Last Updated: February 28, 2026
This Data Processing Agreement ("DPA") applies between Midnight Coders, Inc. ("Company," "Processor," "we," or "us"), a Texas corporation with its principal office at 539 W. Commerce St, Suite 2023, Dallas, TX 75208, and any Customer who has agreed to the FlowRunner Terms of Service (the "Agreement"), to the extent that the Company Processes Customer Personal Data subject to applicable Data Protection Laws.
This DPA is incorporated into and forms part of the Agreement. By agreeing to the Agreement, the Customer agrees to this DPA. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing and protection of Personal Data.
This DPA applies when the Processing of Customer Personal Data is subject to the European General Data Protection Regulation (EU) 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Texas Data Privacy and Security Act ("TDPSA"), or any other applicable data protection legislation (collectively, "Data Protection Laws").
Where the Customer has entered into a separate Master Service Agreement or Enterprise Agreement with the Company, this DPA supplements that agreement. Enterprise Customers who require a countersigned copy of this DPA for their compliance records may contact legal@flowrunner.ai to request an executable version.
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
"Customer Personal Data" means any Personal Data that is uploaded to, transmitted through, stored in, or processed using the Service by or on behalf of the Customer, including data processed through Workflows, AI Agents, Human-in-Loop interactions, and MCP server connections. Customer Personal Data does not include Account Data (as defined in our Privacy Policy) that the Company collects as a controller.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, FADP, CCPA/CPRA, TDPSA, and any other applicable data protection or privacy legislation, as amended from time to time.
"Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in the applicable Data Protection Laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"Processing" (and "Process") means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"SCCs" means the Standard Contractual Clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, and any successor or replacement clauses.
"Sub-Processor" means any third party engaged by the Company to Process Customer Personal Data on behalf of the Customer in connection with the Service.
"Supervisory Authority" means an independent public authority established by an EU/EEA Member State, the UK Information Commissioner's Office, or any other competent data protection authority under applicable Data Protection Laws.
"Technical and Organizational Measures" or "TOMs" means the security measures described in Annex II of this DPA.
For the purposes of this DPA:
(a) The Customer is the Controller (or, where the Customer itself acts as a processor on behalf of a third-party controller, the Customer is a Processor) of Customer Personal Data.
(b) The Company is the Processor (or, where the Customer acts as a Processor, the Company is a Sub-Processor) of Customer Personal Data.
Where the Customer acts as a Processor, the Customer represents and warrants that: (i) it has obtained all necessary authorizations from the relevant Controller to engage the Company as a Sub-Processor; (ii) its instructions to the Company comply with the instructions of the relevant Controller; and (iii) it has entered into a data processing agreement with the relevant Controller that is compliant with applicable Data Protection Laws.
The subject matter, duration, nature and purpose of processing, types of Customer Personal Data, and categories of Data Subjects are described in Annex I of this DPA.
The Company shall Process Customer Personal Data only: (a) to provide, operate, and maintain the Service as described in the Agreement; (b) in accordance with the Customer's documented instructions as set forth in the Agreement, this DPA, and any subsequent written instructions agreed to by the parties; and (c) as required by applicable law, in which case the Company shall (to the extent permitted by law) inform the Customer of the legal requirement before Processing.
The Customer is responsible for:
(a) Ensuring that it has a lawful basis for Processing Customer Personal Data and for instructing the Company to Process Customer Personal Data on its behalf;
(b) Ensuring that all necessary consents, notices, and authorizations have been obtained from Data Subjects or other relevant parties as required by applicable Data Protection Laws;
(c) Determining the lawfulness and appropriateness of any Customer Personal Data transmitted through the Service, including through Workflows, AI Agents, Human-in-Loop interactions, and MCP server connections;
(d) Configuring the Service appropriately for the sensitivity and regulatory classification of the Customer Personal Data being processed, including selecting a Subscription Plan with adequate compliance features.
The Company shall:
(a) Process Customer Personal Data only on documented instructions from the Customer, unless required to do so by applicable law;
(b) Immediately inform the Customer if, in the Company's reasonable opinion, an instruction from the Customer infringes applicable Data Protection Laws;
(c) Ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(d) Implement and maintain the Technical and Organizational Measures described in Annex II;
(e) Comply with the Sub-Processor requirements set forth in Section 4;
(f) Assist the Customer in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, as described in Section 6;
(g) Assist the Customer in ensuring compliance with its obligations under Articles 32 through 36 of the GDPR (and equivalent provisions under other applicable Data Protection Laws), including obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of the Processing and the information available to the Company;
(h) At the Customer's choice, delete or return all Customer Personal Data to the Customer upon termination of the Agreement, as described in Section 8;
(i) Make available to the Customer all information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws, and allow for and contribute to audits as described in Section 7.
The Company shall implement and maintain appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, as described in Annex II of this DPA. These measures are designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
The Company shall regularly test, assess, and evaluate the effectiveness of its Technical and Organizational Measures. The Customer acknowledges that security measures are subject to technical progress and development, and the Company may update its measures from time to time, provided that any update does not materially decrease the overall level of protection.
The Customer is responsible for reviewing the Technical and Organizational Measures described in Annex II to determine whether they meet the Customer's security requirements. The Customer is also responsible for implementing its own security measures for systems and credentials under its control, including BYOK API keys, MCP server configurations, and Self-Hosted Deployment infrastructure.
The Customer provides a general written authorization to the Company to engage Sub-Processors to Process Customer Personal Data. The current list of Sub-Processors is set forth in Annex III of this DPA and is also maintained at flowrunner.ai/sub-processors.
The Company shall notify the Customer at least thirty (30) days before engaging any new Sub-Processor or replacing an existing Sub-Processor that Processes Customer Personal Data. Notification shall be provided by email to the address associated with the Customer's Account or by posting an update at flowrunner.ai/sub-processors.
If the Customer objects to a new or replacement Sub-Processor on reasonable data protection grounds, the Customer shall notify the Company in writing within thirty (30) days of receiving the Company's notification. Upon receipt of such objection:
(a) The Company shall use commercially reasonable efforts to make available to the Customer a change in the Service or recommend a commercially reasonable alternative to avoid Processing of Customer Personal Data by the objected-to Sub-Processor;
(b) If the Company is unable to provide such an alternative within thirty (30) days of receiving the Customer's objection, the Customer may terminate the affected portion of the Agreement (or the Agreement in its entirety) by providing written notice to the Company. The Company will refund any prepaid fees covering the remainder of the term following the effective date of termination.
The Company shall:
(a) Enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set forth in this DPA;
(b) Ensure that each Sub-Processor provides sufficient guarantees to implement appropriate Technical and Organizational Measures;
(c) Remain fully liable to the Customer for the performance of each Sub-Processor's obligations.
(a) Where the Customer elects to use third-party AI service providers, communication channels, MCP servers, or other third-party services through bring-your-own-key ("BYOK") functionality or other Customer-configured integrations, such third parties are engaged directly by the Customer and not by the Company.
(b) In such cases, the Company acts solely as a conduit for Customer-directed transmissions and does not independently determine the purposes or means of Processing performed by such third parties. The Customer acknowledges that it enters into a direct relationship with such third parties and is solely responsible for executing any required data processing agreements with them.
(c) To the extent Customer Personal Data is transmitted through Company infrastructure solely for routing purposes to a Customer-designated third party, the Company's Processing is limited to facilitating such transmission in accordance with the Customer's instructions and does not render the third party a Sub-Processor of the Company.
(d) The Customer is responsible for assessing whether such third parties provide adequate data protection safeguards under applicable Data Protection Laws.
The Company shall notify the Customer without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. Notification shall be provided to the Customer's Account administrator email address and, where available, through any dedicated security contact designated by the Customer.
The Company's notification shall include, to the extent reasonably available:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
(b) The name and contact details of the Company's point of contact for further information;
(c) A description of the likely consequences of the Personal Data Breach;
(d) A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
If it is not possible to provide all information simultaneously, the Company may provide it in phases without undue further delay.
The Company shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach. The Company shall also assist the Customer in fulfilling its own breach notification obligations under applicable Data Protection Laws.
The Customer is solely responsible for determining whether a Personal Data Breach triggers notification obligations under applicable Data Protection Laws and for fulfilling those obligations, including notifications to Supervisory Authorities and affected Data Subjects.
Any notifications, communications, or information provided pursuant to this Section 5 are made without prejudice and shall not constitute an admission or acknowledgment of fault or liability. Nothing in this Section shall require the disclosure of information protected by attorney-client privilege, work product doctrine, or other applicable legal protections.
The Company shall, taking into account the nature of the Processing, provide reasonable assistance to the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
If the Company receives a request directly from a Data Subject regarding Customer Personal Data, the Company shall promptly redirect the Data Subject to the Customer and notify the Customer of the request, unless prohibited by law. The Company shall not respond to the Data Subject directly unless instructed to do so by the Customer or required by applicable law.
The Service provides built-in tools that enable the Customer to access, export, correct, and delete Customer Personal Data directly. The Customer should use these self-service tools as the primary means of responding to Data Subject requests. Where the self-service tools are insufficient, the Company shall provide additional assistance upon the Customer's written request, subject to a reasonable fee for extraordinary requests that require significant manual effort.
The Company shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and applicable Data Protection Laws.
The Company shall, upon the Customer's written request and subject to appropriate confidentiality obligations:
(a) Provide summaries or copies of relevant audit reports, certifications, or independent third-party security assessments (such as SOC 2 Type II reports, if and when available) that relate to the Company's Processing of Customer Personal Data;
(b) Provide written responses to reasonable information requests regarding the Company's data protection practices and Technical and Organizational Measures.
If the Customer reasonably determines that the documentation provided under Section 7.1 is insufficient to verify the Company's compliance, the Customer may conduct or commission an independent third-party audit of the Company's Processing activities, subject to the following conditions:
(a) The Customer shall provide at least thirty (30) days' prior written notice of any audit;
(b) Audits shall be conducted during normal business hours, no more than once per twelve-month period, unless a Personal Data Breach or regulatory requirement necessitates an additional audit;
(c) The auditor must execute a confidentiality agreement reasonably acceptable to the Company before commencing the audit;
(d) The audit scope shall be limited to the Company's Processing of Customer Personal Data and shall not extend to data or systems of other customers;
(e) The Customer shall bear the costs of the audit and any third-party auditor engaged by the Customer. The Company shall bear its own internal costs of compliance unless the audit reveals a material breach of this DPA, in which case the Company shall reimburse the Customer for reasonable audit costs directly attributable to such material breach;
(f) The Customer shall provide the Company with a copy of audit findings before disclosing them to any third party (other than the Customer's advisors or a Supervisory Authority as required by law).
The Company shall cooperate with any audit or inspection by a Supervisory Authority to the extent relating to the Company's Processing of Customer Personal Data under this DPA, provided the Supervisory Authority has the legal authority to conduct such audit or inspection.
Upon termination or expiration of the Agreement, the Customer may:
(a) Export Customer Personal Data using the Service's built-in export tools during the thirty (30) day post-termination retention period described in the Agreement;
(b) Request return of Customer Personal Data in a structured, commonly used, machine-readable format by contacting the Company at legal@flowrunner.ai during the thirty-day retention period;
(c) Request deletion of Customer Personal Data by contacting the Company at legal@flowrunner.ai.
If the Customer does not export, request return, or request deletion during the thirty (30) day retention period, the Company shall delete Customer Personal Data from its active systems. Residual copies may persist in encrypted backups for up to ninety (90) days following deletion from active systems, after which they will be permanently purged.
Residual backup copies are not actively processed and are retained solely for disaster recovery and business continuity purposes. Such copies are subject to strict access controls and will be automatically overwritten or securely deleted in accordance with the Company's backup retention schedule.
The Company may retain Customer Personal Data to the extent required by applicable law, and only for the period and purposes required by such law. The Company shall inform the Customer of any such retention requirement (to the extent permitted by law) and shall ensure that the retained data is processed only for the purposes required by law and protected by appropriate Technical and Organizational Measures.
Execution logs and audit trail data are retained in accordance with the retention periods specified in the Customer's Subscription Plan (7 days for Growth, 30 days for Professional, 90 days for Business, and as configured for Enterprise). These retention periods apply regardless of the thirty-day post-termination window for Customer Content. To the extent audit logs contain Customer Personal Data, such logs are retained for security, fraud prevention, and regulatory compliance purposes. Where feasible, the Company shall restrict, redact, or anonymize personal data within logs in response to valid erasure requests, unless retention is required by applicable law or necessary to establish, exercise, or defend legal claims.
The Service is hosted in the United States. Where the Customer is located in the EEA, United Kingdom, or Switzerland, the transfer of Customer Personal Data to the Company in the United States shall be governed by the following mechanisms:
The parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission in Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference and shall apply to transfers of Customer Personal Data from the EEA to the United States. Specifically:
(a) Module Two (Controller to Processor) applies where the Customer is a Controller and the Company is a Processor;
(b) Module Three (Processor to Sub-Processor) applies where the Customer is a Processor and the Company is a Sub-Processor;
(c) The details required under Annex I and Annex II of the SCCs are set forth in Annex I and Annex II of this DPA, respectively;
(d) The optional Clause 7 (Docking Clause) is included to allow additional parties to accede to the SCCs;
(e) For Clause 9 (Use of Sub-Processors), Option 2 (General Written Authorization) is selected, with a notification period of thirty (30) days as described in Section 4.2 of this DPA;
(f) For Clause 11 (Redress), the optional language regarding independent dispute resolution is not included;
(g) For Clause 17 (Governing Law), the SCCs shall be governed by the laws of Ireland or, where required by applicable law, the Member State in which the Customer is established;
(h) For Clause 18 (Choice of Forum and Jurisdiction), disputes shall be resolved before the courts of Ireland.
For transfers of Customer Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018) is incorporated into this DPA by reference and shall apply to such transfers.
For transfers of Customer Personal Data from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including that references to GDPR shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP).
To the extent an alternative lawful transfer mechanism becomes available (such as an adequacy decision covering transfers to the United States, or the Company's self-certification under the EU-US Data Privacy Framework), the parties may rely on such mechanism as an alternative to or in addition to the SCCs. The Company may elect to self-certify under the EU-US Data Privacy Framework or any successor framework. If and when self-certification becomes effective, the Company shall notify the Customer and may rely on such mechanism as a primary lawful transfer mechanism.
The Company shall provide reasonable assistance to the Customer, upon written request, in conducting data protection impact assessments ("DPIAs") and prior consultations with Supervisory Authorities to the extent required under applicable Data Protection Laws, taking into account the nature of the Processing and the information available to the Company.
The Company's assistance under this section shall be limited to providing information about the Company's Processing activities, Technical and Organizational Measures, and Sub-Processors. The Company may charge reasonable fees for assistance beyond what is necessary to fulfill its obligations under Article 28(3)(f) of the GDPR.
To the extent that the Company Processes Customer Personal Data that constitutes "Personal Information" (as defined in the CCPA/CPRA) on behalf of a Customer who is a "Business" (as defined in the CCPA/CPRA), the Company acts as a "Service Provider" (as defined in the CCPA/CPRA) and the following additional provisions apply:
(a) The Company shall not sell or share (as those terms are defined in the CCPA/CPRA) Customer Personal Data;
(b) The Company shall not retain, use, or disclose Customer Personal Data for any purpose other than providing the Service as specified in the Agreement, or as otherwise permitted under the CCPA/CPRA;
(c) The Company shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship between the Company and the Customer;
(d) The Company shall not combine Customer Personal Data with Personal Information received from or on behalf of other persons, or collected from its own interactions with Data Subjects, except as permitted under the CCPA/CPRA;
(e) The Company shall assist the Customer in responding to verifiable consumer requests as described in Section 6 of this DPA;
(f) The Company shall notify the Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA;
(g) The Company grants the Customer the right to take reasonable and appropriate steps to ensure that the Company uses Customer Personal Data in a manner consistent with the Customer's obligations under the CCPA/CPRA;
(h) The Company certifies that it understands and will comply with the restrictions set forth in this Section 11;
(i) The Company shall permit the Customer to take reasonable and appropriate steps to monitor the Company's compliance with this Section 11, consistent with Section 7 (Audit Rights) of this DPA.
Where the Customer has executed a Business Associate Agreement ("BAA") with the Company under the Health Insurance Portability and Accountability Act ("HIPAA"):
(a) The BAA shall govern the Processing of Protected Health Information ("PHI") as defined under HIPAA;
(b) This DPA shall govern the Processing of Customer Personal Data that does not constitute PHI and is subject to Data Protection Laws;
(c) Where Customer Personal Data constitutes both PHI and Personal Data subject to Data Protection Laws (e.g., GDPR), both the BAA and this DPA shall apply, with the more protective substantive data protection provision prevailing in the event of a conflict; provided, however, that breach notification timelines for Protected Health Information shall be governed by the applicable Business Associate Agreement to the extent required by HIPAA, and nothing herein shall limit obligations under applicable non-HIPAA Data Protection Laws;
(d) The execution of this DPA does not satisfy the Customer's obligation to execute a BAA prior to Processing PHI through the Service. A separate BAA is required as described in the Agreement and Privacy Policy.
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to the Company's obligations regarding data return and deletion under Section 8, which shall survive termination.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing and protection of Customer Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except that the limitations of liability shall not apply to the extent prohibited by applicable Data Protection Laws. Nothing in this DPA shall exclude or limit liability where such exclusion or limitation is prohibited by applicable Data Protection Laws, including Article 82 of the GDPR.
Except as otherwise specified in the SCCs (which are governed by the law of Ireland or, where applicable, the Member State in which the Customer is established), this DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement (State of Texas).
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The parties shall negotiate in good faith to replace the invalid provision with a valid provision that achieves the same or substantially similar purpose.
This DPA may be amended only in accordance with the modification procedures set forth in the Agreement. The Company may update Annex II (Technical and Organizational Measures) and Annex III (Sub-Processors) in accordance with Sections 3 and 4 of this DPA, respectively.
Questions regarding this DPA should be directed to:
Midnight Coders, Inc.
Attn: Legal / Data Protection
539 W. Commerce St, Suite 2023
Dallas, TX 75208
Email: legal@flowrunner.ai
Data Exporter (Controller): The Customer as identified in the Agreement.
Data Importer (Processor): Midnight Coders, Inc., 539 W. Commerce St, Suite 2023, Dallas, TX 75208, USA. Contact: legal@flowrunner.ai.
Subject matter: Processing of Customer Personal Data through the FlowRunner workflow automation and AI agent orchestration platform.
Duration: For the term of the Agreement, plus post-termination retention periods as described in Section 8 of this DPA.
Nature and purpose: Automated workflow execution, AI agent orchestration, Human-in-Loop communication facilitation, data transformation, integration with Customer-designated third-party services, execution logging, and audit trail generation — all as instructed by the Customer through Workflow configuration.
Types of Personal Data: Determined by the Customer based on Workflow configuration. May include: names, email addresses, phone numbers, postal addresses, IP addresses, employee identifiers, customer/patient identifiers, financial account references, health-related data (if BAA is in place), and any other personal data the Customer transmits through Workflows.
Categories of Data Subjects: Determined by the Customer. May include: Customer's employees, customers, patients (if BAA in place), vendors, contractors, business contacts, and any other individuals whose data is processed through Customer's Workflows.
Sensitive data (if applicable): The Customer may process special categories of data (health data, financial data) if appropriate agreements (BAA, etc.) and Subscription Plan features (audit trails, RBAC) are in place. The Company does not determine whether sensitive data is processed — the Customer does.
The competent Supervisory Authority shall be determined in accordance with Clause 13 of the SCCs. Where the Customer is established in the EEA, the Supervisory Authority of the Customer's Member State of establishment shall be the competent authority.
The Company implements and maintains the following Technical and Organizational Measures to protect Customer Personal Data:
(a) Encryption in transit: All data transmitted between the Customer and the Service is encrypted using TLS 1.2 or higher.
(b) Encryption at rest: Customer Personal Data is encrypted at rest using AES-256 or equivalent encryption.
(c) API key encryption: BYOK API keys provided by the Customer are encrypted at rest and are not accessible to Company personnel in plaintext.
(a) Authentication: Multi-factor authentication (MFA) is required for all Company personnel accessing systems that store or process Customer Personal Data.
(b) Authorization: Access to Customer Personal Data is restricted to authorized personnel on a need-to-know basis, using role-based access controls.
(c) Customer RBAC: The Service provides role-based access control features (available on Professional, Business, and Enterprise Subscription Plans) enabling Customers to control which Authorized Users can create, edit, view, or execute Workflows.
(d) SSO/SAML: The Service supports single sign-on authentication via SAML 2.0 (available on Business and Enterprise Subscription Plans) for centralized Customer access management.
(a) Hosting: Cloud Deployment infrastructure is hosted by DigitalOcean in SOC 2-audited data centers.
(b) Network security: Firewalls, intrusion detection systems, and network segmentation are used to protect against unauthorized access.
(c) Patching: Security patches are applied to production systems on a regular schedule, with critical patches applied promptly upon release.
(d) SOC 2 certification: The Company is pursuing SOC 2 Type II certification and will update Customers upon completion.
(a) Customer data is logically segregated to prevent unauthorized cross-customer access.
(b) Each Customer's Workflows, configurations, and execution data are accessible only through that Customer's authenticated Account.
(a) Security monitoring: Continuous monitoring of infrastructure and application logs for anomalous activity and potential security incidents.
(b) Audit logging: The Service maintains audit trails of administrative actions and Workflow executions (retention periods vary by Subscription Plan).
(c) Incident response: Documented incident response procedures are maintained and tested.
(a) Confidentiality: All Company employees and contractors with access to Customer Personal Data are bound by confidentiality obligations.
(b) Training: Personnel with access to Customer Personal Data receive data protection and security awareness training.
(c) Background checks: Background checks are conducted for personnel in roles with access to Customer Personal Data, to the extent permitted by applicable law.
(a) Backups: Customer Personal Data is backed up regularly. Backups are encrypted and stored in geographically separate locations.
(b) Recovery: Disaster recovery procedures are documented and tested to ensure the availability of Customer Personal Data.
(a) Sub-Processors are evaluated for security practices before engagement.
(b) Sub-Processor agreements include data protection obligations no less protective than those in this DPA.
As of the effective date of this DPA, the Company engages the following Sub-Processors to Process Customer Personal Data:
DigitalOcean, Inc. - Cloud infrastructure hosting and compute. Location: United States. Data processed: All Customer Personal Data stored in the Service (encrypted at rest).
Stripe, Inc. - Payment processing. Location: United States. Data processed: Transaction confirmations, Stripe customer identifiers (no payment card data stored by Company).
MailerSend - Transactional email delivery. Location: [Location]. Data processed: Email addresses, notification content.
Alphabet - Website analytics (marketing site only). Location: [Location]. Data processed: Device/access info, anonymized usage patterns (no Customer Personal Data).
The current list is also maintained at flowrunner.ai/sub-processors.
The Customer acknowledges that third-party AI service providers accessed through the Customer's BYOK API keys and Customer-registered MCP servers are not Sub-Processors of the Company, as described in Section 4.5 of this DPA.