responsible disclosure

Security Monitoring:

• 24/7 Automated Monitoring: Real-time security event detection
• Intrusion Detection: Alerts for suspicious access patterns or unauthorized attempts
• Log Analysis: Centralized logging and analysis for security threat detection
• Anomaly Detection: Monitoring for unusual activity patterns

5.2.5 Backup and Recovery

Backup Strategy:

• Daily Incremental Backups: Every 24 hours for changed data
• Weekly Full Backups: Complete system backups every Sunday
• Retention Period: 30 days for disaster recovery
• Backup Encryption: All backups encrypted with AES-256
• Backup Location: Stored in same region (London, UK) separate from production systems
• Immutable Backups: Write-once-read-many (WORM) storage to prevent ransomware attacks

Disaster Recovery:

• Recovery Point Objective (RPO): Maximum 24 hours of data loss
• Recovery Time Objective (RTO): Service restoration within 4 hours for critical systems
• Backup Testing: Quarterly restore tests to verify backup integrity
• Failover Procedures: Documented procedures for disaster recovery scenarios

5.3 Organizational Security Measures

5.3.1 Security Policies and Procedures

Flowframe maintains comprehensive written policies and procedures, including:

• Information Security Policy: Overall security governance framework
• Data Protection Policy: GDPR compliance and data handling procedures
• Incident Response Plan: Procedures for detecting, responding to, and recovering from security incidents
• Business Continuity Plan: Procedures for maintaining operations during disruptions
• Acceptable Use Policy: Employee and contractor usage requirements
• Vendor Management Policy: Security requirements for third-party vendors and sub-processors
• Data Retention and Deletion Policy: Standards for data lifecycle management

Policy Review: All policies reviewed and updated annually or when significant changes occur.

5.3.2 Personnel Security

Background Checks:

• Employment verification for all personnel
• Criminal background checks for personnel with access to production systems or Personal Data
• Reference checks for key personnel

Confidentiality Agreements:

• All employees sign confidentiality and data protection clauses in employment contracts
• All contractors and consultants sign Non-Disclosure Agreements (NDAs)
• Obligations survive termination of employment or contract

Security Training:

• Onboarding: All new personnel complete security and data protection training
• Annual Refresher: Mandatory annual GDPR and security awareness training
• Specialized Training: Additional training for personnel with elevated access (e.g., database administrators)
• Phishing Simulations: Quarterly phishing awareness campaigns

Access Termination:

• Immediate revocation of access upon termination of employment or contract
• Return or secure deletion of all company devices and data
• Exit interviews to reinforce confidentiality obligations

5.3.3 Physical Security (Data Center)

Flowframe utilizes DigitalOcean's London, UK (LON1) data center, which implements:

• 24/7 Physical Security: Guards, surveillance cameras, access logging
• Multi-Factor Access Control: Biometric scanners, key cards, PIN codes
• Perimeter Security: Fencing, barriers, vehicle access controls
• Environmental Controls: Fire suppression, HVAC, uninterruptible power supply (UPS)
• Compliance Certifications: ISO 27001, SOC 2 Type II, PCI DSS

DigitalOcean Compliance: https://www.digitalocean.com/trust/certification-reports

5.3.4 Vendor and Sub-Processor Management

Vendor Selection:

• Security and compliance assessment before onboarding
• Review of security certifications (SOC 2, ISO 27001, etc.)
• Data Processing Agreements required for all sub-processors
• Standard Contractual Clauses for international data transfers

Ongoing Monitoring:

• Quarterly review of sub-processor security posture
• Annual review of Data Processing Agreements
• Monitoring for security incidents or data breaches at sub-processors
• Replacement of sub-processors failing to meet security standards

See Section 6 (Sub-Processors) for detailed sub-processor information.

5.3.5 Change Management

Secure Development Lifecycle:

• Code Reviews: All code changes reviewed before deployment
• Security Testing: Automated security scans in CI/CD pipeline
• Staging Environment: Changes tested in non-production environment before release
• Deployment Controls: Multi-person approval required for production deployments
• Rollback Procedures: Ability to quickly revert changes if issues are detected

Change Approval:

• Documented change management process
• Security impact assessment for significant changes
• Approval required from technical lead for all production changes

5.3.6 Asset Management

Inventory Management:

• Comprehensive inventory of all hardware, software, and data assets
• Classification of assets by sensitivity and criticality
• Documented ownership and custodianship of assets
• Regular inventory audits

Asset Disposal:

• Secure deletion or destruction of decommissioned hardware
• Certificate of destruction for disposed storage media
• Cryptographic erasure of encryption keys when possible

5.4 Application Security

Secure Coding Practices:

• OWASP Top 10: Development practices address OWASP Top 10 vulnerabilities
• Input Validation: All user input validated and sanitized
• Output Encoding: Proper encoding to prevent XSS attacks
• SQL Injection Prevention: Parameterized queries, prepared statements
• CSRF Protection: Anti-CSRF tokens for state-changing operations
• Content Security Policy (CSP): Strict CSP headers to prevent XSS and injection attacks

API Security:

• Authentication: All API endpoints require authentication (except public endpoints)
• Authorization: Fine-grained authorization checks for all resources
• Rate Limiting: Protection against brute force and DoS attacks
• Input Validation: Strict validation of all API inputs
• Error Handling: Generic error messages that don't leak sensitive information

5.5 Security Monitoring and Incident Detection

Logging and Monitoring:

• Centralized Logging: All security-relevant events logged to centralized system
• Log Retention: Security logs retained for 90 days
• Real-Time Alerts: Automated alerts for security events (failed logins, unauthorized access attempts, anomalous behavior)
• SIEM Capabilities: Log aggregation and analysis for threat detection (planned for Q3 2026)

Monitored Events:

• Failed authentication attempts
• Privilege escalation attempts
• Unauthorized access to resources
• Unusual data access patterns
• System errors and crashes
• Changes to security configurations
• Administrative actions

5.6 Continuous Improvement

Security Reviews:

• Quarterly review of security measures and incidents
• Annual comprehensive security assessment
• Post-incident reviews to identify improvements
• Regular review of industry best practices and emerging threats

Adaptation to Risks:

• Security measures updated in response to new threats
• Incorporation of lessons learned from security incidents
• Adoption of new technologies to improve security posture

---

6. SUB-PROCESSORS

6.1 General Authorization

Customer Authorization: By entering into this DPA, Customer provides general authorization for Flowframe to engage sub-processors to assist in providing the Services.

Sub-Processor Requirements: All sub-processors must:

• Be bound by written agreements imposing data protection obligations substantially similar to this DPA
• Implement appropriate technical and organizational security measures
• Comply with Data Protection Laws applicable to their Processing activities
• Submit to audits and inspections as required
• Execute Standard Contractual Clauses for international data transfers (where applicable)

Flowframe Liability: Flowframe remains fully liable to Customer for the performance of sub-processors' obligations under this DPA. Flowframe's liability is not diminished by engaging sub-processors.

6.2 Current Sub-Processors

Flowframe currently engages the following sub-processors:

6.2.1 DigitalOcean LLC

Purpose: Infrastructure hosting and cloud services provider

Entity Details:

• Legal Name: DigitalOcean, LLC
• Headquarters: 101 6th Avenue, New York, NY 10013, USA
• Data Processing Location: London, United Kingdom (LON1 data center)
• Website: https://www.digitalocean.com

Services Provided:

• Cloud infrastructure and compute resources
• PostgreSQL database hosting
• Object storage (for backups and file storage)
• Networking and load balancing
• Block storage with encryption

Personal Data Transferred:

• All platform data stored on servers: account information, collaboration state, query history, metadata, workspace configurations, authentication credentials

Security and Compliance:

• Certifications: ISO 27001, SOC 2 Type II, PCI DSS Level 1
• GDPR Compliance: EU-US Data Privacy Framework participant, Standard Contractual Clauses in place
• Data Location: Primary processing in European Union (London, UK)
• Encryption: AES-256 encryption at rest, TLS 1.3 in transit
• Physical Security: ISO 27001 certified data centers
• Compliance Documentation: https://www.digitalocean.com/trust/certification-reports

DPA and SCCs: DigitalOcean Data Processing Agreement with Standard Contractual Clauses executed.

6.2.2 Stripe, Inc.

Purpose: Payment processing services

Entity Details:

• Legal Name: Stripe, Inc.
• Headquarters: 510 Townsend Street, San Francisco, CA 94103, USA
• Data Processing Location: United States (with global infrastructure)
• Website: https://stripe.com

Services Provided:

• Credit card payment processing
• Subscription billing management
• Invoice generation
• Payment method storage (tokenized)
• Fraud detection and prevention

Personal Data Transferred:

• Customer billing name and email address
• Billing address
• Payment method information (credit card numbers tokenized by Stripe, NOT stored by Flowframe)
• Transaction history
• IP addresses (for fraud prevention)

Security and Compliance:

• Certifications: PCI DSS Level 1 (highest level), SOC 2 Type II, ISO 27001
• GDPR Compliance: EU-US Data Privacy Framework participant, Standard Contractual Clauses available
• Data Residency: Global infrastructure with EU data localization options
• Encryption: AES-256 encryption at rest, TLS 1.3 in transit
• Tokenization: Card numbers tokenized and stored securely, never accessible to Flowframe
• Compliance Documentation: https://stripe.com/docs/security/stripe

DPA and SCCs: Stripe Data Processing Agreement with Standard Contractual Clauses executed.

Note: Flowframe does NOT store credit card numbers. Stripe handles all sensitive payment data, and Flowframe only receives payment tokens and transaction confirmations.

6.3 Planned Future Sub-Processors

The following sub-processors are planned for future integration (NOT currently processing Personal Data):

6.3.1 Google LLC (Gemini AI) - PLANNED Q2 2026

Purpose: AI-powered natural language query generation

Entity Details:

• Legal Name: Google LLC
• Headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Data Processing Location: United States (Google Cloud infrastructure)
• Website: https://cloud.google.com

Planned Services:

• Processing natural language questions to generate SQL queries
• Understanding database schema and metadata to provide context-aware responses

Personal Data to be Transferred (when feature launches):

• User questions/prompts in natural language
• Table and column metadata (schema information, user-provided descriptions)
• Database structure information (table names, column names, data types)

Personal Data NOT Transferred:

• ❌ Actual customer data (query results, database contents)
• ❌ Database credentials or connection strings
• ❌ Query results or row-level data
• ❌ File contents from uploaded CSVs

Planned Security and Compliance:

• Certifications: SOC 2, ISO 27001, PCI DSS
• GDPR Compliance: EU-US Data Privacy Framework, Standard Contractual Clauses
• Zero Data Retention (ZDR): Google has committed NOT to store prompts or use them for model training
• Data Deletion: Prompts processed and immediately discarded after SQL generation
• Privacy Commitments: https://cloud.google.com/terms/service-terms

Customer Opt-Out: When AI features launch, Customer may disable AI query features in workspace settings to prevent any data transfer to Google.

Notification: Flowframe will notify Customer 30 days before activating Google as a sub-processor (see Section 6.4).

6.4 Sub-Processor Change Notification

Advance Notice: Flowframe shall inform Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.

Notification Method:

• Email notification to Customer's registered email address
• Notification within Customer's Flowframe dashboard (when logged in)

Information Provided:

• Name and contact details of new/replacement sub-processor
• Description of Processing activities to be performed
• Location(s) where Personal Data will be processed
• Security and compliance certifications
• Data Processing Agreement and Standard Contractual Clauses status

6.5 Customer Right to Object

Objection Period: Customer has 15 days from receipt of notification to object to the addition or replacement of a sub-processor on reasonable grounds relating to data protection.

How to Object: Customer must submit objection in writing to support@flowframe.io, including:

• Specific sub-processor being objected to
• Reasonable grounds for objection based on data protection concerns
• Supporting evidence or documentation for objection

Flowframe Response:

• Flowframe will acknowledge Customer's objection within 3 business days
• Flowframe will engage in good faith discussions to address Customer's concerns
• Flowframe may propose alternative solutions or additional safeguards

Resolution Options:

1. Flowframe Addresses Concerns: Implement additional safeguards or select alternative sub-processor
2. Agreement on Safeguards: Customer and Flowframe agree on additional contractual or technical measures
3. Termination: If objection cannot be resolved, Customer may terminate the Agreement without penalty, and Flowframe will refund any prepaid fees for unused service

Deemed Acceptance: If Customer does not object within 15 days, Customer is deemed to have accepted the new or replacement sub-processor.

---

7. INTERNATIONAL DATA TRANSFERS

7.1 Primary Data Location

EU Data Residency: Flowframe's primary infrastructure is hosted in the European Union (London, United Kingdom), providing strong data protection under GDPR and UK GDPR.

Data Center: DigitalOcean London (LON1) datacenter

• Location: London, United Kingdom
• Compliance: GDPR-compliant, ISO 27001, SOC 2 Type II certified
• Backup Location: Same region (London, UK)

Benefits for EU/UK Customers:

• Data remains within EU/UK jurisdiction
• Subject to GDPR and UK GDPR protections
• Reduced latency for European users
• Simplified compliance for EU-based Controllers

7.2 Data Transfer Mechanisms

Where Flowframe transfers Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to Third Countries (countries outside EEA/UK without adequacy decision), Flowframe relies on the following mechanisms:

7.2.1 Standard Contractual Clauses (SCCs)

Legal Basis: Flowframe uses the European Commission's Standard Contractual Clauses (SCCs) approved by Decision 2021/914/EU for international data transfers.

Modules Used:

• Module Two: Controller to Processor (when Customer is Controller and Flowframe is Processor)
• Module Three: Processor to Processor (for transfers to sub-processors like Stripe and Google)

SCC Incorporation: The SCCs are incorporated by reference into this DPA and are attached as Appendix A (see Section 15).

Availability: Full executed SCCs available upon request at support@flowframe.io within 5 business days.

7.2.2 EU-US Data Privacy Framework

For sub-processors certified under the EU-US Data Privacy Framework (DPF), Flowframe relies on their DPF certification as an additional safeguard:

• Stripe: EU-US Data Privacy Framework certified
• Google: EU-US Data Privacy Framework certified (when engaged as sub-processor)

DPF Compliance: https://www.dataprivacyframework.gov/list

7.2.3 UK Addendum to SCCs

For transfers from the United Kingdom, Flowframe uses the UK Information Commissioner's Office (ICO) International Data Transfer Addendum to the EU SCCs.

UK GDPR Compliance: All transfers from UK comply with UK GDPR requirements and ICO guidance.

7.3 Transfers to Sub-Processors

7.3.1 Stripe (United States)

Transfer Mechanism:

• Standard Contractual Clauses (Module Three: Processor to Processor)
• EU-US Data Privacy Framework certification
• Stripe Data Processing Agreement

Data Transferred: Billing information (name, email, address, payment tokens, transaction history)

Purpose: Payment processing for subscriptions

Safeguards:

• PCI DSS Level 1 compliance
• AES-256 encryption at rest, TLS 1.3 in transit
• Tokenization of payment card data
• SOC 2 Type II and ISO 27001 certified

7.3.2 Google LLC (United States) - PLANNED Q2 2026

Transfer Mechanism (when sub-processor is engaged):

• Standard Contractual Clauses (Module Three: Processor to Processor)
• EU-US Data Privacy Framework certification
• Google Cloud Data Processing Agreement
• Zero Data Retention (ZDR) policy

Data to be Transferred: Metadata and natural language questions (NOT actual customer data or query results)

Purpose: AI-powered SQL query generation

Safeguards:

• Zero Data Retention: Prompts not stored or used for training
• Data processed and immediately deleted
• SOC 2, ISO 27001, GDPR-compliant infrastructure
• Customer opt-out capability

7.4 Supplementary Measures

In addition to Standard Contractual Clauses, Flowframe implements supplementary technical and organizational measures to protect data transfers, as required by the European Data Protection Board (EDPB) Recommendations 01/2020:

Technical Measures:

• Encryption in Transit: TLS 1.3 for all data transfers
• Encryption at Rest: AES-256 encryption for stored data
• Access Controls: Strong authentication and authorization
• Data Minimization: Only necessary data transferred to sub-processors

Organizational Measures:

• Contractual Protections: Data Processing Agreements with all sub-processors
• Transparency: Clear disclosure of all data transfers and sub-processors
• Vendor Assessment: Security and compliance review before engaging sub-processors
• Limited Purpose: Data used only for specified purposes
• Deletion Obligations: Sub-processors required to delete data upon termination

Legal Protections:

• Government Access Procedures: Sub-processors required to notify Flowframe of government data requests (where legally permitted)
• Legal Challenge: Commitment to challenge disproportionate or unlawful government requests
• Transparency Reports: Monitoring for government data access requests

7.5 Assessment of Third Country Laws

Flowframe has assessed the laws of Third Countries where sub-processors operate, particularly:

United States (Stripe, Google):

• Legal Framework: EU-US Data Privacy Framework provides adequacy-like protections
• Government Access: US law (FISA, CLOUD Act) permits government access under certain conditions
• Mitigations: SCCs + supplementary measures + DPF certification + zero data retention (Google)
• Risk Assessment: Low risk given encryption, limited data transferred, contractual protections

Ongoing Monitoring: Flowframe continuously monitors legal developments in Third Countries and will:

• Update transfer mechanisms if adequacy decisions or legal frameworks change
• Implement additional safeguards if new risks are identified
• Notify Customer of material changes to data transfer risks

7.6 Customer Consent and Acknowledgment

By accepting this DPA, Customer:

• Acknowledges international data transfers to Third Countries as described
• Consents to use of Standard Contractual Clauses and supplementary measures
• Authorizes transfers to current and future sub-processors (subject to objection rights in Section 6.5)
• Agrees that Flowframe has implemented appropriate safeguards for international transfers

7.7 Alternative Data Residency (Enterprise)

Enterprise Option: For Enterprise customers with specific data residency requirements, Flowframe may offer alternative hosting locations or data residency solutions. Contact support@flowframe.io for custom data residency arrangements.

Custom Deployments: Enterprise customers may request on-premises or private cloud deployments for complete data residency control (subject to minimum contract value and technical feasibility).

---

8. DATA SUBJECT RIGHTS SUPPORT

Flowframe shall assist Customer in fulfilling Data Subject requests to exercise their rights under Data Protection Laws. Customer remains responsible for verifying Data Subject identities and responding to Data Subjects directly.

8.1 Overview of Data Subject Rights

Under GDPR (Articles 15-22) and other Data Protection Laws, Data Subjects have the following rights:

1. Right of Access (Article 15): Obtain confirmation and copy of Personal Data being processed
2. Right to Rectification (Article 16): Correct inaccurate or incomplete Personal Data
3. Right to Erasure ("Right to be Forgotten") (Article 17): Request deletion of Personal Data
4. Right to Restriction of Processing (Article 18): Limit how Personal Data is used
5. Right to Data Portability (Article 20): Receive Personal Data in machine-readable format
6. Right to Object (Article 21): Object to certain types of Processing
7. Rights Related to Automated Decision-Making (Article 22): Not be subject to solely automated decisions

Response Timeline: Customer must respond to Data Subject requests within 1 month of receipt (extendable by 2 months for complex requests).

Flowframe Assistance Timeline: Flowframe will provide assistance within 10 business days of Customer's request for support.

8.2 Right of Access (GDPR Article 15)

Data Subject Entitlement: Data Subjects may request:

• Confirmation whether their Personal Data is being processed
• Access to their Personal Data
• Information about Processing purposes, categories, recipients, retention periods, and Data Subject rights

Supported Export via Email:

• Customer emails support@flowframe.io with subject "Data Subject Access Request"
• Provides Customer account email and description of requested data
• Flowframe provides export within 10 business days
• Export delivered securely via encrypted email or secure download link

Information Provided in Export:

{
  "account": {
    "email": "user@example.com",
    "name": "John Doe",
    "created_at": "2026-01-01T00:00:00Z",
    "last_login": "2026-01-10T12:00:00Z"
  },
  "workspaces": [...],
  "projects": [...],
  "query_history": [...],
  "metadata": [...],
  "collaboration_activity": [...]
}

Customer Responsibility:

• Verify identity of Data Subject making request
• Determine whether to fulfill or refuse request
• Communicate directly with Data Subject
• Provide additional information required by GDPR Article 15(1)

8.3 Right to Rectification (GDPR Article 16)

Data Subject Entitlement: Data Subjects may request correction of inaccurate or incomplete Personal Data.

Flowframe Assistance:

Self-Service Correction:

• Customer can update most data directly in Flowframe interface:
  • Account Settings: Update name, email, password
  • Workspace Settings: Update workspace name, team member roles
  • Projects: Update project names, descriptions, metadata

Steps for Customer:

1. Log into Flowframe account
2. Navigate to relevant settings page
3. Update inaccurate information
4. Changes take effect immediately

Supported Correction:

• For data not accessible via UI, Customer may email support@flowframe.io
• Flowframe will correct data within 5 business days
• Confirmation of correction provided to Customer

Customer Responsibility:

• Verify accuracy of correction requested by Data Subject
• Ensure corrected data complies with Data Protection Laws
• Inform Data Subject of correction

8.4 Right to Erasure / Right to be Forgotten (GDPR Article 17)

Data Subject Entitlement: Data Subjects may request deletion of Personal Data in certain circumstances:

• Personal Data no longer necessary for original purpose
• Data Subject withdraws consent
• Data Subject objects to Processing and no overriding legitimate grounds exist
• Personal Data processed unlawfully
• Legal obligation requires deletion

Limitations: Right to erasure does NOT apply when Processing is necessary for:

• Compliance with legal obligations
• Establishment, exercise, or defense of legal claims
• Archiving purposes in the public interest, scientific/historical research, or statistical purposes

Flowframe Assistance:

Self-Service Deletion:

• Delete Individual Projects:

  • Navigate to Project Settings → Delete Project
  • Immediate deletion from active storage
  • Purged from backups after 30 days

• Delete Entire Account:

  • Navigate to Account Settings → Delete Account
  • Confirm deletion (irreversible action)
  • All Personal Data deleted immediately from active storage
  • Purged from backups within 30 days
  • Billing records retained for 7 years (legal requirement)

Supported Deletion:

• Customer may request deletion by emailing support@flowframe.io
• Flowframe will delete specified Personal Data within 10 business days
• Deletion certificate provided upon request

What Gets Deleted:

• Account credentials and authentication data
• Workspace settings and team member associations
• Projects, query history, and metadata
• Collaboration data and comments
• Usage analytics linked to Customer

What May Be Retained:

• Billing Records: Retained for 7 years for tax and financial compliance (legal obligation)
• Anonymized Analytics: Aggregated, non-identifiable usage statistics
• Legal/Dispute Data: Data necessary for establishment, exercise, or defense of legal claims

Customer Responsibility:

• Determine whether Data Subject's request meets legal criteria for erasure
• Verify identity of Data Subject
• Assess whether legal obligations or overriding legitimate grounds prevent deletion
• Communicate deletion decision to Data Subject

8.5 Right to Restriction of Processing (GDPR Article 18)

Data Subject Entitlement: Data Subjects may request restriction (not deletion) of Processing when:

• Accuracy of Personal Data is contested (restriction during verification period)
• Processing is unlawful but Data Subject prefers restriction over deletion
• Flowframe no longer needs the data, but Data Subject needs it for legal claims
• Data Subject has objected to Processing (restriction pending verification of overriding grounds)

Flowframe Assistance:

Account Suspension (temporary restriction):

• Customer may request temporary suspension of account via support@flowframe.io
• Suspended accounts:
  • Cannot log in or access Services
  • Data retained but not actively processed
  • Can be reactivated upon request
• Suspension implemented within 3 business days

Feature-Specific Restrictions:

• Disable AI Features: Customer can disable AI query processing in workspace settings
• Disable Collaboration: Customer can disable real-time collaboration features
• Restrict Access: Customer can change team member roles or remove access

Customer Responsibility:

• Determine whether restriction is appropriate
• Decide on scope and duration of restriction
• Inform Data Subject of restriction and any limitations
• Inform Data Subject before lifting restriction

8.6 Right to Data Portability (GDPR Article 20)

Data Subject Entitlement: Data Subjects may receive their Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller where:

• Processing is based on consent or contract
• Processing is carried out by automated means

Flowframe Assistance:

JSON Export (machine-readable format):

• Same self-service export as Right of Access (Section 8.2)
• JSON format allows easy import into other systems
• Includes all Personal Data provided by or generated about Data Subject

API Access (for programmatic export):

• Enterprise customers: API endpoints available for data export
• Authentication required
• Rate limiting applies
• Documentation at https://docs.flowframe.io/api

Data Included in Portability Export:

• Account information
• Projects and analyses created by Data Subject
• Query history
• Metadata and descriptions
• Collaboration activity
• Workspace settings

Format: JSON (JavaScript Object Notation) - widely compatible, machine-readable format

Customer Responsibility:

• Verify Data Subject's identity
• Determine whether data portability right applies (consent or contract basis)
• Provide exported data to Data Subject securely
• Assist Data Subject in transmitting data to another controller if requested

8.7 Right to Object (GDPR Article 21)

Data Subject Entitlement: Data Subjects may object to Processing based on:

• Legitimate interests (Article 6(1)(f))
• Performance of public interest tasks (Article 6(1)(e))
• Direct marketing (absolute right)
• Scientific/historical research or statistical purposes (unless Processing necessary for public interest task)

Upon objection, Processor must cease Processing unless compelling legitimate grounds override Data Subject's interests, rights, and freedoms, or Processing is necessary for legal claims.

Flowframe Assistance:

Opt-Out Mechanisms:

• Marketing Emails: Unsubscribe link in all marketing emails (immediate effect)
• Optional Features: Disable AI features, collaboration, or analytics in workspace settings
• Account Deletion: Ultimate objection is account deletion (see Section 8.4)

Processing Cessation:

• If Customer determines objection is valid, Customer may request cessation by emailing support@flowframe.io
• Flowframe will cease objected Processing within 10 business days
• Alternative: Account deletion if Processing cannot continue without objected activity

Customer Responsibility:

• Assess whether Data Subject's objection is valid under Data Protection Laws
• Determine whether compelling legitimate grounds override objection
• Balance Data Subject's interests against Customer's legitimate interests
• Inform Data Subject of decision and reasoning

8.8 Rights Related to Automated Decision-Making and Profiling (GDPR Article 22)

Data Subject Entitlement: Data Subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.

Flowframe's Position:

• No Automated Decision-Making: Flowframe does NOT use Personal Data for automated decision-making or profiling
• AI Query Generation: AI feature generates SQL queries but does NOT make decisions about individuals
• No Profiling: No profiling of Data Subjects based on their Personal Data

Customer Responsibility:

• If Customer uses Flowframe to conduct automated decision-making or profiling, Customer must comply with GDPR Article 22
• Customer must implement safeguards, including human review, for automated decisions with legal/significant effects

8.9 Additional Assistance and Coordination

Flowframe Commitment: Flowframe will reasonably assist Customer in fulfilling Data Subject rights, including:

• Providing technical documentation on data export formats
• Explaining how data is processed in Flowframe architecture
• Coordinating with sub-processors for data retrieval if necessary
• Providing confirmation of actions taken (deletion, correction, restriction)

Complex Requests: For complex or unusual Data Subject requests requiring significant Flowframe engineering effort (e.g., custom data exports, forensic data retrieval), Flowframe may charge reasonable professional services fees, agreed in advance with Customer.

Customer's Primary Responsibility: Customer remains primarily responsible for:

• Receiving and triaging Data Subject requests
• Verifying Data Subject identities (preventing fraudulent requests)
• Determining legal validity of requests
• Communicating with Data Subjects directly
• Making final decisions on how to respond to requests

---

9. DATA BREACH NOTIFICATION AND INCIDENT RESPONSE

9.1 Definition of Personal Data Breach

A "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

Examples of Personal Data Breaches:

• Unauthorized access to Customer account data
• Accidental disclosure of Personal Data to unauthorized third party
• Ransomware attack encrypting or destroying Personal Data
• Lost or stolen device containing unencrypted Personal Data
• Insider threat (employee unauthorized access to Personal Data)
• Hacking or cyberattack resulting in data exfiltration

9.2 Breach Notification Obligation

GDPR Requirement: Flowframe must notify Customer of any Personal Data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (GDPR Article 33).

Flowframe Commitment: Flowframe will notify Customer within 72 hours of confirming a breach of Customer's Personal Data.

Notification Method:

• Primary: Email to Customer's registered account email address
• Subject Line: "URGENT: Personal Data Breach Notification - Flowframe"
• Secondary: Notification within Flowframe dashboard (if accessible)
• Escalation: Phone call for high-severity breaches (if contact number available)

9.3 Breach Notification Content

Flowframe's breach notification shall include (to the extent information is available at time of notification):

Required Information (GDPR Article 33(3)):

1. Nature of Breach:

   • Description of the breach and how it occurred
   • Date and time of breach (or estimated timeframe)
   • Date and time Flowframe became aware of breach

2. Categories and Approximate Numbers:

   • Categories of Data Subjects affected (e.g., "employees", "customers")
   • Approximate number of Data Subjects affected
   • Categories of Personal Data records affected (e.g., "account credentials", "billing data")
   • Approximate number of Personal Data records affected

3. Likely Consequences:

   • Assessment of potential impact on affected Data Subjects
   • Severity rating: Critical / High / Medium / Low
   • Risk of identity theft, fraud, financial loss, reputational damage, etc.

4. Measures Taken or Proposed:

   • Actions Flowframe has taken to contain and remediate the breach
   • Proposed measures to mitigate adverse effects on Data Subjects
   • Timeline for implementing remediation measures

5. Contact Point:

   • Name and contact details of Flowframe's data protection contact
   • Email: support@flowframe.io
   • Person responsible: Francis Atoyebi, Founder & CEO

6. Recommendations for Customer:

   • Whether Customer should notify Data Subjects
   • Whether Customer should notify Supervisory Authority
   • Recommended actions for Customer to protect affected Data Subjects

Phased Notification: If all information is not available within 72 hours, Flowframe will provide:

• Initial Notification: Within 72 hours with available information
• Follow-Up Updates: As investigation progresses and more information becomes available
• Final Report: Comprehensive incident report within 14 days of breach discovery

9.4 Incident Response Procedures

Flowframe follows a structured incident response process:

Phase 1: Detection and Identification (Target: Within 1 hour)

• Monitoring Systems: Automated alerts for suspicious activity
• Incident Logging: All potential security events logged
• Triage: Determine if incident constitutes a Personal Data breach
• Initial Assessment: Severity and scope evaluation

Phase 2: Containment (Target: Within 4 hours)

• Immediate Actions:

  • Isolate affected systems to prevent further unauthorized access
  • Disable compromised credentials or accounts
  • Block malicious IP addresses or network traffic
  • Preserve evidence for forensic investigation

• Damage Limitation:

  • Prevent breach from spreading to additional systems
  • Protect unaffected data and systems
  • Implement temporary security controls

Phase 3: Investigation (Target: Within 24-48 hours)

• Root Cause Analysis: Determine how breach occurred
• Scope Assessment: Identify all affected data and systems
• Evidence Collection: Preserve logs, system snapshots, and forensic evidence
• Attribution: Identify threat actor or cause (if possible)
• Timeline Reconstruction: Document sequence of events

Phase 4: Notification (Target: Within 72 hours)

• Customer Notification: As described in Section 9.2
• Internal Notification: Inform relevant Flowframe personnel
• Sub-Processor Notification: If breach originated with sub-processor
• Regulatory Notification: If required by law (with Customer coordination)

Phase 5: Eradication and Recovery (Target: Within 7 days)

• Remove Threat: Eliminate vulnerability or threat actor access
• Restore Systems: Return affected systems to secure operational state
• Verification: Confirm threat has been fully eradicated
• Enhanced Monitoring: Increased monitoring for residual threats

Phase 6: Post-Incident Review (Target: Within 14 days)

• Lessons Learned: Analyze what went wrong and why
• Improvement Actions: Identify security enhancements to prevent recurrence
• Final Report: Comprehensive incident documentation
• Policy Updates: Update security policies and procedures as needed

9.5 Customer Obligations After Breach

Upon receiving breach notification from Flowframe, Customer must:

Assessment:

• Evaluate whether the breach requires notification to Data Subjects (GDPR Article 34)
• Determine whether breach must be reported to Supervisory Authority (GDPR Article 33)
• Assess impact on affected Data Subjects

Notification to Supervisory Authority (if required):

• Customer must notify their Supervisory Authority within 72 hours of becoming aware of the breach (if breach is likely to result in risk to rights and freedoms)
• Flowframe will provide information to assist Customer in preparing the notification

Notification to Data Subjects (if required):

• Customer must notify affected Data Subjects without undue delay if breach is likely to result in high risk to rights and freedoms (GDPR Article 34)
• Flowframe will provide information to assist Customer in identifying affected Data Subjects

Coordination:

• Customer and Flowframe shall coordinate on external communications to ensure consistency
• Customer shall not publicly disclose breach without consulting Flowframe (unless legally required)

9.6 Breach Documentation

Flowframe's Obligation: Flowframe shall document all Personal Data breaches, including:

• Facts relating to the breach
• Effects of the breach
• Remedial action taken

Records Maintained: Breach documentation retained for 3 years and made available to Supervisory Authorities upon request.

Customer Access: Customer may request copies of breach documentation for their records.

9.7 Sub-Processor Breaches

If a breach occurs at a sub-processor (e.g., DigitalOcean, Stripe), Flowframe will:

1. Require sub-processor to notify Flowframe immediately
2. Investigate scope and impact with sub-processor
3. Notify Customer within 72 hours (same timeline as direct breaches)
4. Coordinate remediation with sub-processor
5. Hold sub-processor accountable for breach (contractually)

Flowframe remains fully responsible to Customer for sub-processor breaches.

9.8 No Breach Threshold

Security Incidents vs. Breaches: Not all security incidents constitute Personal Data breaches. Flowframe distinguishes between:

• Security Incidents: Events that may pose risk but do not result in unauthorized access/disclosure (e.g., failed login attempts, blocked attacks, vulnerabilities discovered and patched before exploitation)
• Personal Data Breaches: Events resulting in actual or likely unauthorized access, disclosure, alteration, or loss of Personal Data

No Notification for Non-Breaches: Flowframe is NOT required to notify Customer of security incidents that do not constitute Personal Data breaches.

Transparency: Flowframe may provide periodic security reports to Customer summarizing security incidents and threat landscape (optional, upon request).

9.9 Testing and Preparedness

Incident Response Testing:

• Annual tabletop exercises to test incident response procedures
• Simulated breach scenarios to validate notification processes
• Regular review and update of incident response plans

Continuous Improvement:

• Incorporate lessons learned from real incidents and exercises
• Update procedures based on evolving threats and regulatory guidance
• Train personnel on incident response roles and responsibilities

---

10. DATA RETENTION AND DELETION

10.1 Retention Principles

Data Minimization: Flowframe retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.

Retention Governed By:

• Duration of Customer's subscription/account
• Legal and regulatory retention requirements
• Legitimate business purposes (e.g., dispute resolution, contract enforcement)
• Customer's instructions and configuration

10.2 Retention During Active Subscription

While Customer's account is active, Flowframe retains:

• Account and authentication data
• Workspace settings and configurations
• Projects, query history, and metadata
• Collaboration data (Yjs documents)
• Usage analytics
• Billing and transaction history

Customer Control: Customer may delete individual projects, workspaces, or team members at any time via the platform interface. Deleted items are purged from active storage immediately and from backups within 30 days.

10.3 Retention After Account Deletion or Termination

30-Day Backup Retention: When Customer deletes their account or terminates the Agreement:

Immediate Deletion (Day 0):

• Account credentials and authentication data deleted from active production systems
• Personal Data removed from active databases
• Access to Services immediately revoked
• Public sharing links deactivated

Backup Retention (Days 1-30):

• Personal Data remains in encrypted backups for disaster recovery purposes
• Backups are NOT accessible for normal operations
• Backups are immutable (write-once-read-many) to prevent tampering

Permanent Deletion (Day 31):

• Personal Data permanently deleted from all backups
• Data rendered irrecoverable through cryptographic erasure (encryption keys destroyed)
• Deletion certified upon Customer request

Exceptions to 30-Day Deletion:

1. Billing Records (7-year retention):

   • What: Invoices, receipts, payment records, tax documentation
   • Why: Legal requirement for tax and financial compliance (e.g., IRS, HMRC, tax authorities)
   • Legal Basis: Compliance with legal obligation (GDPR Article 6(1)(c))
   • Data Retained: Billing name, email, company name, amounts paid, dates, invoice IDs
   • Data NOT Retained: Usage data, project data, query history, collaboration data

2. Legal/Dispute Data (6-year retention or until resolved):

   • What: Data necessary for establishment, exercise, or defense of legal claims
   • Examples: Dispute resolution, litigation, regulatory investigation, contract enforcement
   • Legal Basis: Legitimate interests for legal claims (GDPR Article 6(1)(f))
   • Retention: Until claim is resolved or statute of limitations expires (typically 6 years)

3. Anonymized Analytics (indefinite retention):

   • What: Aggregated, anonymized usage statistics that cannot be linked to individuals
   • Examples: "Number of projects created in January 2026", "Average query execution time"
   • Why: Not considered Personal Data under GDPR once properly anonymized
   • Anonymization: Irreversible process removing all identifiers; cannot be re-identified

10.4 Data Deletion Methods

Secure Deletion Standards: Flowframe employs industry-standard secure deletion methods:

Active Storage Deletion:

• Database records marked as deleted and excluded from queries
• Background purge process permanently removes deleted records within 24 hours
• Multi-pass overwrite for sensitive data (e.g., passwords already hashed, so plaintext never existed)

Backup Deletion:

• Encrypted backups expire after 30-day retention period
• Expired backups automatically purged from storage
• Cryptographic Erasure: Encryption keys destroyed, rendering encrypted data permanently irrecoverable even if backup media is compromised

Physical Media Disposal (when hardware is decommissioned):

• DigitalOcean follows NIST SP 800-88 media sanitization guidelines
• Secure wipe or physical destruction of storage media
• Certificate of destruction provided for auditable disposal

10.5 Customer-Initiated Deletion Requests

Self-Service Deletion:

• Individual Projects: Delete Project button in project settings (immediate deletion)
• Team Members: Remove team member from workspace (immediate deletion of access)
• Entire Account: Delete Account in account settings (immediate deletion, 30-day backup retention)

Supported Deletion (via email to support@flowframe.io):

• Customer may request deletion of specific Personal Data
• Flowframe will fulfill request within 10 business days
• Confirmation of deletion provided

Right to be Forgotten Requests:

• See Section 8.4 (Right to Erasure) for Data Subject-initiated deletion requests
• Customer responsible for verifying Data Subject identity and validity of request

Immediate Deletion (bypassing 30-day backup retention):

• Customer may request immediate deletion from backups by emailing support@flowframe.io
• Flowframe will manually purge specified Personal Data from backups within 5 business days
• Available for high-sensitivity situations (e.g., data breach, highly sensitive Personal Data inadvertently uploaded)

10.6 Retention Schedule Summary

Data Category	Active Account	After Deletion	Legal Retention	Final Deletion
Account credentials	Retained	Immediate deletion	None	Day 0 (immediate)
Projects, queries, metadata	Retained	Immediate deletion	None	Day 31 (backups purged)
Collaboration data	Retained	Immediate deletion	None	Day 31 (backups purged)
Usage analytics	Retained	Immediate deletion (identifiable)	Anonymized indefinitely	Day 31 (if identifiable)
Billing records	Retained	Anonymized (amounts/dates kept)	7 years	Year 7 (legal requirement)
Legal/dispute data	Retained	Retained if claim exists	Until resolved or 6 years	Upon claim resolution
Anonymized analytics	Retained	Retained	Indefinite	Never (not Personal Data)

10.7 Deletion Certification

Certificate of Deletion: Upon request, Flowframe will provide Customer with written certification of deletion, including:

• Date of deletion request
• Date of deletion from active systems
• Date of deletion from backups
• Categories of Personal Data deleted
• Signature from authorized Flowframe representative

Request Method: Email support@flowframe.io with subject "Deletion Certification Request"

Delivery Timeline: Within 10 business days of completion of deletion process

---

11. AUDIT RIGHTS AND COMPLIANCE VERIFICATION

11.1 Customer's Audit Rights

GDPR Requirement: Customer has the right to verify Flowframe's compliance with this DPA and Data Protection Laws through audits and inspections (GDPR Article 28(3)(h)).

Audit Frequency: Customer may conduct or commission audits once per calendar year unless:

• A Personal Data breach occurs affecting Customer's data (additional audit permitted)
• Supervisory Authority requires an audit
• Reasonable grounds exist to believe Flowframe is not compliant (additional audit permitted with justification)

11.2 Audit Methodologies

Customer may verify compliance through the following methods:

11.2.1 Documentation Review

Scope: Customer may request and review:

• Security policies and procedures
• Incident response plans and breach logs
• Sub-processor agreements and due diligence
• Data Processing Agreements with sub-processors
• Standard Contractual Clauses
• Employee confidentiality agreements (redacted for personal info)
• Security training records
• Backup and disaster recovery procedures
• Change management processes

Process:

• Customer submits request to support@flowframe.io
• Flowframe provides requested documentation within 15 business days
• Documentation provided under mutual Non-Disclosure Agreement (NDA)

No Cost: Documentation review is provided at no cost to Customer.

11.2.2 Compliance Certifications and Reports

SOC 2 Reports (planned Q2 2026):

• SOC 2 Type I (point-in-time audit) - Target: Q2 2026
• SOC 2 Type II (12-month audit) - Target: Q4 2026
• Reports provided to Customer upon request under NDA
• Covers security, availability, confidentiality, and privacy

ISO 27001 Certification (planned 2027):

• Information Security Management System certification
• Certificate and statement of applicability provided upon request

Sub-Processor Certifications:

• DigitalOcean: SOC 2 Type II, ISO 27001 (available at https://www.digitalocean.com/trust/)
• Stripe: SOC 2, ISO 27001, PCI DSS Level 1 (available at https://stripe.com/docs/security)

Industry Certifications: Flowframe will provide certifications and attestations as they become available.

No Cost: Providing compliance certifications is at no cost to Customer.

11.2.3 Questionnaires and Self-Assessments

Security Questionnaires: Customer may submit security questionnaires (e.g., SIG, CAIQ, VSA) to Flowframe.

• Flowframe will complete questionnaire within 30 business days
• Reasonable scope: Maximum 200 questions per year
• Excessive or repetitive questionnaires may be subject to professional services fees

Preferred Formats: Flowframe maintains completed questionnaires for common frameworks:

• Standard Information Gathering (SIG) Questionnaire
• Consensus Assessment Initiative Questionnaire (CAIQ)
• Vendor Security Assessment (VSA)

No Cost: One comprehensive security questionnaire per year at no cost; additional or custom questionnaires may incur fees.

11.2.4 On-Site or Remote Audits

Third-Party Audits: Customer may engage an independent third-party auditor to conduct on-site or remote audits of Flowframe's Processing activities and security controls.

Advance Notice Required: Minimum 30 days written notice to support@flowframe.io

Audit Plan Required: Customer must provide:

• Name and credentials of auditor (must be reputable firm)
• Scope and objectives of audit
• Specific controls or areas to be examined
• Proposed dates and duration (maximum 3 business days on-site)
• Personnel who will participate

Flowframe Approval: Flowframe may reasonably object to proposed auditor if:

• Auditor is a competitor or has conflict of interest
• Auditor cannot sign appropriate confidentiality agreement
• Scope is overly broad or disruptive to operations

Confidentiality: Auditor must sign Flowframe's NDA before audit.

Cooperation:

• Flowframe will provide reasonable access to facilities, systems, and personnel
• Audits conducted during normal business hours (9 AM - 5 PM GMT, Monday-Friday)
• Flowframe personnel will be available to answer questions

Cost:

• Customer bears all costs of third-party auditor (auditor fees, travel, expenses)
• Flowframe may charge reasonable fees for significant personnel time (e.g., >16 hours) dedicated to audit support
• Fees agreed in advance before audit commences

Audit Report:

• Auditor provides findings report to Customer
• Customer shares summary of findings with Flowframe (redacting confidential Customer information)
• Flowframe commits to address any non-compliance findings within reasonable timeframe

Limitations:

• Audits may not disrupt Flowframe's business operations
• Auditor may not access other customers' data or unrelated systems
• Flowframe may decline access to information that would violate confidentiality obligations to third parties

11.2.5 Remote Technical Assessments

Penetration Testing: Customer may request permission to conduct penetration testing or vulnerability scanning of Flowframe's infrastructure.

Pre-Approval Required: Customer must obtain written approval from Flowframe at least 14 days in advance.

Scope Restrictions:

• Testing must not disrupt service or impact other customers
• Testing limited to Customer's own account and data
• Denial-of-service (DoS) attacks prohibited
• Social engineering or physical attacks prohibited
• Testing must comply with Flowframe's Acceptable Use Policy

Responsible Disclosure: Any vulnerabilities discovered must be reported to Flowframe immediately at support@flowframe.io (see Flowframe's Security Vulnerability Disclosure Policy).

Flowframe's Own Testing: Flowframe conducts annual penetration testing by independent third parties (starting Q2 2026). Summary results available to Enterprise customers upon request.

11.3 Audit Coordination

Single Audit Provision: To reduce audit burden, Flowframe may propose that multiple customers participate in a pooled audit conducted by a mutually agreed independent auditor.

Benefits:

• Reduced cost per customer
• More comprehensive audit scope
• Industry-recognized auditor
• Consistent audit standards

Customer Acceptance: Customer may accept or decline pooled audit and conduct individual audit instead.

11.4 Remediation of Findings

Non-Compliance Identified: If audit reveals non-compliance with this DPA or Data Protection Laws, Flowframe shall:

1. Acknowledge findings within 5 business days
2. Remediation Plan: Provide written remediation plan within 15 business days, including:
   • Root cause analysis
   • Specific actions to address each finding
   • Responsible parties
   • Target completion dates
3. Implementation: Execute remediation plan according to agreed timeline
4. Verification: Provide evidence of remediation completion
5. Follow-Up: Customer may request follow-up audit to verify remediation (at Customer's cost)

Material Non-Compliance: If non-compliance poses significant risk to Personal Data, Customer may:

• Require immediate corrective action
• Suspend Processing until remediated
• Terminate Agreement if not remediated within reasonable time

11.5 Limitations and Exceptions

Trade Secrets and Confidential Information: Flowframe may redact or withhold information that:

• Constitutes trade secrets or proprietary technology
• Would violate confidentiality obligations to third parties
• Is not relevant to data protection compliance

Alternative Demonstration: If information cannot be disclosed, Flowframe will provide alternative means of demonstrating compliance (e.g., third-party certification, attestation, summary description).

Security Concerns: Flowframe may restrict audit access to information that could compromise security if disclosed (e.g., specific vulnerability details, security architecture diagrams, penetration test reports). Such information may be disclosed only to qualified auditors under strict confidentiality.

---

12. LIABILITY, INDEMNIFICATION, AND INSURANCE

12.1 Limitation of Liability

Liability Cap: Flowframe's total aggregate liability arising out of or related to this DPA (including all claims for breach of contract, negligence, or other torts) shall be limited to the amount Customer paid Flowframe in the 12 months immediately preceding the claim.

Free Tier Users: For Customers on the Free tier who have not paid any fees, Flowframe's total liability is limited to $100 USD.

Per-Incident vs. Aggregate: The liability cap applies in the aggregate to all claims, not per incident.

12.2 Exclusions from Liability Cap

The following are NOT subject to the liability cap and Flowframe may be fully liable:

1. Gross Negligence or Willful Misconduct: Intentional wrongdoing or reckless disregard for obligations
2. Data Breaches Caused by Flowframe: Breaches resulting from Flowframe's failure to implement required security measures
3. Violation of Data Protection Laws: Damages resulting from Flowframe's non-compliance with GDPR or other Data Protection Laws
4. Death or Personal Injury: Caused by Flowframe's negligence (unlikely in context of data processing, but not limited)
5. Fraud or Fraudulent Misrepresentation: Intentional deception or false statements
6. Indemnification Obligations: Flowframe's duty to indemnify Customer under Section 12.4

Regulatory Fines: GDPR fines imposed on Customer due to Flowframe's breach of this DPA are NOT subject to the liability cap.

12.3 Excluded Damages

Disclaimer of Consequential Damages: TO THE MAXIMUM EXTENT PERMITTED BY LAW, FLOWFRAME SHALL NOT BE LIABLE FOR:

• Indirect Damages: Losses not directly caused by breach
• Consequential Damages: Losses flowing from the breach but not immediately caused by it
• Incidental Damages: Costs of substitute services or workarounds
• Punitive or Exemplary Damages: Damages intended to punish beyond compensation
• Lost Profits or Revenue: Business income lost due to breach
• Loss of Business Opportunities: Deals or opportunities lost due to breach
• Loss of Goodwill or Reputation: Damage to brand or reputation
• Loss of Data: Permanent loss of data (subject to backup obligations)

Even If Advised: The above exclusions apply even if Flowframe was advised of the possibility of such damages.

Exceptions: Exclusions do NOT apply to liability arising from Flowframe's gross negligence, willful misconduct, or fraud.

12.4 Indemnification by Flowframe

Flowframe's Indemnity: Flowframe shall indemnify, defend, and hold harmless Customer from and against any third-party claims, damages, losses, and expenses (including reasonable attorneys' fees) arising from:

1. Flowframe's Breach of DPA: Violation of obligations under this DPA
2. Flowframe's Violation of Data Protection Laws: Non-compliance with GDPR or other Data Protection Laws in performing Processing
3. Flowframe's Security Failures: Data breaches caused by Flowframe's failure to implement appropriate security measures
4. Flowframe's Gross Negligence or Willful Misconduct: Intentional or reckless violations
5. Sub-Processor Breaches: Breaches by Flowframe's sub-processors (Flowframe remains liable)

Conditions for Indemnity: Customer must:

• Promptly Notify Flowframe in writing of any claim (within 10 business days of becoming aware)
• Provide Control: Give Flowframe sole control of defense and settlement of claim
• Cooperate: Reasonably cooperate with Flowframe in defense (at Flowframe's expense)
• No Admission: Not admit liability or settle claim without Flowframe's prior written consent

Indemnity Limitations: Flowframe's indemnity does NOT apply if:

• Claim arises from Customer's breach of this DPA or Terms of Service
• Claim arises from Customer's violation of Data Protection Laws
• Customer modified Flowframe's Services in a way that caused the claim
• Customer continued using Flowframe after being advised to stop due to infringement or violation

Settlement: Flowframe may settle any claim on terms it deems appropriate, provided settlement does not require Customer to admit liability or pay money (unless Flowframe reimburses Customer).

12.5 Indemnification by Customer

Customer's Indemnity: Customer shall indemnify, defend, and hold harmless Flowframe from and against any third-party claims, damages, losses, and expenses (including reasonable attorneys' fees) arising from:

1. Customer's Breach of DPA: Violation of Customer's obligations under this DPA
2. Customer's Violation of Data Protection Laws: Customer's failure to establish lawful basis, obtain consents, or comply with Data Protection Laws
3. Customer's Data: Claims that Customer's data infringes third-party intellectual property rights or violates laws
4. Customer's Instructions: Claims arising from Flowframe's compliance with Customer's lawful instructions
5. Unauthorized Data Processing: Customer uploading Special Categories of Personal Data without authorization or processing data Customer has no right to process
6. Customer's Failure to Notify Data Subjects: Claims from Data Subjects due to Customer's failure to provide privacy notices or obtain consents

Conditions for Indemnity: Flowframe must:

• Promptly notify Customer in writing of any claim
• Provide Customer control of defense and settlement
• Cooperate with Customer in defense
• Not admit liability or settle without Customer's consent

12.6 Regulatory Fines and Penalties

GDPR Fines: If a Supervisory Authority imposes fines for GDPR violations:

Flowframe Liable For:

• Fines resulting from Flowframe's breach of this DPA
• Fines for Processing beyond Customer's instructions
• Fines for failing to implement appropriate security measures
• Fines for failing to notify breaches within required timeframes
• Fines for sub-processor violations (Flowframe liable for sub-processor acts)

Customer Liable For:

• Fines resulting from Customer's violation of Data Protection Laws
• Fines for failing to establish lawful basis for Processing
• Fines for failing to obtain necessary consents
• Fines for failing to respond to Data Subject rights requests
• Fines for Customer's unlawful Processing instructions

Joint and Several Liability: If both parties contributed to the violation, liability shall be apportioned based on respective fault and degree of contribution.

Cooperation: Parties shall cooperate in responding to regulatory investigations and contesting unjust fines.

12.7 Insurance

Flowframe's Insurance: Flowframe maintains the following insurance policies:

1. Cyber Liability Insurance:

   • Coverage for data breaches, cyber incidents, and privacy violations
   • Minimum coverage: $1,000,000 USD per occurrence (target for post-Series A funding)
   • Current Status (Beta): Cyber insurance planned upon commercial launch and sufficient revenue

2. Professional Liability Insurance (Errors & Omissions):

   • Coverage for negligent acts, errors, or omissions in providing Services
   • Minimum coverage: $1,000,000 USD per claim
   • Current Status (Beta): E&O insurance planned upon commercial launch

3. General Liability Insurance:

   • Coverage for bodily injury, property damage, and personal injury
   • Minimum coverage: $1,000,000 USD per occurrence
   • Current Status (Beta): General liability insurance in place

Beta Status Disclaimer: As Flowframe is currently in beta with no paying customers, full insurance coverage is not yet in place. Upon commercial launch and securing revenue, Flowframe commits to obtaining comprehensive cyber liability and professional liability insurance as described above.

Certificates of Insurance: Enterprise customers may request certificates of insurance upon request (available post-commercial launch).

Insurance Not a Cap: Existence of insurance does NOT limit Flowframe's liability beyond the caps stated in Section 12.1.

12.8 Allocation of Risk

Risk Distribution: This DPA allocates risk between the parties as follows:

• Flowframe Bears Risk: Security breaches, sub-processor failures, compliance violations by Flowframe
• Customer Bears Risk: Lawfulness of Processing, consents, Data Subject communications, Customer's own compliance
• Shared Risk: Incidents involving both parties' actions, joint investigations, regulatory engagement

No Guarantee of Security: While Flowframe implements robust security measures, NO SYSTEM IS 100% SECURE. Customer acknowledges that absolute security cannot be guaranteed and accepts residual risk of Processing Personal Data through cloud services.

12.9 Survival

Post-Termination Liability: Sections 12.1 through 12.8 survive termination or expiration of this DPA for the applicable statute of limitations period (typically 3-6 years depending on jurisdiction).

---

13. TERM AND TERMINATION

13.1 Term of Agreement

Effective Date: This DPA takes effect on the date Customer accepts the Flowframe Terms of Service and creates a Flowframe account.

Duration: This DPA remains in effect for the duration of the Terms of Service and as long as Flowframe processes Personal Data on behalf of Customer.

Auto-Renewal: If Terms of Service auto-renew, this DPA automatically renews with the Terms of Service unless either party terminates.

13.2 Termination by Customer

Termination Rights: Customer may terminate this DPA at any time by:

1. Cancelling Subscription: Cancel subscription in account settings (access continues until end of billing period)
2. Deleting Account: Delete account in account settings (immediate termination)
3. Written Notice: Email support@flowframe.io with termination request

Effective Date of Termination:

• Paid Subscription Cancelled: End of current billing period (Customer retains access until then)
• Account Deleted: Immediate (access revoked immediately)
• Written Notice: As specified in notice (minimum 30 days unless Customer deletes account)

No Refunds: Termination does not entitle Customer to refund of prepaid fees (except as provided in Terms of Service for annual subscriptions cancelled within 30 days).

13.3 Termination by Flowframe

Termination Rights: Flowframe may terminate this DPA by terminating the Terms of Service in accordance with the Terms of Service, including:

1. Non-Payment: Account past due on payment (30 days notice, opportunity to cure)
2. Material Breach: Customer's material breach of Terms of Service or this DPA (7 days notice, opportunity to cure)
3. Prohibited Use: Customer uses Services for illegal purposes or violates Acceptable Use Policy (immediate termination for egregious violations)
4. Service Discontinuation: Flowframe discontinues Services (90 days notice)

Notice: Flowframe will provide notice of termination via email to Customer's registered email address.

Opportunity to Cure: Except for immediate termination situations (illegal activity, egregious violations), Customer shall have opportunity to cure breach within notice period.

13.4 Termination for Breach of DPA

Material Breach: Either party may terminate this DPA immediately if the other party:

• Materially breaches this DPA
• Fails to cure breach within 30 days of written notice
• Breach creates significant risk to Personal Data security or compliance

Examples of Material Breach:

• By Flowframe: Data breach due to gross negligence, Processing Personal Data beyond instructions, refusing to cooperate with audit, disclosing Personal Data to unauthorized third parties
• By Customer: Instructing Flowframe to violate Data Protection Laws, failing to pay fees, uploading illegal content, violating Acceptable Use Policy

Notice Requirement: Terminating party must provide written notice describing the breach and allowing 30 days to cure (unless breach is incurable or poses imminent risk).

13.5 Effect of Termination

Upon termination or expiration of this DPA, the following shall occur:

13.5.1 Immediate Effects (Day 0)

Access Revocation:

• Customer's access to Flowframe Services immediately revoked
• User accounts disabled
• API keys deactivated
• Public sharing links disabled

Data Export Opportunity:

• If termination notice provided in advance, Customer should export data before termination
• If termination is immediate (e.g., account deleted), Customer forfeits access to data (subject to data return option below)

13.5.2 Data Return or Deletion (Days 0-30)

Customer's Choice: At Customer's election, Flowframe shall either:

Option A: Return Personal Data

• Flowframe provides Customer with export of all Personal Data in JSON format
• Export delivered via secure download link sent to Customer's email
• Export available for 14 days after termination
• Customer responsible for downloading export within 14-day window

Option B: Delete Personal Data

• Flowframe immediately deletes Personal Data from active systems
• Personal Data remains in backups for 30 days (then permanently deleted)
• No data export provided

Default (if Customer does not elect): If Customer does not specify preference, Flowframe will delete Personal Data (Option B).

How to Request Data Return: Email support@flowframe.io within 7 days of termination with subject "Data Return Request".

13.5.3 Deletion Timeline (see Section 10)

Active Systems: Personal Data deleted from production databases within 24 hours of termination (or after data return period expires)

Backups: Personal Data purged from backups within 30 days of termination

Legal Retention: Billing records and data subject to legal retention requirements retained per Section 10.3

Deletion Certification: Flowframe will provide written certification of deletion upon request (email support@flowframe.io)

13.5.4 Outstanding Fees

Payment Obligation: Termination does not relieve Customer of obligation to pay outstanding fees for Services rendered before termination.

Pro-Rated Refunds: As specified in Terms of Service:

• Monthly subscriptions: No pro-rated refunds
• Annual subscriptions: Pro-rated refund if cancelled within 30 days of initial purchase

Invoice Due: Any unpaid invoices remain due and payable per original payment terms.

13.6 Survival of Provisions

The following provisions shall survive termination or expiration of this DPA:

Indefinite Survival:

• Section 1.2: Definitions (as needed to interpret surviving provisions)
• Section 3.2: Confidentiality (confidentiality obligations continue)
• Section 3.6: Data Deletion or Return (until fulfilled)
• Section 10: Data Retention and Deletion (until completed)
• Section 12: Liability, Indemnification, and Insurance (until statute of limitations expires)
• Section 14.1: Governing Law (for dispute resolution)
• Section 14.4: Entire Agreement
• Section 14.5: Severability

Limited Survival (until obligations fulfilled):

• Section 8: Data Subject Rights Support (for pending requests)
• Section 9: Data Breach Notification (for breaches discovered post-termination)
• Section 11: Audit Rights (for audits initiated before termination)

Purpose: Survival ensures that obligations that should continue after termination (e.g., confidentiality, indemnification, data deletion) remain enforceable.

13.7 Transition Assistance

Reasonable Assistance: For Enterprise customers, Flowframe may provide reasonable transition assistance to help Customer migrate to alternative service provider:

• Data export in commonly used formats
• Documentation of data structure and schema
• Reasonable consultation on migration (subject to professional services fees for extensive assistance)

Not Guaranteed: Transition assistance is a courtesy and not a contractual obligation unless separately agreed in writing.

Timeframe: Transition assistance, if provided, available for 30 days after termination (concurrent with data retention period).

---

14. GENERAL PROVISIONS

14.1 Governing Law and Jurisdiction

Primary Governing Law: This DPA and all non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with:

• Data Protection Matters: GDPR, UK GDPR, and EU/UK data protection law (taking precedence for data protection issues)
• Other Matters: The laws of the State of Delaware, United States (excluding conflict of law principles)

Jurisdictional Priority:

1. EU/UK Customers: For data protection disputes, EU/UK law governs and EU/UK courts or Supervisory Authorities have jurisdiction
2. US Customers: Delaware law governs and Delaware courts have jurisdiction (subject to arbitration provisions in Terms of Service)
3. Other Jurisdictions: Delaware law governs unless local mandatory data protection law takes precedence

Supervisory Authority Jurisdiction: EU/UK customers may lodge complaints with their local Supervisory Authority regardless of governing law provisions.

Arbitration for Non-Data Protection Disputes: For US Customers, non-data protection disputes (e.g., contract interpretation, billing) may be subject to arbitration per Terms of Service. However, data protection compliance disputes are NOT subject to arbitration and may be brought before Supervisory Authorities or courts.

14.2 Conflict with Terms of Service

Precedence for Data Protection: In the event of a conflict or inconsistency between this DPA and the Flowframe Terms of Service:

• This DPA prevails for matters related to data protection, privacy, and Processing of Personal Data
• Terms of Service prevail for other matters (e.g., billing, account management, service availability, intellectual property)

Integrated Agreement: This DPA and the Terms of Service are intended to be read together as complementary documents.

Interpretation: If a provision can be reasonably interpreted in a manner that avoids conflict, that interpretation shall be adopted.

14.3 Amendments and Updates

Amendments to DPA: This DPA may be amended only by:

1. Written agreement signed by both parties (for negotiated amendments)
2. Updated version posted by Flowframe with 30 days advance notice (for compliance updates or clarifications)
3. Immediate update if required by changes in Data Protection Laws (e.g., new GDPR guidance, court rulings)

Notice of Amendments:

• Email notification to Customer's registered email address
• Posting of updated DPA on Flowframe website (https://flowframe.io/legal/dpa)
• Version number and "Last Updated" date clearly marked

Customer's Options:

• Accept Amendment: Continue using Services after 30-day notice period constitutes acceptance
• Object to Amendment: If Customer objects to material amendment, Customer may terminate Agreement without penalty within 30 days
• Negotiate: Enterprise customers may request negotiation of specific provisions

Sub-Processor Changes: Governed by Section 6.4 (separate 30-day notice and objection process).

Version Control: Flowframe maintains prior versions of DPA for reference. Customer may request previous versions by emailing support@flowframe.io.

14.4 Entire Agreement

Complete Agreement: This DPA, together with the following, constitutes the entire agreement between the parties concerning the Processing of Personal Data:

• Flowframe Terms of Service
• Flowframe Privacy Policy
• Standard Contractual Clauses (Appendix A)
• Any executed addendums or order forms

Supersedes Prior Agreements: This DPA supersedes all prior negotiations, understandings, and agreements (whether written or oral) related to the subject matter.

No Reliance: Each party acknowledges that it has not relied on any statement, representation, or warranty not expressly set forth in this DPA.

Amendment: This DPA may only be amended as provided in Section 14.3.

14.5 Severability

Invalid Provisions: If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction or Supervisory Authority:

• The remaining provisions shall remain in full force and effect
• The invalid provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable
• If modification is not possible, the invalid provision shall be severed from the DPA

Reformation: To the extent permitted by law, the invalid provision shall be reformed to reflect the parties' original intent while complying with applicable law.

Negotiation: If severance or reformation substantially alters the balance of the parties' rights and obligations, the parties shall negotiate in good faith to amend the DPA to restore the intended balance.

14.6 Waiver

No Implied Waiver: Failure or delay by either party in enforcing any provision of this DPA shall NOT constitute a waiver of that provision or any other provision.

Written Waiver Required: Any waiver must be in writing and signed by the party granting the waiver.

No Continuing Waiver: Waiver of a breach or default does NOT waive any subsequent breach or default.

Rights Cumulative: All rights and remedies are cumulative and not exclusive.

14.7 Assignment and Successors

Assignment by Customer: Customer may NOT assign, transfer, or delegate this DPA or any rights or obligations hereunder without Flowframe's prior written consent.

Permitted Customer Assignments (no consent required):

• Assignment to a parent, subsidiary, or affiliated company under common control
• Assignment in connection with a merger, acquisition, or sale of all or substantially all assets (provided assignee agrees to be bound by this DPA)

Assignment by Flowframe: Flowframe may assign this DPA without Customer consent:

• To a parent, subsidiary, or affiliated company
• In connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all assets
• Upon Incorporation: Automatic assignment from unincorporated business to Flowframe, Inc. (or similar legal entity) upon incorporation

Successors Bound: This DPA shall bind and inure to the benefit of the parties and their respective permitted successors and assigns.

Notice of Assignment: Flowframe will notify Customer of any assignment via email.

14.8 Force Majeure

Excuse for Non-Performance: Neither party shall be liable for failure or delay in performing obligations under this DPA (except payment obligations) due to circumstances beyond its reasonable control, including:

• Natural disasters: Earthquakes, floods, hurricanes, fires, pandemics
• War or terrorism: Armed conflict, acts of terrorism, civil unrest
• Government actions: Laws, regulations, embargoes, sanctions (except those specifically applicable to party in breach)
• Infrastructure failures: Internet outages, telecommunications failures, power outages (beyond sub-processor failures)
• Cyberattacks: Large-scale cyberattacks affecting internet infrastructure (not targeted attacks on Flowframe, which do not excuse performance)

Notice Requirement: Party claiming force majeure must:

• Notify other party promptly (within 5 business days of force majeure event)
• Provide details of the event and expected duration
• Use reasonable efforts to mitigate impact and resume performance

Duration: Obligations are suspended only for the duration of the force majeure event.

Termination for Extended Force Majeure: If force majeure event continues for more than 60 consecutive days, either party may terminate this DPA without penalty.

Not a Blanket Excuse: Force majeure does NOT excuse:

• Payment obligations (Customer must still pay for Services received)
• Data deletion or return obligations (Flowframe must still delete/return data post-termination)
• Breach notification obligations (breaches must still be reported)

14.9 Notices

How to Give Notice: All notices required or permitted under this DPA shall be in writing and delivered by:

• Email (preferred): Delivered to the email address on file
• Postal Mail: Delivered to the postal address on file via certified mail, return receipt requested

Flowframe's Notice Address:

• Email: support@flowframe.io
• Postal: [To be provided upon incorporation - Registered Agent Address]
• Attention: Data Protection Officer / Legal

Customer's Notice Address:

• Email: The email address associated with Customer's Flowframe account
• Postal: The billing address on file with Customer's account

Effective Date of Notice:

• Email: Deemed delivered 24 hours after sending (provided no bounce-back or error)
• Postal Mail: Deemed delivered 5 business days after mailing (if sent within same country) or 10 business days (if international)

Change of Address: Parties shall promptly notify each other of any change in email or postal address.

14.10 Third-Party Beneficiaries

No Third-Party Rights: Except as expressly stated below, this DPA does not create rights for any third parties.

Data Subject Rights: Data Subjects are intended third-party beneficiaries with respect to their rights under GDPR (Articles 15-22), and may enforce those rights directly against Flowframe or Customer as applicable.

Supervisory Authority Rights: Supervisory Authorities may enforce this DPA to the extent necessary to ensure compliance with Data Protection Laws.

No Other Beneficiaries: No other third parties (including sub-processors, affiliates, or other customers) have rights under this DPA.

14.11 Counterparts and Electronic Signatures

Counterparts: This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.

Electronic Signatures: This DPA may be executed by electronic signature (e.g., DocuSign, Adobe Sign, or Customer's acceptance of Terms of Service including this DPA), which shall be deemed an original signature for all purposes.

Acceptance by Use: Customer's acceptance of the Flowframe Terms of Service (which incorporate this DPA) constitutes Customer's binding acceptance of this DPA. No separate signature is required unless Customer requests an executed DPA for Enterprise purposes.

14.12 Language and Interpretation

Language: This DPA is drafted in English. If translated, the English version prevails in case of conflict.

Interpretation Rules:

• Headings are for convenience only and do not affect interpretation
• "Including" means "including without limitation"
• Singular includes plural and vice versa
• "Shall" and "must" indicate mandatory obligations; "may" indicates discretion
• References to "days" mean calendar days unless specified as "business days"
• References to "writing" or "written" include email

Business Days: Monday through Friday, excluding US federal holidays and UK bank holidays.

14.13 Relationship of Parties

Independent Contractors: Flowframe and Customer are independent contractors. This DPA does not create:

• Partnership or joint venture
• Employment relationship
• Agency relationship (except Customer's authorization for Flowframe to process Personal Data as Customer's agent/processor)
• Franchise or distribution relationship

No Authority: Neither party has authority to bind the other or make commitments on the other's behalf (except Flowframe processing Personal Data on Customer's documented instructions).

14.14 Publicity and References

Customer References: Flowframe may not use Customer's name, logo, or trademarks in marketing materials, case studies, or customer lists without Customer's prior written consent.

Exception for Regulatory Compliance: Flowframe may disclose Customer's name to Supervisory Authorities or in response to legal process without consent.

Confidential Customers: If Customer requests confidentiality, Flowframe will not publicly disclose Customer relationship.

---

15. STANDARD CONTRACTUAL CLAUSES

15.1 Incorporation of SCCs

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to Third Countries (countries without an adequacy decision), the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU) are incorporated into this DPA by reference.

Full SCCs: The complete text of the Standard Contractual Clauses is available at:

• European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
• Flowframe: Available upon request at support@flowframe.io (provided within 5 business days)

15.2 SCC Modules Applicable

Module Two: Controller to Processor

• Applies when Customer is the Data Controller
• Flowframe is the Data Processor
• For transfers from EU/EEA/UK Customer to Flowframe (if Flowframe processes data in Third Country)

Module Three: Processor to Sub-Processor

• Applies when Flowframe engages sub-processors in Third Countries
• Flowframe is Processor
• Sub-processor (e.g., Stripe, Google) is Sub-Processor
• For transfers from Flowframe to sub-processors like Stripe (USA) or Google (USA)

15.3 SCC Docking Clause

Docking Clause Activated: The docking clause in Clause 7 of the SCCs is activated. This allows new parties (e.g., affiliates, successors) to accede to the SCCs by completing Annex I and providing notice.

15.4 SCC Optional Clauses

Optional Clause Selections:

• Clause 7 (Docking Clause): ACTIVATED - New parties may join
• Clause 9(a) (Prior Authorization): SELECTED - Customer grants prior general authorization for sub-processors (subject to Section 6.4 notification and objection rights)
• Clause 11(a) (Redress): SELECTED - Independent dispute resolution body: EU Data Protection Authorities
• Clause 17 (Governing Law): Law of EU Member State where Customer is established (for EU customers)
• Clause 18 (Jurisdiction): Courts of EU Member State where Customer is established (for EU customers)

15.5 UK Addendum for UK GDPR

For transfers from the United Kingdom, the UK Information Commissioner's Office (ICO) International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) applies.

UK Addendum: Available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

Automatic Application: The UK Addendum automatically applies for UK-to-Third Country transfers without requiring separate execution.

15.6 SCC Annexes (Data Transfer Details)

The following annexes provide specifics required by the Standard Contractual Clauses:

ANNEX I - Data Transfer Details

A. List of Parties

Data Exporter (Controller / Processor):

• Name: [Customer Legal Entity Name]
• Address: [Customer Address]
• Contact: [Customer Contact Person]
• Role: Data Controller (Module 2) or Processor (Module 3, if applicable)

Data Importer (Processor / Sub-Processor):

• Name: Flowframe (or specific sub-processor if Module 3)
• Address: [Flowframe Registered Agent Address - to be provided]
• Contact: support@flowframe.io
• Role: Data Processor (Module 2) or Sub-Processor (Module 3)

B. Description of Transfer

• Categories of Data Subjects: As described in Section 2.5 (Customer's employees, contractors, clients, end users)
• Categories of Personal Data: As described in Section 2.6 (account data, collaboration data, query history, usage analytics, billing data)
• Sensitive Data: Not applicable (Special Categories not processed without prior agreement)
• Frequency of Transfer: Continuous (ongoing transfers during subscription)
• Nature of Processing: As described in Section 2.4 (account management, collaboration, query storage, analytics, support)
• Purpose of Transfer: Provision of Flowframe's collaborative data analytics platform
• Retention Period: As described in Section 10 (duration of subscription plus 30 days, with exceptions for legal retention)
• Sub-Processors: As listed in Section 6.2 (DigitalOcean, Stripe, Google if/when added)

C. Competent Supervisory Authority

• EU Customers: Supervisory Authority of the EU Member State where Customer is established
• UK Customers: Information Commissioner's Office (ICO)

ANNEX II - Technical and Organizational Measures (TOMs)

See Section 5 (Technical and Organizational Security Measures) for comprehensive list of security measures, including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication
• Network security (VPC, firewalls, DDoS protection)
• Personnel security (background checks, confidentiality agreements, training)
• Incident response and breach notification procedures
• Data backup and recovery
• Vulnerability management and security monitoring

Certification: Flowframe's security measures are designed to comply with ISO 27001 and SOC 2 standards (certifications in progress).

ANNEX III - Sub-Processor List

See Section 6 (Sub-Processors) for current and planned sub-processors, including:

• DigitalOcean LLC (infrastructure hosting)
• Stripe, Inc. (payment processing)
• Google LLC (AI services, planned Q2 2026)

15.7 Precedence of SCCs

SCC Priority: In the event of conflict between the main body of this DPA and the Standard Contractual Clauses:

• SCCs prevail to the extent required by Data Protection Laws
• DPA provisions that provide greater protection or more specific implementation of SCC principles shall complement (not conflict with) SCCs

Interpretation: SCCs and DPA should be read together as integrated data protection framework.

15.8 Requests for Executed SCCs

Self-Service Customers (Free/Pro): SCCs are incorporated by reference. Customer's acceptance of Terms of Service constitutes acceptance of SCCs.

Enterprise Customers: Upon request, Flowframe will provide fully executed Standard Contractual Clauses as a separate document.

Request Process:

1. Email support@flowframe.io with subject "SCC Execution Request"
2. Provide Customer company details and authorized signatory information
3. Flowframe will prepare SCCs with completed Annexes
4. Both parties sign SCCs (electronic signature acceptable)
5. Executed SCCs provided within 10 business days

No Additional Fee: Providing executed SCCs is at no cost to Customer.

---

16. SIGNATURES AND ACCEPTANCE

16.1 Acceptance Methods

This Data Processing Agreement may be accepted by Customer in the following ways:

Method 1: Acceptance via Terms of Service (Standard)

• Customer accepts Flowframe Terms of Service when creating account
• Terms of Service explicitly incorporate this DPA by reference
• Customer's use of Flowframe constitutes binding acceptance of this DPA
• No separate signature required
• Effective immediately upon account creation

Method 2: Executed DPA (Enterprise)

• Enterprise Customer may request executed DPA for procurement or legal requirements
• Flowframe provides DPA for signature via DocuSign or Adobe Sign
• Both parties execute via electronic or wet signature
• Executed copy provided to Customer for records
• Request via: support@flowframe.io with subject "DPA Execution Request"

16.2 Electronic Signatures

Legal Validity: Electronic signatures are legally valid and enforceable under:

• US: ESIGN Act and UETA
• EU: eIDAS Regulation
• UK: Electronic Communications Act 2000

Accepted Methods:

• DocuSign
• Adobe Sign
• HelloSign
• Typed name in "Customer Signature" field with date
• Click-through acceptance in Flowframe platform

Effect: Electronic signatures have the same legal effect as handwritten signatures.

16.3 Amendment Upon Incorporation

Auto-Update Provision: Upon incorporation of Flowframe as a legal entity (e.g., Flowframe, Inc.), this DPA shall automatically transfer to and be binding upon the successor legal entity without requiring re-execution.

Notice of Incorporation: Flowframe will notify Customer via email of incorporation and provide updated entity details (legal name, registered address, tax ID).

Continuity: All terms, conditions, and obligations under this DPA continue unchanged except for updated entity information.

---

DOCUMENT INFORMATION

Document Title: Data Processing Agreement (DPA)

Version: 1.0 (Comprehensive Legal Edition)

Effective Date: January 10, 2026

Last Updated: January 10, 2026

Document ID: DPA-FLOWFRAME-2026-v1.0

Status: Pre-Production Release (Effective for Beta Users)

Next Review Date: April 10, 2026 (or upon material changes to Services or Data Protection Laws)

Contact for Questions:

• Email: support@flowframe.io
• Subject Line: "DPA Inquiry"
• Response Time: Within 48 business hours

---

THIS DATA PROCESSING AGREEMENT IS EFFECTIVE AS OF THE DATE CUSTOMER ACCEPTS THE FLOWFRAME TERMS OF SERVICE.

For questions about this DPA, data protection practices, or to request an executed copy, please contact support@flowframe.io.

---

END OF DATA PROCESSING AGREEMENT