Legal · Data Protection # Data Processing Agreement

 How Flowdrive processes Personal Data on behalf of our customers — including security,
				subprocessors, and your rights as a Data Subject.

 Last updated: March 10, 2026 · Version 1.0

 Long read? Ask AI to summarize this agreement. https://chatgpt.com/?q=Summarize%20Flowdrive https://claude.ai/new?q=Summarize%20Flowdrive https://gemini.google.com/app?q=Summarize%20Flowdrive https://grok.com/?q=Summarize%20Flowdrive https://www.perplexity.ai/search?q=Summarize%20Flowdrive

  This Data Processing Agreement (“**DPA**”) forms part of the
							Terms of Service or any other agreement between:

 **Manuel Ogomigo LLC**, a United States limited liability company
							(“**Flowdrive**”, “**Processor**”,
							“**we**”, “**us**”) and **The Customer** (“**Controller**”, “**you**”), together referred to as the “**Parties**”.

 This DPA governs the processing of Personal Data by Flowdrive on behalf of the
							Customer in connection with the Flowdrive platform and services (“**Services**”). By using the Services, Customer agrees to this DPA.

 ## 1. Definitions

 For purposes of this DPA:

 “Applicable Data Protection Laws” means all laws governing Personal Data processing, including GDPR (EU Regulation
									2016/679), UK GDPR and Data Protection Act 2018, Swiss FADP, CCPA/CPRA
									(California), and any other applicable privacy laws.

 “Personal Data” means any information relating to an identified or identifiable individual.

 “Processing” means any operation performed on Personal Data.

 “Subprocessor” means any third party engaged by Flowdrive to process Personal Data.

 “Customer Data” means all data submitted to the Services by or on behalf of Customer, including
									Personal Data.

 “Data Subject” means the individual to whom Personal Data relates.

 ## 2. Roles of the Parties

 ### 2.1 Customer is the Controller

 Customer determines the purpose and means of processing Personal Data.

 ### 2.2 Flowdrive is the Processor

 Flowdrive processes Personal Data solely on behalf of Customer.

 2.3 If Customer acts as a processor for a third party, Customer guarantees it has
									authority to appoint Flowdrive as Subprocessor.

 ## 3. Scope of Processing

 Flowdrive processes Personal Data only to provide the Services, including:

 - File storage and hosting
 - File delivery and CDN distribution
 - Upload and download functionality
 - Access control and permissions
 - User account management
 - Analytics and usage monitoring (if enabled)
 - Customer support
 - Billing and account administration
 - Security monitoring and abuse prevention

 ## 4. Categories of Data

 ### 4.1 Personal Data

 - Name
 - Email address
 - IP address
 - Device and browser information
 - User IDs
 - Account credentials (hashed passwords)

 ### 4.2 Usage Data

 - Access logs
 - Activity logs
 - Feature usage events
 - Error logs

 ### 4.3 Customer Content

 - Files uploaded by Customer or end users
 - Metadata (file names, folders, tags)
 - Embedded Personal Data inside uploaded content

 ### 4.4 Billing Data

 Processed by payment providers:

 - Name
 - Billing address
 - Payment status
 - Transaction identifiers

 ## 5. Categories of Data Subjects

 - Customer employees and team members
 - End users accessing Customer content
 - Clients or customers of Customer
 - Any individuals included in uploaded files
 - Visitors interacting with shared links

 ## 6. Customer Obligations

 Customer is responsible for:

 - Ensuring lawful basis for processing Personal Data
 - Providing privacy notices to Data Subjects
 - Obtaining necessary consents
 - Ensuring data accuracy and legality
 - Configuring access controls appropriately
 - Not uploading unlawful or infringing data

 Customer must NOT upload:

 - Special category data (health, biometrics, political opinions, etc.) unless explicitly agreed
 - Illegal or regulated data without compliance safeguards

 ## 7. Flowdrive Obligations

 Flowdrive shall:

 - Process Personal Data only on documented instructions
 - Maintain confidentiality of personnel
 - Implement appropriate security measures
 - Assist Customer with Data Subject requests
 - Assist with GDPR compliance obligations
 - Notify Customer of breaches without undue delay
 - Delete or return Personal Data upon termination
 - Not use Personal Data for advertising or profiling

 ## 8. No Selling or AI Training

 Flowdrive explicitly agrees:

 - ✓ We do **NOT** sell Personal Data
 - ✓ We do **NOT** share Personal Data for advertising purposes
 - ✓ We do **NOT** use Customer Data to train AI or machine learning models
 - ✓ We do **NOT** use Customer Content for product development outside providing the Services

 ## 9. Security Measures

 Flowdrive implements industry-standard technical and organizational safeguards,
							including:

 ### 9.1 Access Controls

 - Role-based access control
 - MFA for administrative access
 - Least privilege principles

 ### 9.2 Encryption

 - TLS 1.2+ in transit
 - AES-256 encryption at rest

 ### 9.3 Infrastructure

 - Hosted on Cloudflare
 - DDoS protection and WAF
 - Network segmentation

 ### 9.4 Monitoring

 - Access logging
 - Anomaly detection
 - Audit trails

 ### 9.5 Development Security

 - Code reviews
 - Vulnerability scanning
 - Secure SDLC practices

 ## 10. Subprocessors

 Customer authorizes Flowdrive to use Subprocessors. A current list is maintained in [Annex B](#annex-b).

 Flowdrive ensures all subprocessors:

 - Sign data protection agreements
 - Maintain GDPR-level safeguards
 - Only process data for specified purposes

 Change notification

 Customers will be notified of material changes to subprocessors with reasonable
								advance notice (typically at least 30 days) before the change takes effect.
								Customers may object to a new subprocessor for legitimate data-protection reasons by
								contacting [privacy@flowdrive.app](mailto:privacy@flowdrive.app). If no acceptable resolution is reached, the Customer may terminate the affected
								Services without penalty for the unused portion of the term.

 ## 11. International Transfers

 ### 11.1 Data Residency

 Flowdrive is configured to process and store Customer Data in Cloudflare’s
							Western Europe (EU) region by default. Flowdrive does not guarantee exclusive data
							residency in any specific jurisdiction unless explicitly agreed in writing.

 ### 11.2 Transfer Mechanisms

 Personal Data may be processed outside the EEA, UK, or Switzerland. Where required,
							Flowdrive relies on:

 - EU Standard Contractual Clauses (SCCs)
 - UK International Data Transfer Addendum
 - Swiss equivalent safeguards

 Appropriate safeguards (encryption, access controls, contractual protections) are
							applied.

 ### 11.3 Order of Precedence

 In case of conflict between this DPA and the Standard Contractual Clauses, the
							Standard Contractual Clauses take precedence.

 ## 12. Data Subject Rights

 Flowdrive will assist Customer in responding to requests for:

 Access

Correction

Deletion

Portability

Restriction

Objection

 If Flowdrive receives a request directly, it will forward it to Customer unless
							legally prohibited.

 ## 13. Data Breach Notification

 Flowdrive will notify Customer **without undue delay**, and where
							feasible within **72 hours**, after becoming aware of a Personal Data
							Breach.

 Notification will include:

 - Nature of the breach
 - Data affected
 - Likely consequences
 - Remediation steps

 ## 14. Data Retention and Deletion

 Upon termination:

 - Customer Data is deleted within 30–90 days from active systems
 - Backups are deleted according to retention cycles (up to ~90 additional days)
 - Logs may be retained for security purposes for limited periods

 Customer may request earlier deletion.

 ## 15. Audits

 Customer may request reasonable information to demonstrate compliance. Audits:

 - Limited to once per year unless required otherwise
 - Must not disrupt operations
 - May rely on third-party security reports (SOC 2, etc.) where available

 ## 16. Limitation of Liability

 Liability is governed by the main Terms of Service agreement.

 ## 17. Term and Termination

 This DPA remains in effect for as long as Flowdrive processes Customer Data.

 Obligations regarding confidentiality, deletion, and liability survive termination.

 ## 18. Governing Law

 This DPA is governed by the laws applicable to the main Agreement (United States),
							unless otherwise required by applicable data protection law.

 ## 19. Flowdrive Contact

 For all privacy and data protection matters:

 Manuel Ogomigo LLC (Flowdrive)

 General [manuel@tryflowdrive.com](mailto:manuel@tryflowdrive.com)

 Privacy [support@tryflowdrive.com](mailto:support@tryflowdrive.com)

 Security [support@tryflowdrive.com](mailto:support@tryflowdrive.com)

 ## Annex A — Technical & Organizational Measures

 Flowdrive maintains the following safeguards:

 - · TLS encryption in transit
- · AES-256 encryption at rest
- · MFA for all internal systems
- · Role-based access control
- · Secure API authentication
- · WAF + DDoS protection via Cloudflare
- · Continuous monitoring and logging
- · Vulnerability scanning and patching
- · Incident response procedures
- · Regular backup and restore testing
- · Production/staging separation

 ## Annex B — Subprocessor Details

 The following third parties process Personal Data on Flowdrive’s behalf:

 ProviderPurposeRegionCloudflareInfrastructure, CDN, storageGlobalStripePaymentsUS / EUPostHogAnalyticsEU / USSendPulseEmail deliveryEU / USSentryError trackingGlobal