Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or any other agreement between:

Manuel Ogomigo LLC, a United States limited liability company (“Flowdrive”, “Processor”, “we”, “us”) and The Customer (“Controller”, “you”), together referred to as the “Parties”.

This DPA governs the processing of Personal Data by Flowdrive on behalf of the Customer in connection with the Flowdrive platform and services (“Services”). By using the Services, Customer agrees to this DPA.

1. Definitions

For purposes of this DPA:

“Applicable Data Protection Laws”

means all laws governing Personal Data processing, including GDPR (EU Regulation 2016/679), UK GDPR and Data Protection Act 2018, Swiss FADP, CCPA/CPRA (California), and any other applicable privacy laws.

“Personal Data”

means any information relating to an identified or identifiable individual.

“Processing”

means any operation performed on Personal Data.

“Subprocessor”

means any third party engaged by Flowdrive to process Personal Data.

“Customer Data”

means all data submitted to the Services by or on behalf of Customer, including Personal Data.

“Data Subject”

means the individual to whom Personal Data relates.

2. Roles of the Parties

3. Scope of Processing

Flowdrive processes Personal Data only to provide the Services, including:

• File storage and hosting
• File delivery and CDN distribution
• Upload and download functionality
• Access control and permissions
• User account management
• Analytics and usage monitoring (if enabled)
• Customer support
• Billing and account administration
• Security monitoring and abuse prevention

4. Categories of Data

5. Categories of Data Subjects

• Customer employees and team members
• End users accessing Customer content
• Clients or customers of Customer
• Any individuals included in uploaded files
• Visitors interacting with shared links

6. Customer Obligations

Customer is responsible for:

• Ensuring lawful basis for processing Personal Data
• Providing privacy notices to Data Subjects
• Obtaining necessary consents
• Ensuring data accuracy and legality
• Configuring access controls appropriately
• Not uploading unlawful or infringing data

Customer must NOT upload:

• Special category data (health, biometrics, political opinions, etc.) unless explicitly agreed
• Illegal or regulated data without compliance safeguards

7. Flowdrive Obligations

Flowdrive shall:

• Process Personal Data only on documented instructions
• Maintain confidentiality of personnel
• Implement appropriate security measures
• Assist Customer with Data Subject requests
• Assist with GDPR compliance obligations
• Notify Customer of breaches without undue delay
• Delete or return Personal Data upon termination
• Not use Personal Data for advertising or profiling

8. No Selling or AI Training

9. Security Measures

Flowdrive implements industry-standard technical and organizational safeguards, including:

10. Subprocessors

Customer authorizes Flowdrive to use Subprocessors. A current list is maintained in Annex B.

Flowdrive ensures all subprocessors:

• Sign data protection agreements
• Maintain GDPR-level safeguards
• Only process data for specified purposes

11. International Transfers

11.1 Data Residency

Flowdrive is configured to process and store Customer Data in Cloudflare’s Western Europe (EU) region by default. Flowdrive does not guarantee exclusive data residency in any specific jurisdiction unless explicitly agreed in writing.

11.2 Transfer Mechanisms

Personal Data may be processed outside the EEA, UK, or Switzerland. Where required, Flowdrive relies on:

• EU Standard Contractual Clauses (SCCs)
• UK International Data Transfer Addendum
• Swiss equivalent safeguards

Appropriate safeguards (encryption, access controls, contractual protections) are applied.

11.3 Order of Precedence

In case of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses take precedence.

12. Data Subject Rights

Flowdrive will assist Customer in responding to requests for:

If Flowdrive receives a request directly, it will forward it to Customer unless legally prohibited.

13. Data Breach Notification

Flowdrive will notify Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach.

Notification will include:

• Nature of the breach
• Data affected
• Likely consequences
• Remediation steps

14. Data Retention and Deletion

Upon termination:

• Customer Data is deleted within 30–90 days from active systems
• Backups are deleted according to retention cycles (up to ~90 additional days)
• Logs may be retained for security purposes for limited periods

Customer may request earlier deletion.

15. Audits

Customer may request reasonable information to demonstrate compliance. Audits:

• Limited to once per year unless required otherwise
• Must not disrupt operations
• May rely on third-party security reports (SOC 2, etc.) where available

16. Limitation of Liability

Liability is governed by the main Terms of Service agreement.

17. Term and Termination

This DPA remains in effect for as long as Flowdrive processes Customer Data.

Obligations regarding confidentiality, deletion, and liability survive termination.

18. Governing Law

This DPA is governed by the laws applicable to the main Agreement (United States), unless otherwise required by applicable data protection law.

19. Flowdrive Contact

For all privacy and data protection matters:

Annex A — Technical & Organizational Measures

Flowdrive maintains the following safeguards:

• · TLS encryption in transit
• · AES-256 encryption at rest
• · MFA for all internal systems
• · Role-based access control
• · Secure API authentication
• · WAF + DDoS protection via Cloudflare
• · Continuous monitoring and logging
• · Vulnerability scanning and patching
• · Incident response procedures
• · Regular backup and restore testing
• · Production/staging separation

Annex B — Subprocessor Details

The following third parties process Personal Data on Flowdrive’s behalf: