Legal

Data Processing Agreement

Effective: 2026-04-10 · Last updated: 2026-04-10 · Version 0.1 (Draft)

This Data Processing Agreement ("DPA") forms part of the Flownex Terms of Service between Flownex Ltd ("Processor", "we") and the customer identified in the main agreement ("Controller", "you"). It applies whenever Flownex processes personal data on behalf of the Controller under the UK GDPR, EU GDPR, and applicable data protection laws.

1. Definitions

"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation 2016/679), and any other data protection laws applicable to the processing.
"Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject" have the meanings given in Applicable Data Protection Law.
"Services" means the Flownex Android Studio plugin, backend, and related offerings provided under the Flownex Terms of Service.

2. Roles and scope

The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data on behalf of and in accordance with the Controller's documented instructions. The types and categories of Personal Data processed are set out in Exhibit A.

3. Processor obligations

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries.
Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
Implement appropriate technical and organisational measures (see Exhibit B).
Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
Notify the Controller without undue delay — and in any event within 48 hours — upon becoming aware of a Personal Data breach affecting Controller Personal Data.
Assist the Controller in carrying out Data Protection Impact Assessments (DPIAs) and consultations with supervisory authorities where required.
Delete or return all Personal Data to the Controller upon termination of the Services, unless Union or Member State law requires retention.
Make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 UK/EU GDPR.

4. Sub-processors

The Controller provides general authorisation for the Processor to engage the sub-processors listed in Exhibit C. The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object on reasonable grounds within 30 days of notification.

5. International transfers

Where Personal Data is transferred outside the UK or EEA, the parties rely on: (a) an adequacy decision by the UK government or European Commission where available, or (b) Standard Contractual Clauses (SCCs) incorporated into this DPA by reference, with supplementary measures where required by Schrems II.

6. Audit rights

The Controller may, upon reasonable notice and no more than once per year (except in response to a confirmed breach), audit the Processor's compliance with this DPA. In lieu of an on-site audit, the Processor may provide independent third-party audit reports (such as a SOC 2 Type II report, once available) and respond to a reasonable written security questionnaire.

7. Liability and term

This DPA takes effect on the Effective Date and remains in force for as long as the Processor processes Personal Data on behalf of the Controller. Liability under this DPA is subject to the limitation of liability set out in the Flownex Terms of Service.

Exhibit A

Details of processing

A.1 Subject matter

Provision of the Flownex AI execution platform (plugin and backend) to the Controller.

A.2 Duration

For the duration of the Controller's active Flownex subscription, plus retention periods set out in the Privacy Policy.

A.3 Nature and purpose

Account management, WorkUnit lifecycle tracking, billing, support, security monitoring, and service improvement. The Processor does not process source code, LLM prompts, LLM responses, or third-party tool content (Jira, Linear, Figma, Sentry) on its servers — these are processed directly between the plugin and the relevant third-party service under the Controller's direct control.

A.4 Categories of Data Subjects

Controller's authorised users (developers, team admins, billing contacts).
Controller's organisation administrators.

A.5 Categories of Personal Data

Identifiers: user ID (UUID), email address, full name (optional), OAuth provider identifier.
Authentication: bcrypt password hash, JWT tokens, session identifiers.
Account metadata: tier, organisation membership, role, created/updated timestamps.
Usage metadata: WorkUnit ID, status, node name, retry count, outcome, timestamps, execution mode, target framework.
Billing: subscription tier, Stripe customer ID, billing email.
Optional plugin diagnostics: anonymised crash reports and performance metrics (only if opted in).

A.6 Special category data

Flownex does not require or intentionally process any special category Personal Data under Article 9 UK/EU GDPR. The Controller agrees not to submit special category data to the Services.

Exhibit B

Technical and organisational measures

Encryption in transit: TLS 1.3 for all client–backend and backend–sub-processor connections.
Encryption at rest: AES-256 for database volumes. Secrets encrypted via the hosting provider's KMS.
Authentication: JWT (RS256 with 2048-bit keys), 24-hour access token, 7-day refresh token, revocation list in Redis.
Password storage: bcrypt with work factor 12.
Access control: role-based access control at the application level, Postgres row-level security, principle of least privilege for internal admin access.
Network security: Fly.io Frankfurt with default-deny firewall, outbound allow-list for sub-processors.
Logging & monitoring: 30-day audit logs (no code content), Sentry for backend exceptions, rate limiting on authentication endpoints.
Secure development: Semgrep + Snyk Code in CI, OWASP Dependency Check, JetBrains Plugin Verifier, 30-payload LLM injection regression test suite.
Penetration testing: 6-phase pentest plan (static analysis, dynamic plugin, backend API, LLM security, integration security, supply chain) executed before each major release.
Backup: daily encrypted Postgres snapshots retained for 30 days.
Incident response: written incident response plan, 48-hour breach notification commitment.
Data minimisation: backend has no API endpoint that accepts source code, LLM prompts, or LLM responses. Architectural boundary, not a policy setting.

Exhibit C

Authorised sub-processors

Sub-processor	Purpose	Location
Fly.io	Backend application hosting	Frankfurt (EU)
Fly.io Postgres / Supabase	Managed database	Frankfurt (EU)
Upstash Redis	Rate limiting, session cache, token revocation list	Frankfurt (EU)
Stripe	Payment processing	US / EU (SCCs in place)
Sentry (EU region)	Backend error tracking — source code never included in payloads	EU
Postmark or Resend	Transactional email (email verification, password reset, receipts)	US (SCCs in place)

This list is subject to change with prior notice to the Controller. The current list is always available at this URL.

Signatures

By accepting the Flownex Terms of Service or executing a separate Order Form that incorporates this DPA by reference, both parties acknowledge and agree to be bound by this DPA.

Processor: Flownex Ltd · [REGISTERED ADDRESS] · legal@flownex.dev
Controller: as identified in the Flownex account or Order Form.

This DPA is governed by the laws of England and Wales. In case of conflict between this DPA and the Flownex Terms of Service, this DPA controls with respect to the processing of Personal Data.