Legal
Data Processing Agreement
This page summarises the FlowChat Data Processing Agreement (DPA), the GDPR Article 28 controller-to-processor terms that apply when FlowChat processes personal data on a customer’s behalf. The complete signed DPA, with Standard Contractual Clauses (SCCs) and the current sub-processor appendix, is available on request.
Roles
For data your tenant routes through FlowChat — queries from your end users, content from your authorised crawl sources, your admin users’ account data — you are the controller and FlowChat is the processor. We process strictly per your documented instructions (i.e., the configuration in your admin panel).
Sub-processors
Cloudflare Inc. (Workers AI, Vectorize, R2, D1, KV, AI Gateway, Browser Rendering, Logpush). Anthropic PBC (Claude Sonnet 4.6 via AI Gateway, opt-in for premium routing). Cohere Inc. (Rerank 3.5 via AI Gateway). Stripe Inc. (billing). Postmarkapp / ActiveCampaign (transactional and marketing email). The current list and any regional residency notes are maintained in the DPA appendix and updated with 30-day advance notice.
International transfers
The Cloudflare data plane runs on globally distributed primitives. Personal data may be processed in the EU, US, UK, Australia, or other Cloudflare regions per the configured routing policy. SCC Module 2 (controller-to-processor) is incorporated by reference for any transfer that requires it under GDPR.
Security measures
Encryption at rest (R2, D1, Vectorize) and in transit (TLS 1.2+). Per-tenant logical isolation enforced at every layer. Immutable audit log via Logpush to R2 with object-lock retention. Access controls per least-privilege; admin-panel access requires SSO on Enterprise. Full posture documented at /security.
Personal data breach
We notify the customer’s designated security contact without undue delay (target: within 24 hours of confirmation), with the information GDPR Article 33(3) requires. The notification flow is an automated webhook plus follow-up email, both signed by security@flowchat.com.
Data subject rights
We assist customers in responding to data subject access, rectification, erasure, and portability requests. Tenants can self-serve query deletion via the admin panel; bulk exports are available within 5 business days.
Audit
Customers may, at their cost, audit FlowChat’s controls annually with reasonable advance notice. We provide our SOC2 report (Type I currently, Type II in progress) under NDA, which satisfies most audit obligations without an on-site visit.
Termination & deletion
On contract termination, personal data is deleted within 30 days, except where the immutable audit log retention window mandated by Enterprise contract requires longer (max 7 years). Deletion is confirmed in writing via legal@flowchat.com.
Request the signed DPA
Email legal@flowchat.com with your company name and the email address you want the executed copy sent to. We use a self-serve DocuSign flow; turnaround is usually under one business day.