Skip to main content

Data Processing Agreement

Version
1.0.0
Effective date
2026-01-01

This document is provided as a template. Review with legal counsel before production use.

Introduction

This Data Processing Agreement ("DPA") supplements the Terms of Service between you ("Customer") and AACFlow ("Processor") when Customer's use of the Service involves the processing of personal data subject to data-protection law. This DPA applies automatically when Customer is established in the EEA, UK, Switzerland, or another applicable jurisdiction.

Definitions

Terms such as "personal data", "processing", "data subject", "controller", "processor", "subprocessor", and "supervisory authority" have the meaning given in the applicable law (including GDPR Article 4).

Scope and duration

This DPA applies to any processing of Customer personal data carried out by Processor on behalf of Customer in the course of providing the Service. It remains in effect for the duration of the Agreement and, for some obligations, after termination.

Roles of the parties

Customer is the controller of personal data processed through the Service. Processor acts as a processor and will process personal data only on Customer's documented instructions, except where otherwise required by applicable law.

Subprocessors

Customer provides general authorization for Processor to engage subprocessors listed in the current subprocessor register, which is available on request or in the admin console. Processor will notify Customer of any intended changes to the list and give Customer the opportunity to object on reasonable grounds.

Security measures

Processor maintains technical and organizational measures including encryption in transit and at rest, access controls, logging, regular security review, and personnel confidentiality obligations. A detailed description is available on request.

Data subject requests

Processor will provide reasonable assistance to Customer in responding to data-subject requests to exercise rights under applicable law, including access, correction, deletion, portability, and objection. Where a request is received directly by Processor, Processor will forward it to Customer without undue delay.

Breach notification

Processor will notify Customer without undue delay after becoming aware of a personal data breach and will provide reasonable information to assist Customer in meeting its own notification obligations under applicable law.

International transfers

Where Processor transfers Customer personal data outside the EEA, UK, or Switzerland, such transfers are subject to Standard Contractual Clauses or another approved transfer mechanism incorporated by reference in this DPA.

Return or deletion of data

Upon termination of the Agreement, Processor will, at Customer's choice, delete or return all Customer personal data, subject to a retention period strictly necessary to comply with legal obligations.

Liability

The liability of each party under this DPA is subject to the limitations of liability in the Terms of Service, subject to any mandatory limits imposed by applicable law.

Contact

Notices and DPA-related requests should be directed to dpo@aacflow.example.