1. Parties
Data Controller
You, the customer (the entity determining the purposes and means of processing)
Data Processor
ClientFlow (processing personal data on your behalf)
1.1 Scope of Processing
This DPA applies to the processing of personal data where:
- ClientFlow processes personal data on behalf of the Controller as part of providing the Service
- The processing relates to the management of the Controller's client relationships
- The data subjects are the Controller's clients and business contacts
Processing Activities
- Storage and organisation of client contact information
- Recording and tracking of payment transactions
- Sending of authorised communications (reminders, notifications)
- Generation of analytics and reports based on aggregated data
2. Data Categories
| Category | Examples | Purpose |
|---|---|---|
| Account Data | Email, name, profile picture | Service access |
| Customer Data | Client names, phones, emails | CRM functionality |
| Payment Records | Amounts, dates, statuses | Payment tracking |
| Usage Data | Login times, feature usage | Security, improvement |
3. Processor Obligations
We Will:
- Process data only on your documented instructions
- Ensure personnel are bound by confidentiality
- Implement appropriate security measures
- Assist with data subject requests
- Notify you of data breaches within 72 hours
- Delete data upon termination (after retention period)
4. Security Measures
Technical
- TLS 1.3 (transit)
- AES-256 (at rest)
- OAuth 2.0 authentication
- Role-based access control
- Real-time monitoring
Organisational
- Security policies
- Incident response plan
- Regular audits
- Vendor security reviews
- Employee training
5. Sub-processors
We use the following authorised sub-processors:
| Provider | Service | Location | DPF |
|---|---|---|---|
| Google Cloud | Authentication | USA | Yes |
| iyzico | Payments | Turkey | SCCs |
| Meta (WhatsApp) | Messaging | USA | Yes |
| Resend | USA | SCCs | |
| Hetzner | Hosting & Database | Germany (EU) | SCCs |
| Cloudflare | CDN & Storage | EU | Yes |
DPF = EU-US Data Privacy Framework certified
Sub-processor Changes
We will notify you of any intended changes to sub-processors:
- At least 14 days' advance notice before adding or replacing sub-processors
- Notification via email to your registered account email address
- You may object to changes within 14 days by contacting us
- If your objection cannot be resolved, you may terminate the affected services
5.1 Audit Rights
The Controller has the right to verify compliance with this DPA:
- Request relevant documentation and certifications
- Conduct audits with at least 30 days' written notice
- Audits shall be conducted during normal business hours
- Auditor must sign a confidentiality agreement
Audit Scope
- Security measures and technical safeguards
- Sub-processor compliance
- Data handling procedures
- Incident response capabilities
Costs for audits shall be borne by the Controller unless the audit reveals material non-compliance.
6. Data Retention & Deletion
Your data is preserved for account recovery and regulatory compliance.
| Timeline | Action |
|---|---|
| Immediately | Account deactivated |
| Indefinite | Data preserved (archived) |
| Anytime | Account can be reactivated |
7. CCPA Provisions
Under CCPA, we act as a "Service Provider" and:
- Process data only for specified business purposes
- Do not sell personal information
- Assist with consumer rights requests
- Implement reasonable security measures
8. Data Breach Notification
In the event of a personal data breach, we commit to the following:
Notification Timeline
- Notify you within 72 hours of becoming aware of a breach
- Provide initial assessment of the breach scope and impact
- Deliver detailed written notification within 5 business days
Notification Content
- Nature of the breach including categories and approximate number of data subjects affected
- Name and contact details of our Data Protection Officer
- Description of likely consequences of the breach
- Measures taken or proposed to address the breach
- Measures to mitigate possible adverse effects
We will cooperate fully with your investigation and any regulatory enquiries, and assist with breach notifications to supervisory authorities and affected individuals as required by applicable law.
9. International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards:
Transfer Mechanisms
EU Adequacy Decisions
Transfers to countries deemed adequate by the European Commission
EU-US Data Privacy Framework
For US-based processors certified under the DPF
Standard Contractual Clauses (SCCs)
EU Commission approved clauses (2021 version) for other transfers
We conduct transfer impact assessments where required and implement supplementary measures (technical, organisational, and contractual) when necessary to ensure an essentially equivalent level of protection.
You may request copies of the relevant transfer mechanisms upon request.
10. Liability and Indemnification
Processor Liability
ClientFlow shall be liable for damages caused by processing that does not comply with this DPA or where we have acted outside or contrary to lawful instructions of the Controller.
Controller Liability
The Controller shall be liable for damages caused by processing that violates applicable data protection law or does not comply with the Controller's obligations under this DPA.
Limitations
- Neither party shall be liable for indirect, incidental, or consequential damages
- Total aggregate liability under this DPA is limited to fees paid in the 12 months preceding the claim
- These limitations do not apply to breaches of confidentiality, wilful misconduct, or gross negligence
Each party agrees to indemnify the other against third-party claims arising from the indemnifying party's breach of this DPA or applicable data protection laws.
11. Termination and Data Return
Duration
This DPA remains in effect for the duration of the Service Agreement and for as long as we process personal data on your behalf.
Upon Termination
- At your choice, we will return or delete all personal data within 30 days
- You may request data export in a commonly used machine-readable format
- We will certify deletion upon request
- Data may be retained where required by applicable law
Sections relating to confidentiality, liability, and data protection rights shall survive termination of this DPA.