Data Processing Agreement (DPA)

Last updated: January 2026

1. Scope and Applicability

This Data Processing Agreement (DPA) applies to the processing of personal data by DocFlow on behalf of the customer (Organization) as a Data Processor, in the course of providing services under our Terms of Service.

2. Roles and Responsibilities

The Customer acts as the Data Controller, and DocFlow acts as the Data Processor. DocFlow will process personal data only in accordance with the Customer's documented instructions and for the purposes outlined in this DPA.

3. Technical and Organizational Measures

DocFlow has implemented and will maintain appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage.

4. Sub-processors

Customer consents to DocFlow engaging sub-processors to perform services on its behalf. We maintain an up-to-date list of sub-processors (including Clerk, Supabase, and Razorpay) and ensure they are bound by data protection obligations equivalent to those in this DPA.

5. Data Subject Rights & Audits

We will assist the Customer in responding to data subject access requests (DSARs) or regulatory compliance audits concerning the processing of personal data under this agreement.