Data Processing Agreement

This Data Processing Agreement governs how FlowPilot Studio processes personal data on behalf of customers, in compliance with GDPR and applicable data protection laws.

Version 1.1 — Last updated: February 24, 2026

Prior versions of this document are available upon request at support@flowpilot.studio.

1. Definitions
Key terms used in this agreement.
“Agreement”
This Data Processing Agreement, including all annexes and schedules attached hereto.
“Controller”
The Customer, as the entity that determines the purposes and means of Processing Personal Data through use of the Service.
“Processor”
Zen Coders, S.C. (RFC: ZCO180607U55), a company registered in Mexico, operating FlowPilot Studio.
“Data Protection Laws”
All applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and any implementing or supplementary legislation.
“Personal Data”
Any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller through the Service.
“Processing”
Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
“Service”
The FlowPilot Studio SaaS application and related services provided by the Processor to the Controller.
“Subprocessor”
A third party engaged by the Processor to Process Personal Data on behalf of the Controller.
“Data Subject”
An identified or identifiable natural person whose Personal Data is Processed.
2. Scope & Purpose
What this agreement covers.

This Agreement applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Service. The Processor shall Process Personal Data only to the extent necessary to provide the Service and as instructed by the Controller.

Purpose of Processing

  • Providing AI-powered data visualization from Flow Production Tracking (FPT) databases
  • User authentication and account management
  • Processing natural language queries via AI models
  • Executing automations and webhook-based workflows
  • Payment processing and subscription management

Nature of Processing

  • Collection and storage of account data and encrypted FPT credentials
  • Transient processing of FPT production data (not stored)
  • AI query interpretation using schema metadata only
  • Transmission of billing data to payment processor
  • Webhook event processing for automations
3. Processing Details
Categories of data and data subjects.

Categories of Data Subjects

  • Controller’s employees and contractors who use the Service
  • Individuals whose data is referenced in the Controller’s FPT instance (e.g., artist names, task assignees)

Categories of Personal Data

  • Account data: name, email address, organization name
  • FPT credentials: session tokens and script API keys (encrypted AES-256-GCM)
  • FPT metadata: project names, entity types, field definitions
  • AI interaction logs: natural language queries and AI responses
  • Billing data: name, email, payment method tokens (via Stripe)
  • Usage data: IP address, browser type, timestamps
  • Security event logs: IP addresses, user agent strings, user/org UUIDs, event types, timestamps — retained up to 455 days

Sensitive Data

The Processor does not intentionally Process special categories of Personal Data (e.g., racial or ethnic origin, health data, biometric data). The Controller should not submit such data through the Service.

FPT Production Data

FPT production data (the actual content of your FPT database) is processed transiently in memory to generate visualizations and is never stored by the Processor. This data is pulled in real-time from the Controller’s FPT instance and discarded immediately after rendering.

4. Processor Obligations
The Processor’s commitments under this agreement.

The Processor shall comply with the following obligations with respect to all Personal Data Processed on behalf of the Controller:

4.1 Lawful Processing

Process Personal Data only on documented instructions from the Controller, including with respect to transfers to third countries, unless required by applicable law. The Processor shall promptly inform the Controller if it becomes aware that an instruction infringes Data Protection Laws.

4.2 Confidentiality

Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 8.

4.4 Data Breach Notification

Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories of data affected, approximate number of Data Subjects concerned, likely consequences, and measures taken or proposed to address the breach.

4.5 Assistance

Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of Processing and information available to the Processor.

4.6 Deletion and Return

At the Controller’s choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless retention is required by applicable law.

5. Subprocessor Management
How we manage third-party data processors.

The Controller provides general authorization for the Processor to engage Subprocessors. The current list of Subprocessors is maintained on the Subprocessors page. The Processor shall:

Current Subprocessors

  • Supabase — Database & authentication (US East, Virginia)
  • Anthropic — AI language model (US)
  • Stripe — Payment processing (US)
  • AWS — Webhook workers (US East, us-east-1)
  • Vercel — Application hosting (US East, iad1)

Subprocessor Obligations

  • Provide at least 30 days’ notice before adding new Subprocessors or making material changes
  • Impose contractual obligations on each Subprocessor no less protective than those in this Agreement
  • Remain fully liable for the acts and omissions of its Subprocessors
  • Provide the Controller with the opportunity to object to new Subprocessors within the notice period. If the Controller’s objection cannot be reasonably accommodated, the Controller may terminate the Service without penalty upon written notice.
For detailed information about each Subprocessor, including what data they receive, their data regions, certifications, and retention policies, see the Subprocessors page.
6. Data Subject Rights
How we support the exercise of individual rights.

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:

Supported Rights

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of Processing
  • Right to data portability
  • Right to object to Processing

Response Process

  • The Processor shall promptly notify the Controller of any Data Subject request received directly
  • The Processor shall assist the Controller with technical measures to fulfill requests
  • Account deletion requests can be submitted to support@flowpilot.studio
  • Deletion is performed via cascade delete, removing all associated data immediately
7. International Transfers
How data is transferred across borders.

All infrastructure is hosted in the United States. Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, the following safeguards apply:

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • Subprocessor compliance mechanisms, including EU-US Data Privacy Framework certifications where available
  • Additional safeguards where required by the data exporting country’s laws

Data Locations

  • Primary database: US East (Virginia) via Supabase
  • Application hosting: US East (iad1) via Vercel
  • Webhook workers: US East (us-east-1) via AWS
  • AI processing: US via Anthropic
  • Payment processing: US via Stripe
[Forthcoming] Standard Contractual Clauses (Module 2: Controller-to-Processor) will be attached as an annex to this Agreement.
[Forthcoming] A Transfer Impact Assessment is available upon request.
8. Security Measures
Technical and organizational measures to protect data.

The Processor implements and maintains the following technical and organizational security measures. For a comprehensive overview, see the Security page.

Encryption

  • AES-256-GCM encryption at rest for stored credentials (session tokens, script API keys), with 256-bit keys and random 16-byte IV per operation
  • Encryption keys stored separately from the database in the hosting provider’s encrypted environment configuration
  • TLS 1.2+ encryption for all data in transit

Access Control

  • Row-Level Security (RLS) enforcing strict organization isolation at the database level
  • Multi-factor authentication on all infrastructure provider accounts
  • HTTP-only, SameSite, Secure session cookies
  • Application-level rate limiting on sensitive endpoints (AI and authentication), with per-user and per-IP sliding window limits

Infrastructure Compliance

  • All Subprocessors are independently SOC 2 Type II audited
  • Stripe is PCI DSS Level 1 certified
  • AWS is ISO 27001 certified
  • Regular security review of infrastructure and access controls

Data Minimization

  • FPT production data processed transiently, never stored
  • AI model receives schema metadata only, never production data or credentials
  • Payment card data handled entirely by Stripe, never touches FlowPilot servers
  • FPT permissions model fully respected for all data access
9. Audit Rights
The Controller’s right to verify compliance.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and Data Protection Laws, and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.

Audit Process

  • The Controller may request an audit with at least 30 days’ written notice
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s operations
  • The Processor may satisfy audit requests by providing relevant SOC 2 Type II reports from its infrastructure providers
  • Audit frequency is limited to once per twelve-month period, unless required by a supervisory authority or following a data breach

Available Documentation

[Forthcoming] A designated privacy contact will be named in a future update to this Agreement.
10. Term & Termination
Duration of the agreement and data handling upon termination.

This Agreement shall remain in effect for the duration of the Controller’s use of the Service, and shall automatically terminate upon termination of the underlying service agreement.

Data Retention After Termination

  • Account data: permanently deleted upon account deletion request via cascade delete
  • FPT credentials: deleted immediately upon disconnection
  • AI interaction logs: automatically deleted after 90 days
  • Live data access logs: 7 days detailed, summary statistics retained indefinitely
  • Payment records: retained by Stripe per financial regulations

Survival

  • Obligations regarding confidentiality, data deletion, and audit rights shall survive termination of this Agreement
  • The Controller may request immediate deletion of all data at any time by contacting support@flowpilot.studio
  • The Processor shall confirm deletion in writing within 30 days of the request
11. Governing Law
Applicable law and dispute resolution.

This Agreement shall be governed by and construed in accordance with the laws of Mexico, without regard to its conflict of law provisions. For Controllers in the EU/EEA, the provisions of the GDPR shall apply to the extent they override local law.

Dispute Resolution

Any disputes arising under this Agreement shall first be attempted to be resolved through good-faith negotiation. If unresolved within 30 days, the dispute shall be submitted to the competent courts of Mexico City, Mexico, unless the Controller is entitled to bring proceedings in their local jurisdiction under Data Protection Laws.

Incorporation

[Forthcoming] This Agreement will be incorporated by reference into the Terms of Service.

Severability

If any provision of this Agreement is found to be unenforceable, the remaining provisions shall continue in full force and effect. The unenforceable provision shall be modified to the minimum extent necessary to make it enforceable while preserving its intent.

Questions?
We’re here to help.

If you have questions about this Data Processing Agreement or need a customized version for your organization, please reach out to us at support@flowpilot.studio.

Custom DPAs

If your organization requires modifications to this standard DPA, we are happy to work with your legal team to accommodate specific requirements. Please contact us at the email above.

Related Documents

This DPA should be read in conjunction with our other legal and security documentation for a complete picture of our data practices.

See also our Privacy Policy, Terms of Service, Subprocessors, and Security pages.