
Data Processing Agreement

Our DPA, ready to complete, sign and return — an English convenience translation of our German AV-Vertrag.

Important: This English text is a non-binding convenience translation. The German version (AV-Vertrag) is the legally binding contract; in case of any conflict, the German version prevails. How it works: complete the marked Customer fields, print or save as PDF, sign, and send to hello@flowsentric.com. We counter-sign and return the full copy.

between
 Customer name / company 
 Street, postcode, city 
— hereinafter the "Customer" (controller within the meaning of Art. 4(7) GDPR) —

and
FlowSentric, Reclamstr. 2, 22111 Hamburg, Germany
— hereinafter the "Processor" (processor within the meaning of Art. 4(8) GDPR) —

Recital

The Processor provides services to the Customer under the FlowSentric AI workspace platform (the "Main Agreement"). In providing those services, the Processor processes personal data on behalf of the Customer. This agreement sets out the data-protection obligations of the parties under Art. 28 GDPR. In data-protection matters it prevails over conflicting terms of the Main Agreement.

§ 1 Subject matter and duration

The subject matter is the processing of personal data by the Processor to provide the FlowSentric platform (incl. chat with AI models, autonomous agents, workflow automation, knowledge base/RAG, file processing, image/video generation, embedded widgets). The term matches that of the Main Agreement and ends when it ends.

§ 2 Nature, scope and purpose of processing

(1) Nature and purpose

Processing takes place solely to provide the platform as agreed and in accordance with the Customer's documented instructions. The Processor does not process the data for its own purposes — in particular not to train AI models.

(2) Types of personal data

  • Master and contact data (name, email, phone where applicable, company)
  • Usage and content data (conversations, uploaded documents/files, agent and workflow configurations)
  • Technical data (IP address, timestamps, browser/user-agent)
  • Any further data contained in content the Customer submits

The Customer decides what data it submits to the platform. Special categories of personal data (Art. 9 GDPR) are not a standard subject; where the Customer submits such data, the Customer is responsible for the required legal basis.

(3) Categories of data subjects

  • The Customer's staff and users
  • The Customer's customers, prospects and business partners
  • End users of widgets/agents the Customer embeds

§ 3 Obligations of the Processor

  1. Bound by instructions: the Processor processes data only on the Customer's documented instructions (Art. 28(3)(a) GDPR), unless required to process by law. If it considers an instruction unlawful, it informs the Customer without delay.
  2. Confidentiality: the Processor commits persons involved in processing to confidentiality (Art. 28(3)(b), Art. 29, 32(4) GDPR).
  3. Data security: it implements the technical and organisational measures required by Art. 32 GDPR (see Annex 1).
  4. Assistance: it assists the Customer, as far as possible, in fulfilling data-subject rights (§ 6) and the obligations under Art. 32–36 GDPR (security, breach notification, data protection impact assessment).
  5. Contact for data protection: hello@flowsentric.com.

§ 4 Technical and organisational measures (TOMs)

The Processor guarantees the technical and organisational measures described in Annex 1 under Art. 32 GDPR. Measures may be adapted to the state of the art over time but must not fall below the agreed level of protection. A current overview is published at flowsentric.com/security.

§ 5 Sub-processors

The Customer consents to the use of the sub-processors listed in Annex 2 (general written authorisation, Art. 28(2) GDPR). The current list is maintained at flowsentric.com/subprocessors. The Processor notifies the Customer of intended changes at least 14 days in advance; the Customer may object on important data-protection grounds. The Processor binds each sub-processor to equivalent data-protection obligations.

§ 6 Rights of data subjects

The Processor assists the Customer with appropriate technical and organisational measures in responding to data-subject requests for access, rectification, erasure, restriction, portability and objection (Art. 15–22 GDPR). If a data subject contacts the Processor directly, the Processor forwards the request to the Customer without delay.

§ 7 Customer's audit rights

The Processor makes available all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits (Art. 28(3)(h) GDPR). Evidence may be provided via current attestations, certificates or reports. On-site inspections are possible with reasonable notice and without disrupting operations.

§ 8 Notification of personal data breaches

The Processor notifies the Customer of personal data breaches without undue delay after becoming aware, as a rule within 48 hours, and supports the Customer with its obligations under Art. 33 and 34 GDPR (notification to the supervisory authority and to data subjects).

§ 9 Deletion and return after termination

On termination, the Processor, at the Customer's choice, deletes or returns the personal data processed on the Customer's behalf, unless a statutory retention obligation applies (Art. 28(3)(g) GDPR). Deletion takes place no later than 30 days after termination or the Customer's corresponding request.

§ 10 International transfers

Processing outside the EU/EEA takes place only where the Customer selects corresponding AI providers/regions. In that case transfers rely on an adequacy decision or the EU Standard Contractual Clauses together with appropriate supplementary safeguards. The Customer can pin requests to EU regions.

§ 11 Liability

Liability follows Art. 82 GDPR and the terms of the Main Agreement. Between the parties, the limitation of liability agreed in the Main Agreement applies to the extent legally permitted.

§ 12 Final provisions

Amendments require text form. Should a provision be invalid, the validity of the remaining provisions is unaffected. German law applies; place of jurisdiction is — where permitted — Hamburg. The German version of this agreement is binding.

Customer · Place, date, signature

Name:  

FlowSentric (Processor) · Place, date, signature

Hamburg,  


Annex 1 — Technical and organisational measures (Art. 32 GDPR)

Confidentiality

  • Tenant isolation: strictly tenant-separated data storage; access is always limited to the Customer's own organisation and data (authorisation is enforced on every read and write).
  • Access control: role-based permissions, authentication via Secure, HttpOnly session cookies, passwords stored only as hashes.
  • Encryption: TLS 1.3 in transit, AES-256 at rest; secrets encrypted with Fernet.
  • PII masking: optional removal of sensitive data before handing off to external AI providers.

Integrity

  • Input/transfer control: audit trail of relevant actions; SSRF protection on outbound tool/database connections.
  • Protection against unauthorised modification through role- and tenant-based access checks.

Availability and resilience

  • EU hosting, regular backups, recoverability.
  • Monitoring/logging to detect incidents.

Procedures for regular review

  • Regular security audits and review of measures.
  • Oversight of sub-processors.

Annex 2 — Approved sub-processors

Sub-processor | Purpose | Place of processing
Infrastructure / hosting provider | Hosting of application and database | EU
Stripe | Payment processing (PCI-DSS compliant) | EU / USA (SCC)
Microsoft 365 | Delivery of transactional & contact-enquiry email | EU
AI providers (chosen by the Customer: OpenAI, Anthropic, Google, etc.) | Processing of the prompts/content sent by the Customer | EU / third country (SCC; can be pinned to EU region)

The always-current list is published at flowsentric.com/subprocessors.

Note: this document is a template and does not constitute legal advice. Please have it reviewed by a lawyer or data-protection officer before use.