Data Processing Agreement (DPA)
Last updated: January 2026
1. Scope and Applicability
This Data Processing Agreement (DPA) applies to the processing of personal data by DocFlow on behalf of the customer (Organization) as a Data Processor, in the course of providing services under our Terms of Service.
2. Roles and Responsibilities
The Customer acts as the Data Controller, and DocFlow acts as the Data Processor. DocFlow will process personal data only in accordance with the Customer's documented instructions and for the purposes outlined in this DPA.
3. Technical and Organizational Measures
DocFlow has implemented and will maintain appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage.
4. Sub-processors
Customer consents to DocFlow engaging sub-processors to perform services on its behalf. We maintain an up-to-date list of sub-processors (including Clerk, Supabase, and Razorpay) and ensure they are bound by data protection obligations equivalent to those in this DPA.
5. Data Subject Rights & Audits
We will assist the Customer in responding to data subject access requests (DSARs) or regulatory compliance audits concerning the processing of personal data under this agreement.