Last updated: April 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Flowzao ("Processor") and the Customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.
"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Subject matter: Provision of the Flowzao service desk platform.
Duration: For the term of the agreement.
Nature and purpose: Storage and processing of ticket data, user information, organization data, and ecosystem collaboration data.
Categories of data subjects: Customer employees, end-users, and partners.
Types of personal data: Names, email addresses, organization details, ticket content, and usage data.
The Processor shall: process Personal Data only on documented instructions from the Controller; ensure personnel are bound by confidentiality; implement appropriate technical and organizational security measures; assist the Controller in responding to data subject requests; delete or return Personal Data upon termination; make available all information necessary to demonstrate compliance.
The Processor uses the following sub-processors: Neon (database hosting, EU); Cloudflare (hosting, CDN, global); Stripe (payment processing, US/EU); Resend (email delivery, US). The Controller is deemed to have authorized these sub-processors. The Processor will notify the Controller before adding new sub-processors.
Personal Data is primarily stored in the EU (Neon PostgreSQL, eu-central-1). Where data is transferred outside the EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
The Processor implements: encryption in transit (TLS 1.3) and at rest; access controls and authentication; regular security reviews; incident response procedures; backup and disaster recovery.
The Processor will notify the Controller of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware of it, providing all relevant details.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an authorized auditor.
This DPA shall remain in effect for the duration of the agreement. Upon termination, the Processor shall delete all Personal Data within 30 days, unless retention is required by law.
Data Protection Officer: dpo@flowzao.com