Legal

Data processing agreement (DPA)

Last updated: June 10, 2026

1. Scope

This Agreement (the "DPA") governs the processing of personal data carried out by the Provider on behalf of the Customer to deliver the Service, in compliance with applicable data protection regulations (GDPR, LGPD, LFPDPPP, among others).

2. Roles

The Customer acts as the data controller for the personal data uploaded to the Service. The Provider acts as the data processor and processes data only following the Customer's instructions, set out in the Terms and this DPA.

3. Nature and purpose of processing

  • Nature: storage, organization, consultation, modification and deletion of Customer Data.
  • Purpose: deliver the Service described in the Terms.
  • Duration: the term of the contract plus 30 additional days for export.

4. Categories of data and data subjects

The specific categories depend on what the Customer decides to upload to the Service. They may include identification data, contact data, transactional data, business identifiers and, optionally, special categories if the Customer decides to process them (in which case the Customer must have its own legal basis).

5. Provider obligations

  1. Process data only on documented instructions from the Customer (including the Terms and this DPA).
  2. Ensure that personnel authorized to access the data are bound by confidentiality.
  3. Apply appropriate technical and organizational measures as described at /en/security.
  4. Assist the Customer in responding to data subject requests and meeting security, breach notification and impact assessment obligations.
  5. Delete or return Customer Data at the end of the contract.
  6. Make available to the Customer the information needed to demonstrate compliance with this DPA.

6. Subprocessors

The Customer authorizes the Provider to use the subprocessors listed in the Privacy Policy. The Provider will give reasonable prior notice before adding a new subprocessor and will allow the Customer to object on reasonable grounds.

7. Breach notification

The Provider will notify the Customer without undue delay after becoming aware of a security breach affecting Customer Data, providing the information reasonably needed for the Customer to comply with notification obligations to authority and, where applicable, data subjects.

8. Return and deletion

At the end of the contract, the Customer can export data for 30 days. After that period, the Provider will delete Customer Data from its active systems, except where retention is required by law.

9. Audit

Once per year and with reasonable notice, the Customer can request documented evidence of compliance with this DPA (security reports, certifications, audit logs). On-site audits require prior agreement.

10. Term

This DPA enters into force when the Terms are accepted and remains in force while the Provider processes Customer Data. In case of conflict between this DPA and the Terms, this DPA prevails on data protection matters.

Legal questions? Email us at hola@rnflows.com.

Start building today

Create your workspace in minutes. No credit card, nothing to install.