Data Processing Addendum
How DPAFlow processes personal data on your behalf as a processor, supporting GDPR Article 28 aligned arrangements.
Last updated: June 24, 2026
01Processing roles
This Data Processing Addendum (DPA) describes how DPAFlow processes personal data on your behalf. For data within your workspace, you act as the controller and DPAFlow acts as a processor, processing personal data only on your documented instructions.
This DPA is intended to support Article 28 aligned processing arrangements.
02Subject matter and duration
The subject matter is the provision of vendor and subprocessor change monitoring: capturing dated evidence from the sources you configure and supporting your review of changes. Processing continues for the duration of your use of the service, unless otherwise agreed in writing.
03Categories of data and data subjects
Processing may involve:
- Account and workspace data relating to your users (such as name and work email).
- Configuration data — the source URLs and review settings you define.
- Evidence captures of the public pages you choose to monitor.
Data subjects are primarily your authorized users. You remain responsible for ensuring you have a basis to process the sources and content you configure.
04Security measures
We apply technical and organizational measures appropriate to the risk, including role-based access controls within your workspace and honest reporting of source health. Evidence records carry a content hash as an integrity check.
The specific measures, and any independent assurances, will be described accurately here after they are implemented and verified. We do not assert certifications, penetration tests, or specific encryption guarantees that have not been confirmed.
05Subprocessors
We engage subprocessors (such as hosting and infrastructure providers) under data-protection terms consistent with this DPA. A current list of subprocessors will be maintained, and we will provide a mechanism to notify you of intended changes so you can review them — fitting, appropriately, with the kind of subprocessor oversight DPAFlow helps its own customers perform.
06International transfers
Workspace data is hosted in the EU by default. Where personal data is transferred outside the EEA, we use an appropriate transfer mechanism such as Standard Contractual Clauses, together with supplementary measures where needed — consistent with a Schrems II workflow. Details of the transfer mechanisms we rely on are available on request.
07Assistance
Taking into account the nature of processing, we will provide reasonable assistance to help you meet your obligations — including responding to data subject requests, supporting data protection impact assessments, and notifying you of relevant personal data breaches without undue delay. The scope of this assistance reflects the nature of the processing and your instructions as the controller.
08Deletion and return
Evidence and other workspace data are your customer-controlled data. You can export your evidence as audit-ready packets at any time. On termination, data is returned or deleted in line with your account terms and applicable law, unless retention is required by law.
09Contact
Questions about this DPA, or to request a signed copy as part of evaluation? Reach us through the contact page and select the Privacy / DPA subject.