Data Processing Agreement

Last updated: February 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Agreement between FlowLoom and the Customer for the provision of web automation services. This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, or deletion.
  • "Data Controller" means the Customer who determines the purposes and means of Processing.
  • "Data Processor" means FlowLoom, which Processes Personal Data on behalf of the Data Controller.

3. Processing Instructions

FlowLoom will only Process Personal Data in accordance with the Customer's documented instructions. The Customer instructs FlowLoom to Process Personal Data to provide the Service.

4. Security Measures

FlowLoom implements appropriate technical and organizational measures:

  • Encryption of Personal Data at rest and in transit
  • Access controls and authentication
  • Regular security testing and audits
  • Employee training on data protection
  • Incident response procedures
  • Business continuity and disaster recovery

5. Sub-processors

The Customer authorizes FlowLoom to engage sub-processors for the provision of the Service. FlowLoom maintains a list of sub-processors and will notify the Customer of any changes.

6. Data Subject Rights

FlowLoom will assist the Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws.

7. Data Breach Notification

FlowLoom will notify the Customer without undue delay after becoming aware of a Personal Data breach and will provide information necessary to enable the Customer to meet its breach notification obligations.

8. International Transfers

Personal Data may be transferred outside the EEA only in compliance with applicable Data Protection Laws, using appropriate safeguards such as Standard Contractual Clauses.

9. Audits

FlowLoom will make available information necessary to demonstrate compliance with this DPA and allow for audits. FlowLoom maintains SOC 2 Type II certification and ISO 27001 readiness.

10. Term and Termination

This DPA shall remain in effect until termination of the Agreement. Upon termination, FlowLoom will delete or return all Personal Data as instructed by the Customer.