1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Customer"): The organization subscribing to the Service.
- Data Processor ("Processor"): Flowstate Industrial LLC, operating the Flowstate Industrial platform ("Service").
This DPA supplements and forms part of the Terms of Service and Privacy Policy.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Customer through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Customer.
- "Data Protection Laws" means the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), applicable US state privacy laws, and any other data protection legislation that applies to the Processing.
3. Scope and Purpose of Processing
3.1 Categories of Data Subjects
- Customer employees and authorized users
- Customer's end users (if applicable)
3.2 Types of Personal Data
- Account data: names, email addresses, job titles
- Usage data: login activity, feature usage, session data
- Support data: chat transcripts, support tickets
- Device data: equipment identifiers, sensor readings, operational metrics (typically non-personal)
3.3 Purpose
Personal Data is processed solely to provide, maintain, and improve the Service as described in the Terms of Service, including:
- User authentication and access control
- IIoT device monitoring and alerting
- AI-assisted support and recommendations
- Billing and subscription management
- Email and SMS notifications
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Customer, unless required by law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 6).
- Engage Sub-processors only under the Customer's written authorization, which the Customer grants for the Sub-processors listed in Section 5.1 and which is subject to the notification and objection procedure in Section 5.2 for any addition or replacement.
- Assist the Customer in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection).
- Assist the Customer in ensuring compliance with obligations related to data protection impact assessments and prior consultation with supervisory authorities.
- At the Customer's choice, delete or return all Personal Data upon termination of the Service, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow audits (with reasonable notice).
5. Sub-processors
5.1 Authorized Sub-processors
The Customer authorizes the use of the following Sub-processors as of the effective date:
| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication & user management | USA |
| Convex | Real-time database & backend | USA |
| Stripe | Payment processing | USA |
| Vercel | Application hosting & CDN | Global (edge) |
| Resend | Transactional email delivery | USA |
| Twilio | SMS notifications | USA |
| HiveMQ Cloud | MQTT message broker | USA/EU |
| InfluxDB Cloud | Time-series data storage | USA |
| Grafana Cloud | Data visualization | USA |
| Anthropic | AI support assistant | USA |
5.2 Changes to Sub-processors
The Processor will notify the Customer at least 30 days before adding or replacing a Sub-processor. The Customer may object in writing within 14 days. If the objection cannot be reasonably resolved, the Customer may terminate the affected Service.
6. Security Measures
The Processor implements the following technical and organizational measures:
6.1 Technical Measures
- TLS 1.3 encryption for all data in transit
- Encryption at rest for stored data (AES-256 via cloud providers)
- Role-based access control with organization-level tenant isolation
- Input validation and rate limiting on all public-facing endpoints
- Automated security scanning of dependencies
6.2 Organizational Measures
- Access to production systems limited to authorized personnel
- Secrets management via 1Password (never stored in code)
- Audit logging of administrative actions
- Regular review of access permissions
7. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach.
- Provide sufficient detail to enable the Customer to fulfill its own breach reporting obligations, including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate.
- Cooperate with the Customer in investigating and remediating the breach.
- Document the breach, its effects, and remedial actions taken.
8. Data Subject Rights
The Processor shall assist the Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including:
- Access: Providing copies of Personal Data processed.
- Rectification: Correcting inaccurate Personal Data.
- Erasure: Deleting Personal Data when requested and legally permissible.
- Portability: Exporting Personal Data in a structured, machine-readable format.
- Restriction: Limiting processing when requested.
- Objection: Ceasing processing for specific purposes.
The Processor will respond to Customer requests regarding data subject rights within 10 business days.
9. International Data Transfers
Personal Data may be transferred to and processed in the United States and in the other locations listed for each Sub-processor in Section 5.1. For transfers from the EU/EEA, the Processor relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- The EU-U.S. Data Privacy Framework, where applicable.
- Adequacy decisions by the European Commission for relevant jurisdictions.
The Processor ensures that all Sub-processors provide equivalent data protection safeguards for international transfers.
10. Data Retention and Deletion
Personal Data is retained only for the duration of the Service agreement plus any legally required retention period. Upon termination:
- The Customer may request export of all their data within 30 days of termination.
- After the 30-day export window closes, the Processor will delete all Customer Personal Data within a further 60 days, except where retention is required by law.
- The Processor will provide written confirmation of deletion upon request.
Data retention periods by tier are described in the Terms of Service.
11. Audits
The Customer may audit the Processor's compliance with this DPA, subject to:
- Reasonable prior written notice (minimum 30 days).
- Audits conducted during normal business hours.
- The Customer bearing its own audit costs.
- Confidentiality obligations regarding any information obtained during the audit.
The Processor may satisfy audit requests by providing relevant compliance certifications or reports from independent auditors.
12. Term and Termination
This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Customer. It terminates automatically when the Service agreement ends and all Personal Data has been deleted or returned.
13. Contact
For questions about this DPA or to exercise rights under it:
14. Governing Law
This DPA is governed by the laws of the State of Ohio, United States, without regard to conflict of law principles. For EU/EEA data subjects, the provisions of GDPR shall prevail to the extent of any conflict with this DPA.