Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service of Product Flow and governs the processing of personal data by the Provider on behalf of the Customer in accordance with Article 28 GDPR.

  1. Parties

1.1 Data Controller

The Customer as defined in the Terms of Service.

1.2 Data Processor

Yevgen Yeshchenko
Founder – SaaS Product Flow
Im Egerten 7/1
74391 Erligheim
Germany
Email: [email protected]

  2. Subject Matter and Duration of Processing

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Product Flow software-as-a-service platform.

The processing is carried out for the duration of the contractual relationship and any statutory retention periods.

  3. Nature and Purpose of Processing

The processing of personal data includes, in particular:

  • hosting and technical operation of the Service,
  • user and access management,
  • storage of customer-provided business data,
  • error analysis, debugging, and system monitoring,
  • ensuring security, availability, and stability of the Service,
  • further development of the Service within an Early-Access / Beta environment.

  4. Categories of Data and Data Subjects

4.1 Categories of Personal Data

  • business contact data,
  • user account and authentication data,
  • contractual and billing metadata,
  • usage, log, and technical system data.

4.2 Categories of Data Subjects

  • employees, representatives, and agents of the Customer,
  • authorized users of the Service.

  5. Obligations of the Processor

The Processor undertakes to:

  • process personal data only on documented instructions of the Controller,
  • ensure confidentiality of all persons authorized to process personal data,
  • implement appropriate technical and organizational measures pursuant to Art. 32 GDPR,
  • assist the Controller in responding to data subject requests to the extent legally required,
  • notify the Controller without undue delay in the event of a personal data breach,
  • ensure compliance with this DPA when engaging sub-processors.

  6. Technical and Organizational Measures (TOMs)

The Processor implements reasonable technical and organizational measures, including but not limited to:

  • access control and authentication mechanisms,
  • role-based authorization and least-privilege access,
  • logical separation of customer data,
  • encrypted communication channels,
  • monitoring and logging for security purposes.

The Controller acknowledges that the Service is provided as an Early-Access / Beta offering and that TOMs may evolve accordingly.

  7. Sub-Processors

7.1 Authorized Sub-Processors

The Controller grants general authorization for the engagement of sub-processors necessary for the operation of the Service, including in particular:

  • Supabase (database services, authentication, backend infrastructure),
  • Vercel (hosting, deployment, and content delivery),
  • Stripe (payment processing – acting as an independent data controller where applicable).

7.2 Changes to Sub-Processors

The Processor reserves the right to engage additional or alternative sub-processors.

Where required by law, the Controller will be informed of material changes.

  8. International Data Transfers

Where personal data is transferred to countries outside the EU/EEA, such transfers are carried out in accordance with Art. 44 et seq. GDPR, in particular through the use of Standard Contractual Clauses (SCCs) or other appropriate safeguards.

  9. Assistance and Cooperation

Taking into account the nature of the processing, the Processor assists the Controller in fulfilling its obligations under the GDPR to a reasonable and legally required extent.

  10. Deletion or Return of Data

Upon termination of the contractual relationship, the Processor may delete personal data unless statutory retention obligations apply.

The Controller is solely responsible for exporting or securing its data prior to termination.

  11. Audits and Compliance

The Controller may request information reasonably necessary to demonstrate compliance with this DPA.

On-site audits are excluded unless mandatory law requires otherwise.

  12. Liability

Liability under this DPA is governed exclusively by the limitation of liability provisions set forth in the Terms of Service.

  13. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany.

In case of conflict, the Terms of Service prevail.