Legal Document

Data Processing Agreement (DPA)

Pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) 2016/679

Version 1.0 | Effective: 1 January 2026 | GDPR Art. 28 Compliant

1. Parties to this Agreement

Data Controller ("Customer")

The legal entity or individual that has entered into a subscription agreement with FlowCRM and uses the Service to process personal data of its own contacts, leads, and customers.

Referred to herein as: "Controller" or "Customer"

Data Processor ("FlowCRM")

ConsulenteCrediti Srl

P.IVA IT06139990870

Via Ravanzusa N. 13, 95030 Tremestieri Etneo (CT), Italy

PEC: [email protected]

Referred to herein as: "Processor" or "FlowCRM"

2. Subject Matter and Duration

2.1 Subject Matter. This DPA governs the processing of personal data by FlowCRM on behalf of the Customer in connection with the provision of the FlowCRM platform services, including email marketing, WhatsApp messaging automation, contact management, and related analytics features.

2.2 Duration. This DPA is effective for the duration of the Customer's active subscription to FlowCRM services and shall automatically terminate upon expiration or termination of the underlying service agreement, subject to the data retention obligations set forth in Section 7.

3. Nature, Purpose, and Categories of Processing

3.1 Nature of Processing

Collection, storage, organisation, structuring, retrieval, use, disclosure by transmission, and deletion of personal data through the FlowCRM platform infrastructure.

3.2 Purpose of Processing

To provide the Customer with email marketing campaign management, WhatsApp messaging automation, contact relationship management (CRM), marketing analytics, and automated workflow execution as described in the FlowCRM Terms of Service.

3.3 Categories of Data Subjects

  • The Customer's end-users, subscribers, and newsletter recipients
  • The Customer's leads and prospective clients
  • The Customer's existing clients and contacts

3.4 Categories of Personal Data

  • Identification data: full name, email address, phone number (including WhatsApp number)
  • Behavioural data: email open rates, click-through data, message delivery status
  • Technical data: IP addresses, device identifiers, browser type (for analytics)
  • Custom fields: any additional data fields created by the Customer within the platform

4. Obligations of the Processor (FlowCRM)

FlowCRM undertakes to:

  1. Process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation (Art. 28(3)(a) GDPR).
  2. Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
  3. Implement all measures required pursuant to Article 32 GDPR (security of processing), including encryption of data at rest and in transit, access controls, and regular security assessments.
  4. Respect the conditions referred to in paragraphs 2 and 4 of Article 28 GDPR for engaging another processor (sub-processor).
  5. Assist the Customer in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to FlowCRM.
  6. At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage.
  7. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits.
  8. Notify the Customer without undue delay (within 72 hours) after becoming aware of a personal data breach affecting Customer data.

5. Sub-Processors

The Customer grants FlowCRM general authorisation to engage sub-processors. FlowCRM shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.

Sub-Processor               | Purpose                          | Location      | Safeguard
----------------------------|----------------------------------|---------------|------------------
Amazon Web Services (SES)   | Email delivery infrastructure    | EU / USA      | SCCs + AWS DPA
Meta Platforms Ireland Ltd. | WhatsApp Business API messaging  | Ireland (EU)  | GDPR compliant
Stripe Inc.                 | Payment processing & billing     | USA           | SCCs + Stripe DPA
IONOS SE                    | Cloud hosting & infrastructure   | Germany (EU)  | GDPR compliant

6. Technical and Organisational Security Measures (Art. 32 GDPR)

Encryption

All data encrypted at rest (AES-256) and in transit (TLS 1.3). Database connections use SSL.

Access Control

Role-based access control (RBAC). Multi-factor authentication for admin accounts. Principle of least privilege.

Data Isolation

Strict multi-tenant architecture. Each Customer's data is logically isolated at the database level.

Audit Logging

All data access and modifications are logged with timestamps and user identifiers.

Backup & Recovery

Daily automated backups with 30-day retention. Recovery time objective (RTO): 4 hours.

Incident Response

Documented breach response procedure. Customer notification within 72 hours of discovery.

7. Data Retention and Deletion

7.1 Upon termination of the service agreement, FlowCRM will retain Customer data for a period of 30 days to allow the Customer to export their data.

7.2 After the 30-day retention period, all Customer personal data will be permanently and irreversibly deleted from FlowCRM's production systems and backups within 90 days.

7.3 The Customer may request immediate deletion of all data at any time by contacting [email protected]. FlowCRM will confirm deletion within 30 days.

8. Assistance with Data Subject Rights

FlowCRM shall assist the Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / 'right to be forgotten' (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)

The Customer remains responsible for responding to data subject requests. FlowCRM will provide the Customer with the technical means to fulfil such requests within the platform (e.g., contact deletion, data export).

DPA Inquiries & Data Protection Contact

For questions regarding this DPA, data protection matters, or to exercise your rights as a data subject, contact:

ConsulenteCrediti Srl

Via Ravanzusa N. 13, 95030 Tremestieri Etneo (CT), Italy

Email: [email protected]

PEC: [email protected]