Data Processing Addendum

Effective Date: 16 October 2025

Data Processor: dFlo.ai Pte. Ltd. (UEN 202437210N)

Address: 20 Collyer Quay #09-01, Singapore (049319)

This DPA forms part of and supplements the Terms of Service between dFlo.ai and Customer.

1. Purpose and Scope

1.1 This DPA governs the processing of Personal Data that dFlo.ai performs on behalf of the Customer under the TOS.

1.2 The DPA ensures compliance with all Applicable Privacy Laws, including the EU GDPR, UK GDPR, Singapore PDPA, Japan APPI, Malaysia PDPA, Indonesia PDP Law, China PIPL, California CPRA, and equivalent global regulations.

1.3 In the event of conflict between this DPA and the TOS, this DPA prevails for matters concerning Personal Data.

2. Definitions

"Personal Data": any information relating to an identified or identifiable natural person.

"Processing / Process": any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor": a third party engaged by dFlo.ai to process Personal Data on behalf of the Customer.

"Data Subject": the individual whose Personal Data is processed.

"Applicable Privacy Laws": the data-protection laws applicable to each party's processing activities.

"Sensitive Personal Data": categories of data afforded enhanced protection (health, biometrics, beliefs, sexual orientation, etc.).

3. Roles of the Parties

3.1 The Customer acts as the Controller, determining the purposes and means of processing.

3.2 dFlo.ai acts as the Processor, processing Personal Data only on documented instructions from the Customer.

3.3 If dFlo.ai acts as a Controller for certain data (e.g., billing, user-account management, or marketing leads), that processing is governed by dFlo.ai's public Privacy Policy and not this DPA.

4. Nature and Purpose of Processing

Purpose: To provide and improve the dFlo.ai agentic-AI SaaS platform, automation services, and professional support.

Duration: For the term of the TOS plus 30 days thereafter for retrieval and deletion.

Categories of Data Subjects: Customer's users, employees, contractors, clients, suppliers, or other individuals whose data is submitted to the platform.

Categories of Personal Data: identifiers, contact data, device identifiers, login data, activity logs, uploaded content, and where applicable, Sensitive Personal Data processed under explicit consent.

5. Processor Obligations

dFlo.ai shall:

  • Process Personal Data only on the Customer's lawful instructions and as necessary to provide the Services;
  • Ensure persons authorized to process Personal Data are bound by confidentiality;
  • Maintain a record of processing activities;
  • Implement appropriate technical and organizational security measures;
  • Not sell, rent, or use Personal Data for any purpose other than fulfilling the Services;
  • Notify the Customer promptly if an instruction appears to infringe Applicable Privacy Laws.

6. Security Measures

6.1 dFlo.ai maintains industry-standard safeguards including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3);
  • Multi-factor authentication and role-based access;
  • Network segregation and firewalls;
  • Continuous monitoring, vulnerability scanning, and patch management;
  • Secure development lifecycle (SDLC) and code review;
  • Data-center compliance with ISO 27001 or SOC 2 Type II;
  • Business-continuity and disaster-recovery plans.

6.2 A full summary of technical and organizational measures (TOMs) is available upon request.

7. Data Subject Rights

7.1 dFlo.ai shall, to the extent permitted by law, assist the Customer in fulfilling requests for:

  • Access, rectification, and erasure ("right to be forgotten");
  • Restriction of processing;
  • Portability;
  • Objection to automated decision-making.

7.2 Customer bears responsibility for verifying the requester's identity and the legality of the request.

8. Sub-processors

8.1 dFlo.ai may engage Sub-processors to provide hosting, infrastructure, support, or analytics.

8.2 A current list is published at https://dflo.ai/legal/subprocessors.

8.3 dFlo.ai shall:

  • Ensure each Sub-processor is bound by data-protection obligations no less protective than this DPA;
  • Remain liable for Sub-processor acts or omissions;
  • Provide notice of new Sub-processors; Customer may object on reasonable grounds within 15 days.

9. International Data Transfers

9.1 Transfers outside the originating jurisdiction will be conducted under one or more of:

  • EU Standard Contractual Clauses (SCC 2021/914);
  • UK International Data Transfer Addendum (IDTA);
  • Singapore PDPA Part IX requirements;
  • Japan APPI cross-border safeguards;
  • Other legally recognized transfer mechanisms or explicit consent.

9.2 If any mechanism becomes invalid, dFlo.ai will cooperate in good faith to establish a valid alternative.

10. Breach Notification

In the event of a Personal Data Breach, dFlo.ai shall:

  • Notify Customer without undue delay (no later than 72 hours where feasible);
  • Describe the nature, affected data categories, likely consequences, and mitigation measures;
  • Cooperate with Customer to meet reporting obligations to regulators and affected individuals.

11. Retention and Deletion

11.1 Upon termination of the Services, Personal Data will be retained for 30 days for retrieval.

11.2 After that period, data will be securely deleted or anonymized from production and backup systems unless retention is legally required.

11.3 Certification of deletion shall be provided upon written request.

12. Audit and Compliance

12.1 dFlo.ai will make available information necessary to demonstrate compliance, including independent audit summaries (SOC 2, ISO 27001).

12.2 Customer may, at its expense, conduct a reasonable audit (once per year) or review audit reports, subject to confidentiality and minimal disruption to operations.

12.3 If requested, the parties shall execute a mutual non-disclosure agreement prior to the audit.

13. Sensitive Personal Data

13.1 Processing of Sensitive Personal Data requires explicit consent and lawful basis under Applicable Privacy Laws.

13.2 dFlo.ai shall apply additional safeguards, including restricted access controls, pseudonymization, encryption, and separation of environments.

13.3 Customer is responsible for obtaining, documenting, and maintaining valid consent from Data Subjects.

14. Cooperation and Recordkeeping

dFlo.ai shall cooperate with supervisory authorities and maintain records of categories of processing activities performed on behalf of Customers as required by Article 30 GDPR and equivalent laws.

15. Liability and Indemnity

15.1 Liability of each party under this DPA is subject to the limitations set forth in the TOS.

15.2 Each party shall be responsible for damages or regulatory fines only to the extent such breach results from its own failure to comply with this DPA or Applicable Privacy Laws.

16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Singapore. Any dispute shall be resolved by arbitration under the SIAC Rules in English before one arbitrator seated in Singapore.

17. Miscellaneous

  • Amendments must be in writing signed by both parties.
  • If any provision is invalid, the remainder remains in effect.
  • This DPA may be executed electronically and forms part of the TOS.

Exhibit A – Data Processing Details

Purpose of Processing: Operation, maintenance, and improvement of the dFlo.ai agentic-AI SaaS platform

Nature of Processing: Hosting, storage, computation, AI inference, workflow execution, analytics

Categories of Data Subjects: Customer's users, clients, employees, suppliers, contractors

Categories of Personal Data: Identifiers, contact info, device data, credentials, text, uploaded files, AI prompt and output data

Sensitive Data (if any): Health or biometric data processed under explicit consent

Retention: 30 days post-termination, then deletion/anonymization

Data Transfers: May include Singapore, Japan, EU, UK, USA, India, Africa, and MEA regions, with lawful transfer mechanisms

Sub-processors: Published and updated at https://dflo.ai/legal/subprocessors

Security Measures: Encryption, access control, network isolation, audit logs, vulnerability management, incident response