Data Processing Addendum

1. Preamble & precedence

This Data Processing Addendum (the “DPA”) forms part of, and is incorporated into, the Terms of Service between you (the “Customer”) and Royal Technology Limited, a company registered in Bulgaria (company number 203253637, VAT number BG203253637), with registered office at Mladost 122, Varna 9020, Bulgaria (“Flowzart”) under which Flowzart provides the Service to the Customer (the “Agreement”). It applies whenever Flowzart processes Personal Data on the Customer's behalf in connection with the Service.

To the extent of any conflict between this DPA and the rest of the Agreement on a matter of data protection, this DPA prevails. To the extent of any conflict between the body of this DPA and the SCCs incorporated under Schedule 4, the SCCs prevail.

2. Definitions

Capitalised terms not defined in this DPA have the meanings given in the Agreement. “Applicable Data Protection Law” means all data-protection and privacy laws applicable to a party's processing of Personal Data under this DPA, including the EU GDPR (Regulation (EU) 2016/679), the UK GDPR and the Data Protection Act 2018, the Swiss FADP, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Brazilian LGPD, and equivalent local statutes.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”/“Processing”, and “Special Categories of Personal Data” have the meanings given to them in the EU GDPR, and equivalent terms under other Applicable Data Protection Law have the corresponding meanings. “Customer Personal Data” means Personal Data forming part of Customer Content that Flowzart processes on the Customer's behalf to provide the Service. “Restricted Transfer” means a transfer of Customer Personal Data subject to statutory transfer restrictions under Applicable Data Protection Law. “SCCs” means the European Commission's Standard Contractual Clauses set out in Decision (EU) 2021/914 (Modules Two and Three, as applicable). “UK IDTA” means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

3. Roles & subject-matter of processing

For Customer Personal Data processed under this DPA, the Customer is the Controller and Flowzart is the Processor. Where the Customer itself acts as a processor on behalf of a third-party controller, Flowzart processes the relevant Customer Personal Data as a sub-processor; the Customer represents that it has the authority and instructions of that third-party controller to engage Flowzart on these terms.

Flowzart may act as an independent Controller for limited categories of data (specifically, account-administration data such as Account contact details and login records, billing data we hold for our own tax and accounting obligations, and security-monitoring telemetry) as described in our Privacy Policy. Those categories are outside the scope of this DPA.

The subject-matter, nature and purpose, duration, types of Personal Data, and categories of Data Subjects are described in Schedule 1.

4. Customer instructions & duration

Flowzart will process Customer Personal Data only on documented instructions from the Customer, except where required to do otherwise by Applicable Data Protection Law (in which case Flowzart will inform the Customer of that legal requirement before processing, unless that law prohibits it on important grounds of public interest). The Customer's instructions are set out in this DPA, in the Agreement, and in the Customer's use of the Service through its in-product configuration (for example, choice of region, retention settings, Third-Party-Service connections, and workflow design).

If Flowzart believes an instruction infringes Applicable Data Protection Law, it will inform the Customer without delay. Flowzart may suspend processing of an instruction it reasonably believes is unlawful until the Customer confirms or amends it.

This DPA applies for the duration of the Agreement and continues thereafter only to the extent strictly necessary to comply with section 16 (return & deletion) and any continuing legal obligations.

5. Restrictions on Flowzart processing

Flowzart will not, in connection with Customer Personal Data:

• Sell or share Customer Personal Data, as those terms are defined under the CCPA and equivalent law;
• retain, use, disclose, or otherwise process Customer Personal Data for any purpose other than performing the Service for the Customer, or for a purpose other than the “business purposes” specified in the Agreement;
• combine Customer Personal Data with personal data Flowzart has received from any other source, except where such combination is strictly necessary to provide the Service to the Customer in line with documented instructions;
• use Customer Personal Data to send marketing or other commercial communications to Data Subjects on Flowzart's own behalf;
• use Customer Personal Data, or any output derived from it, to train, fine-tune, or otherwise improve generalised AI or machine-learning models (whether Flowzart's own or any third party's), except where the Customer has given specific, opt-in consent for an identified feature; or
• act outside, or in conflict with, the Customer's documented instructions.

Where the CCPA applies, Flowzart certifies that it understands the restrictions in this section.

6. Sensitive data: not supported

The Service is not designed, marketed, or supported for the processing of Special Categories of Personal Data (Article 9 GDPR), criminal-conviction or offence data (Article 10 GDPR), protected health information falling within HIPAA, payment-card data falling within PCI-DSS, biometric identifiers used for unique identification, or other categories of personal data subject to specific regulatory protection. The Customer is responsible for ensuring that it does not submit such data through the Service unless Flowzart has agreed in writing to such use, including any additional contractual terms required for that data type. Flowzart has no obligation under this DPA in respect of any such data submitted in breach of this section.

7. Confidentiality of personnel

Flowzart ensures that personnel authorised to process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and that access is limited to those personnel who need it to perform the Service.

8. Security measures

Flowzart implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to it, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as required by Article 32 of the EU GDPR. A summary of those measures is set out in Schedule 2; further detail is published on our Security Policy page and in controlled documentation available under NDA on request.

Flowzart may update its security measures from time to time, provided that the level of protection afforded to Customer Personal Data is not materially diminished.

9. Sub-processors

The Customer grants Flowzart a general written authorisation to engage Sub-processors to assist in providing the Service, on the terms set out below.

Current list & notice

The current list of Sub-processors is published at flowzart.com/subprocessors, together with a summary of the processing each Sub-processor performs and the regions in which they operate. A non-exhaustive snapshot is also reproduced in Schedule 3. Customers can subscribe to email notification of changes from their Account billing area.

Flowzart will give the Customer at least thirty (30) days' prior notice of the addition or replacement of a Sub-processor (a “Sub-processor Change”), except where a shorter period is required to address an urgent security or operational risk, in which case Flowzart will give as much notice as is reasonable in the circumstances and document the reason.

Right to object & remedy

The Customer may object to a Sub-processor Change on reasonable data-protection grounds by giving written notice to [email protected] within the notice period. Flowzart will work in good faith with the Customer to resolve the objection, including by offering a configuration that avoids the Sub-processor where feasible.

If the parties cannot agree on a resolution within a reasonable period, the Customer may, as its sole remedy, terminate the affected portion of the Service on written notice to Flowzart. Where the Customer does so:

• Flowzart will refund the pro-rata portion of any pre-paid Subscription Fees attributable to the unused remainder of the current Subscription cycle for the affected portion of the Service; and
• any PAYG Bundle balance the Customer holds remains usable until its one-year expiry, in line with Terms section 10.3.

Flowzart enters into a written contract with each Sub-processor that contains data-protection obligations no less protective of Customer Personal Data than those in this DPA, and remains liable to the Customer for the performance of each Sub-processor's data-protection obligations.

10. International transfers

Where the provision of the Service involves a Restricted Transfer of Customer Personal Data from the Customer (or its onward Controller) to Flowzart, or from Flowzart to a Sub-processor, the parties rely on the transfer mechanisms set out in Schedule 4, including the SCCs (Module Two for Controller-to-Processor transfers and Module Three for Processor-to-Sub-processor transfers), the UK IDTA where the UK GDPR applies, and the Swiss amendments to the SCCs where the Swiss FADP applies. Where the recipient is self-certified under the EU-U.S. Data Privacy Framework (or its UK Extension or Swiss-U.S. counterpart) at the time of the transfer, the parties may instead rely on that mechanism.

Flowzart applies supplementary technical and organisational measures to its Restricted Transfers, including encryption in transit, access controls, and contractual commitments to challenge unlawful government-access requests where legally permitted.

11. Data-subject requests

Taking into account the nature of the processing, Flowzart provides reasonable assistance to the Customer (including by appropriate technical and organisational measures, in so far as possible) to enable the Customer to fulfil its obligations to respond to Data Subjects exercising rights under Applicable Data Protection Law. The Service includes self-service tooling that lets the Customer access, correct, export, and delete Customer Personal Data within its workspace; for requests that cannot be fulfilled with that tooling, the Customer can contact [email protected].

If a Data Subject contacts Flowzart directly with a request relating to Customer Personal Data, Flowzart will not respond on the merits but will, without undue delay, refer the request to the Customer (or, if the Data Subject has not identified the relevant Customer, ask them to identify it).

12. Personal Data Breach notification

Flowzart will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware of it. The notification will include, to the extent then known:

• the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
• the likely consequences of the Personal Data Breach;
• the measures Flowzart has taken or proposes to take to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and
• contact details for the Flowzart point of contact handling the Personal Data Breach.

Where information is not all available within the 72-hour window, Flowzart will provide it in further communications without undue delay as it becomes available. Flowzart's notification of a Personal Data Breach is not, by itself, an admission of fault or liability.

13. DPIAs & prior consultation

Taking into account the nature of the processing and the information available to Flowzart, Flowzart provides reasonable assistance to the Customer in carrying out Data Protection Impact Assessments (Article 35 GDPR) and consulting supervisory authorities where required (Article 36 GDPR). Standard documentation that supports DPIAs (including this DPA, the Security Policy, the published Sub-processor list, and any third-party security attestations Flowzart holds, provided under NDA where applicable) is provided as the default form of assistance.

14. Compelled disclosure

If Flowzart receives a legally binding request from a public authority (including a court, law-enforcement, or national-security authority) for disclosure of Customer Personal Data, Flowzart will, unless prohibited by law:

• review the legal validity of the request and challenge it where there are grounds to do so under applicable law;
• notify the Customer of the request without undue delay so that the Customer can seek a protective order or other appropriate remedy;
• where notification is prohibited, use reasonable efforts to obtain a waiver of that prohibition; and
• limit the disclosure to the minimum necessary to comply with the request.

Where the request relates primarily to the Customer rather than to Flowzart, Flowzart will, where lawful and practicable, redirect the requesting authority to the Customer.

15. Audits & inspections

Flowzart makes available to the Customer all information necessary to demonstrate compliance with this DPA. The default form of demonstration is provision of:

• responses to a reasonable security-and-privacy questionnaire;
• this DPA, the published Security Policy describing our technical and organisational measures, and the published Sub-processor list at Schedule 3; and
• any third-party security attestations Flowzart holds (such as a SOC 2 Type II report or ISO/IEC 27001 certification with statement of applicability), where available, under NDA.

Questionnaire responses and any third-party attestations are provided under a mutual non-disclosure agreement.

If, after reviewing the materials above, the Customer reasonably believes that further audit is required to demonstrate compliance with this DPA, the Customer (or a qualified third-party auditor mandated by the Customer who is not a competitor of Flowzart and is bound by confidentiality obligations) may carry out an on-site or remote audit, on reasonable advance notice (at least thirty (30) days, except where shorter notice is required by Applicable Data Protection Law or a competent authority), no more than once in any twelve-month period (except where required following a confirmed Personal Data Breach or by Applicable Data Protection Law), during normal business hours, and in a manner that does not unreasonably disrupt the Service or compromise the security or confidentiality of other customers' data.

Each party bears its own audit costs. Where an audit reveals a material non-compliance by Flowzart, Flowzart will reimburse the Customer's reasonable audit costs and remediate the non-compliance without undue delay.

16. Return & deletion at termination

On termination of the Agreement, Flowzart will, at the Customer's choice, return all Customer Personal Data to the Customer or delete it. The Customer can request export of its Customer Content within thirty (30) days of termination, in line with Terms section 10.4. After that period, Flowzart will delete or anonymise Customer Personal Data, except as set out below.

Flowzart retains the following limited billing-related records as required by Applicable Data Protection Law and Flowzart's tax, accounting, audit, and dispute-resolution obligations:

• PAYG Bundle ledger entries: kept until the bundle's one-year expiry date plus the statutory minimum required for tax and accounting in the relevant jurisdiction (typically 6–10 years);
• Subscription cycle records and invoices: kept for the statutory minimum required for tax and accounting (typically 6–10 years);
• Energy-consumption ledger entries linked to issued invoices: kept for the same period as the corresponding invoice; and
• Backups containing Customer Personal Data: Flowzart will not actively access backed-up Customer Personal Data after termination, and will overwrite or delete such data in line with the regular backup-rotation cycle.

Wherever practicable, Flowzart minimises the Personal Data contained in retained billing records (for example, by retaining account identifier and aggregate Wh figures rather than per-run workflow content) and treats retained billing data as confidential Customer information regardless of its retention period. These periods mirror the retention periods set out in our Privacy Policy section 10.

17. Liability

Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions on liability set out in the Agreement. Nothing in this DPA increases the aggregate liability cap that applies under the Agreement, save where Applicable Data Protection Law expressly requires otherwise (for example, joint and several liability under Article 82 GDPR for damage caused by infringing processing, which the parties cannot contractually limit as between themselves and a Data Subject).

18. Term, termination & survival

This DPA takes effect on the date the Agreement does and continues for the duration of the Agreement. Sections that by their nature should survive termination (including 7, 12, 14, 16, 17, and any operative provisions of the SCCs incorporated under Schedule 4) survive in accordance with their terms.

19. Governing law

This DPA is governed by the law and jurisdiction set out in the Agreement, save that where Applicable Data Protection Law mandates a particular governing law for an aspect of the processing (for example, the SCCs require governing law of an EU member state for transfers from the EEA), that mandatory law applies for that aspect only.

Schedule 1: Description of processing

Subject-matter. Flowzart's provision of the Service to the Customer.

Nature and purpose of processing. Hosting, storing, transmitting, executing, retaining, monitoring, and metering the Customer Content the Customer routes through its workflows on the Service, including the watt-hour and kilowatt-hour records that drive the Customer's billing.

Duration of processing. For the duration of the Agreement, plus the limited retention periods set out in section 16 (billing-data carve-out) and our Privacy Policy section 10.

Categories of Data Subjects. Whoever the Customer chooses to route through its workflows. Typically: the Customer's authorised users (employees, contractors, and other personnel); the Customer's customers, prospects, and end users; the Customer's suppliers and partners; and any other natural persons whose data the Customer's workflows operate on.

Categories of Customer Personal Data. Determined by the Customer's workflow design. Typically includes identifiers (names, email addresses, user IDs, phone numbers), professional or contact information, technical identifiers (IP addresses, device identifiers, authentication tokens), transaction metadata, message content, and any other categories the Customer's workflows are configured to process. Special Categories of Personal Data and comparable sensitive data are not supported under this DPA: see section 6.

Frequency. Continuous, while the Customer is using the Service.

Geographic locations of processing. Customer Personal Data is processed on Flowzart-operated infrastructure located in the United Kingdom, Bulgaria, and Germany. Sub-processor processing locations are listed in Schedule 3.

Identity of Controller and Processor. The Customer is the Controller (or, in some scenarios, a processor on behalf of a third-party controller); Flowzart is the Processor. Flowzart's contact for matters relating to this DPA is [email protected]; the Customer's contact is the email address associated with the Customer's Account, unless the Customer designates a different one.

Schedule 2: Technical & organisational measures

Flowzart implements the technical and organisational measures summarised below. The Security Policy describes them in more detail and is updated from time to time; this Schedule and the Security Policy are intended to remain consistent.

• Encryption. TLS 1.2+ in transit; application secrets and database credentials stored in a dedicated secrets-management system with daily rotation of dynamic database credentials. At-rest encryption of bulk customer data is on Flowzart's security roadmap.
• Access control. Least-privilege, role-based access; mandatory multi-factor authentication for personnel with access to production; documented joiners / movers / leavers process (effective once Flowzart has joiners or leavers beyond the founder); periodic access review.
• Authentication for end users. Password (memory-hard hash), social OAuth, SAML SSO on Enterprise plans; TOTP / WebAuthn 2FA available to all users.
• Network security. WAF + DDoS mitigation at the edge; private subnets and controlled egress for production workloads; mutual-TLS for sensitive internal traffic.
• Application security. Code review (peer review introduced once a second engineer joins); CI gating; SAST and SCA on every build; third-party penetration testing planned as Flowzart can dedicate resources to it; vulnerability-management priorities by severity (critical, high, medium, low).
• Logging & monitoring. Centralised, time-synchronised, retained ≥ 12 months for security and audit logs; alerting that triggers paging on anomaly thresholds; customer-visible workspace audit log.
• Resilience & recovery. Continuous or daily backups to a separate region; documented incident-response plan; business-continuity targets published in the Security Policy as the platform reaches a stability tier that supports them.
• Personnel. Background checks where lawful; written confidentiality obligations; security and privacy training on onboarding and annually thereafter as the team grows; same-day offboarding of access.
• Sub-processor governance. Written contracts with data-protection terms at least as protective as this DPA; pre-engagement security assessment; reassessment as material changes warrant or as our review capacity grows.
• Billing-data protection. The watt-hour ledger and PAYG / Subscription records are replicated and accessible only to the metering pipeline and the Customer's Account view.

Schedule 3: Sub-processors

The categories of Sub-processor Flowzart engages, and an indicative (non-exhaustive) snapshot at the effective date of this DPA, are:

Cloud hosting & managed infrastructure

• Contabo GmbH (Germany) — virtual server hosting for Flowzart's compute infrastructure.
• IONOS SE (Germany) — virtual server hosting for Flowzart's compute infrastructure.
• Tailscale Inc. (Canada / United States) — encrypted private network overlay used to administer Flowzart's infrastructure. Tailscale's DERP relays may transit encrypted traffic between cluster nodes when a direct peer-to-peer connection is unavailable; payload contents are not visible to Tailscale.

Portions of Flowzart's compute run on infrastructure operated directly by Royal Technology Limited and are not subprocessed to third parties.

Payment processing

• Stripe Payments Europe Ltd (Ireland) — payment processing, subscription billing, and PAYG top-up checkout. Limited customer data (email, billing name, masked payment-method details) is shared with Stripe per their data processing terms.

Transactional email & notifications

• Twilio Inc. (United States) — operates SendGrid, used for marketing-list (waitlist) management and administrative transactional email (e.g., contact form forwarding to internal mailboxes).
• Wildbit LLC (United States) — operates Postmark, used for customer-critical transactional email (account, billing, and product notifications).
• Slack Technologies LLC (United States) — internal operational notification channels mirroring waitlist signups and contact-form submissions, providing a fallback record so no submission is lost if email-provider integrations fail.

Customer support tooling

No third-party customer-support tooling is currently in use. Royal Technology Limited tracks internal work in Linear, which does not store customer-identifying data unrelated to the work itself. This Schedule will be updated as a customer-support tool is provisioned.

Error monitoring & performance telemetry

• Functional Software, Inc. (United States, operating as Sentry) — error monitoring and performance telemetry. May incidentally capture limited identifiers in error contexts (user IDs in stack traces, request URLs).

Product analytics

• Google Ireland Limited (Ireland, operating Google Analytics) — web traffic analytics for the Flowzart marketing site.

Additional product-analytics tooling for in-app usage may be added; this Schedule will be updated when new tools are provisioned. Internal dashboards for engineering metrics may be operated on Royal Technology Limited's own infrastructure and are not subprocessed.

All non-EU/EEA Sub-processors above are engaged subject to the Standard Contractual Clauses (SCCs) referenced in this DPA, providing a lawful transfer mechanism for personal data of EU/EEA data subjects.

The authoritative, current list (including the named vendor for each category, the regions in which the vendor processes Customer Personal Data, and the date each Sub-processor was added) is published at flowzart.com/subprocessors.

Schedule 4: Transfer mechanisms

Transfers between the EEA and the United Kingdom are covered by the European Commission's adequacy decision for the UK and the UK's adequacy regulations for the EEA, and are not treated as Restricted Transfers under this DPA.

Where a Restricted Transfer occurs in connection with this DPA, the parties incorporate by reference, and undertake to comply with, the following transfer mechanisms:

• EU SCCs. The Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914, with Module Two applying where Flowzart receives Customer Personal Data from the Customer as Controller, and Module Three applying onward to Sub-processors. The optional docking clause, the optional clauses on third-party beneficiaries, and the local-law option (b) of Clause 17 apply. Clause 17: governing law is the law of an EU member state that allows third-party-beneficiary rights: Bulgaria. Clause 18(b): forum is the courts of the same member state. Annexes I, II, and III to the SCCs are populated by Schedule 1, Schedule 2, and Schedule 3 respectively, with the Customer as data exporter and Flowzart as data importer.
• UK IDTA. For transfers subject to the UK GDPR, the EU SCCs as incorporated above are amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018. Tables 1, 2, and 3 of the IDTA are populated by reference to the corresponding SCC annexes; Table 4 (ending the Addendum) is set so that either party may end the IDTA in accordance with its terms.
• Swiss amendments. For transfers subject to the Swiss FADP, the SCCs are amended so that references to GDPR are read as references to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and the governing law and forum are Switzerland.
• EU-U.S. Data Privacy Framework. Where the recipient is self-certified under the EU-U.S. Data Privacy Framework (or its UK Extension or Swiss-U.S. counterpart) at the time of the transfer, the parties may instead rely on that mechanism. If the recipient's certification lapses, the SCCs (and IDTA / Swiss amendments where applicable) automatically apply.

Where new transfer mechanisms are issued by the European Commission, the UK Information Commissioner, or other competent authority that supersede those above, the parties agree to treat such mechanisms as automatically incorporated into this Schedule 4 from the date they take effect, to the extent they apply to the relevant Restricted Transfer.

Effective: 2026-05-06 · v1.0