Data Processing Addendum
GDPR Article 28 · CCPA/CPRA Service-Provider Terms
This Data Processing Addendum (“DPA”) forms part of, and is governed by, the agreement between the Customer and the Provider for the use of the Flowent AI platform (the “Agreement”). It applies where the Provider processes personal data on the Customer’s behalf. The platform and these terms are offered to businesses (B2B) only and are not intended for consumers. In the event of a conflict between this DPA and the Agreement with respect to the processing of personal data, this DPA prevails.
1. Roles and Definitions
Provider / Processor: Luis Ens – Flowent, Am Neugraben 9, 79112 Freiburg, Germany (email anfrage@flowent.de). Flowent is a sole proprietorship.
Customer / Controller: the business entity that has entered into the Agreement and that determines the purposes and means of the processing of personal data.
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, the Customer acts as the controller and Flowent acts as the processor (or sub-processor, where the Customer itself acts as a processor for its own customers). For the purposes of the California Consumer Privacy Act (CCPA) as amended by the CPRA, the Customer is the business and Flowent is a service provider.
Terms such as “personal data”, “processing”, “data subject”, “personal data breach”, “controller”, “processor” and “sub-processor” have the meanings given to them in the GDPR. “Personal information”, “sell”, “share”, “business purpose” and “service provider” have the meanings given to them in the CCPA/CPRA.
2. Subject-Matter, Duration, Nature and Purpose
Subject-matter: the processing of personal data by Flowent that is necessary to provide the Flowent AI platform to the Customer under the Agreement.
Nature and purpose: provision of AI-agent services, execution of automated workflows (pipelines), storage of conversation histories, optional voice (telephony) processing, and the associated technical infrastructure (hosting, storage, caching, transactional email and error monitoring).
Duration: the processing continues for the term of the Agreement. On termination, personal data is deleted or returned in accordance with Section 4 of this DPA.
3. Categories of Data and Data Subjects
Categories of personal data:
- Conversation data (inputs to AI agents and generated outputs)
- User profile data (name, email address, company name)
- Workflow configurations and pipeline definitions
- Metadata (timestamps, token counts, model selection, session IDs)
- Where voice features are used: call audio, transcripts and related call metadata
- Where the Customer connects optional integrations: the records it chooses to import (e.g. CRM contacts, documents, messages)
Categories of data subjects: the Customer’s employees, agents and other representatives who use the platform in the course of their professional activity, and any individuals whose personal data is contained in the content the Customer submits to or imports into the platform.
4. Obligations of the Processor
Flowent undertakes to:
- Documented instructions. Process personal data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do so by EU or Member State law to which Flowent is subject; in such a case, Flowent will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Agreement and this DPA constitute the Customer’s complete and final instructions. Flowent will inform the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
- Confidentiality. Ensure that all persons authorized to process personal data are bound by an appropriate duty of confidentiality and have been informed of the applicable data protection requirements.
- Security. Implement and maintain the technical and organizational measures set out in Section 9 (TOMs) in accordance with Article 32 GDPR.
- Data-subject requests. Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests by data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability and objection). Where a data subject contacts Flowent directly, Flowent will forward the request to the Customer without undue delay and will not respond to it itself except on the Customer’s instructions.
- Breach notification. Notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s personal data, and in any event in good time to enable the Customer to meet its obligation to notify the competent supervisory authority within 72 hours under Article 33 GDPR. The notification will include the information required under Article 33(3) GDPR to the extent then available, and Flowent will provide further information as it becomes known.
- Assistance with DPIAs. Provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities (Articles 35–36 GDPR), taking into account the nature of the processing and the information available to Flowent.
- Deletion and return. At the Customer’s choice, delete or return all personal data after the end of the provision of the services and delete existing copies, unless EU or Member State law requires further storage. Deletion is completed within 30 days of termination; where return is requested, data is provided in a machine-readable format (JSON/CSV).
Flowent makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.
5. Sub-Processors
The Customer grants Flowent a general authorization to engage sub-processors. Flowent will inform the Customer of any intended addition or replacement of a sub-processor, giving the Customer the opportunity to object on reasonable, data-protection-related grounds within 14 days of the notice. Flowent imposes on each sub-processor, by contract, data protection obligations that are no less protective than those set out in this DPA, and remains fully liable to the Customer for the performance of each sub-processor’s obligations.
Current sub-processors:
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Telnyx LLC | Telephony / SIP trunking, raw audio transport, phone numbers | USA | SCCs (Impl. Dec. 2021/914) + DPA |
| Deepgram, Inc. | Speech-to-text (raw audio stream) | EU region (EU endpoint enforced) | DPA; SCCs for residual components |
| Anthropic PBC (via AWS Bedrock) | Voice LLM inference (primary and exclusive) | EU (AWS eu-central-1, Frankfurt) | AWS DPA, EU inference |
| Fish Audio Co., Ltd. | Text-to-speech (primary) | Singapore | SCCs + transfer-impact assessment (no adequacy decision / DPF) |
| ElevenLabs, Inc. | Text-to-speech (fallback) | USA | SCCs + DPA |
| Cartesia, Inc. | Text-to-speech (fallback) | USA | SCCs |
| Cloudflare, Inc. (R2) | Audio storage & transcript storage | EU (Frankfurt) | SCCs + DPA |
| OpenAI, Inc. | LLM inference for text-chat agents ONLY (not in the voice path) | USA | EU-US DPF + SCCs |
| Vercel, Inc. | Hosting & edge functions | USA/EU | EU-US DPF + SCCs |
| Supabase, Inc. | PostgreSQL database (primary data residency) | EU (Frankfurt / Ireland) | EU hosting |
| Stripe, Inc. | Payment processing | USA/EU | EU-US DPF + SCCs |
| Sentry / Functional Software, Inc. | Error monitoring (error-only, no content PII) | USA | EU-US DPF |
| Resend, Inc. | Transactional email | USA | SCCs |
| Redis Labs / Upstash | Cache & queues | EU region | SCCs where US-based |
| GitHub, Inc. | OAuth sign-in | USA | EU-US DPF |
Integration sub-processors (optional, user-connected): The following sub-processors are engaged only where a user actively connects the relevant integration (OAuth authorization). They are optional and are not required to operate the platform. The legal basis for their use is the user’s consent through the active connection of the integration. OAuth tokens issued on connection are stored AES-256-GCM encrypted.
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| HubSpot, Inc. (Cambridge, MA, USA) | CRM contact import (name, email, phone, company, position) | USA | EU-US DPF + SCCs |
| Notion Labs, Inc. (San Francisco, USA) | Import of page / database content | USA | SCCs + transfer-impact assessment (no DPF) |
| Dropbox, Inc. (San Francisco, USA) | File / document import | USA | SCCs + TIA |
| Formagrid, Inc. (Airtable, San Francisco, USA) | Import of tables / records | USA | SCCs + TIA |
| Intercom, Inc. (San Francisco, USA) | Import of help-center articles | USA | EU-US DPF + SCCs |
| Microsoft Ireland Operations Ltd. / Microsoft Corp. (Microsoft 365, OneDrive/SharePoint) | Login + file import + profile (User.Read) | EU/USA | EU Data Boundary + SCCs |
| Google Ireland Ltd. (Google Workspace: Gmail, Calendar, Drive, Sheets, Tasks, Contacts) | OAuth, read and write access (incl. gmail.send/modify, calendar.events) | EU/USA | EU-US DPF + SCCs |
| Slack (Salesforce, Inc., USA) | Import of messages / channels | USA | EU-US DPF + SCCs |
An up-to-date list of sub-processors is maintained as the single source of truth and is reflected in this table. For changes, the notification and objection process described above applies.
6. International Transfers and Data Residency
Data residency. Primary data and the database are hosted in the EU (Frankfurt — Supabase), and call audio is stored on Cloudflare R2 in the EU (Frankfurt). Voice LLM inference runs exclusively on Anthropic via AWS Bedrock in the EU (eu-central-1, Frankfurt). Speech-to-text (Deepgram) runs through an enforced EU endpoint.
Transfer mechanisms. Where personal data is transferred outside the EEA to a country without an adequacy decision, the transfer is governed by the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), using Module Two (controller-to-processor) and, where Flowent onward-transfers to a sub-processor, Module Three (processor-to-processor). For transfers subject to UK law, the SCCs are supplemented by the UK International Data Transfer Addendum (UK Addendum) issued by the ICO. Where the EU-US Data Privacy Framework applies to a certified importer, it is relied upon as a complementary basis.
Supplementary measures. In line with the EDPB recommendations, Flowent applies supplementary technical and organizational measures, including encryption in transit (TLS 1.3), encryption at rest (AES-256), strict access controls, and documented transfer-impact assessments for transfers to countries without an adequacy decision (notably Singapore for the primary TTS and the US-based TTS fallbacks).
Voice-path transport via Telnyx (USA) and text-chat LLM inference via OpenAI (USA — not part of the voice path) are each safeguarded by the applicable transfer mechanism shown in Section 5.
7. Audit Rights
Flowent makes available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits must be announced with at least 14 days’ prior notice, be limited to once per year (unless required by a supervisory authority or following a personal data breach), take place during normal business hours, and be conducted in a manner that does not unreasonably disrupt Flowent’s operations or compromise the confidentiality or security of other customers’ data.
8. CCPA / CPRA Service-Provider Terms
To the extent the CCPA (as amended by the CPRA) applies, the Customer is the “business” and Flowent is a “service provider”. Flowent processes personal information solely on behalf of the Customer and only for the specific business purpose of providing the services under the Agreement. Specifically, Flowent:
- processes personal information only for the business purpose(s) set out in the Agreement and does not process it for any other purpose;
- does not sell and does not share personal information (as “sell” and “share” are defined under the CCPA/CPRA), and does not use it for cross-context behavioral advertising;
- does not retain, use, or disclose personal information outside the direct business relationship with the Customer, or for any purpose other than the business purposes specified in the Agreement, except as permitted by the CCPA/CPRA;
- does not combine the personal information it receives from the Customer with personal information received from or on behalf of others, except as permitted by the CCPA/CPRA;
- will notify the Customer if it determines it can no longer meet its obligations under the CCPA/CPRA, and will, on reasonable notice, take steps to stop and remediate unauthorized use of personal information.
Flowent certifies that it understands the restrictions set out in this Section and will comply with them. Flowent will provide the same level of privacy protection as is required of the business under the CCPA/CPRA and will assist the Customer in responding to verifiable consumer requests.
Flowent does not sell or share personal information and honors the Global Privacy Control (GPC) browser signal as a valid opt-out request. A privacy-choices page is available for “Do Not Sell or Share My Personal Information” preferences.
9. Technical and Organizational Measures (TOMs)
In accordance with Article 32 GDPR, Flowent maintains the following technical and organizational measures to protect the personal data it processes:
Encryption at rest
Personal data and call recordings are stored encrypted at rest using AES-256 (Cloudflare R2 with server-side encryption; optional customer-managed key / SSE-C). API keys and third-party credentials are stored AES-256 encrypted.
Encryption in transit
All data transfers, including audio streams (Telnyx, Deepgram, text-to-speech), are carried exclusively over TLS 1.3.
Access control (RBAC)
Access to data is role-based (RBAC). Multi-factor authentication (MFA) is available, and access to cloud management consoles is protected by MFA and IP allow-listing. Sessions are managed through time-limited JWT tokens; session cookies are httpOnly and Secure. Strict tenant isolation is enforced at the database level so that cross-tenant access is technically excluded.
Audit logs
Comprehensive, tamper-evident audit logging records user ID, action, timestamp and the affected resource. Every access to recordings and transcripts is logged. A consent log records, per call, the recording notice that was played and any objections raised.
Retention enforcement
Deletion is enforced through automated retention jobs rather than manual deletion, so configured retention periods are applied consistently. Transcripts are pseudonymized, and access to them is restricted under RBAC combined with workspace (tenant) isolation.
Availability and resilience
PostgreSQL backups are taken automatically every day via Supabase, with point-in-time recovery. Disaster-recovery procedures are documented.
This Data Processing Addendum becomes legally effective on acceptance of the Terms of Service on registration for the Flowent AI platform and forms an integral part of the Agreement. This English-language DPA is provided for the convenience of international (B2B) customers; the German-language legal documents remain authoritative where required by applicable law.
Last updated: 2026-06-06