Data Processing Agreement
Effective date: April 12, 2026 · Version 1.0
To request a signed DPA, contact us at legal@getuiflow.com.
This Data Processing Agreement ("DPA") forms part of the service agreement between Get UI Flow ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Controller" means the customer who determines the purposes and means of Processing.
- "Processor" means Get UI Flow, which processes Personal Data on behalf of the Controller.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the individual whose Personal Data is being Processed.
- "Applicable Data Protection Laws" means all applicable laws relating to data protection, including GDPR, UK GDPR, and CCPA as relevant.
2. Scope & Purpose
This DPA applies to all Processing of Personal Data carried out by the Processor in connection with providing the Get UI Flow platform to the Controller. The details of Processing are:
- Subject matter: Provision of the Get UI Flow enterprise workflow automation platform.
- Duration: The term of the service agreement between Controller and Processor.
- Nature and purpose: Hosting, processing, and displaying workflow data; user authentication and account management; transactional communications.
- Categories of Data Subjects: Controller's employees, contractors, and end users.
- Categories of Personal Data: Name, email address, company affiliation, technical identifiers (IP, user agent), and workflow data as input by users.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests.
- Assist the Controller in ensuring compliance with breach notification obligations.
- Delete or return all Personal Data upon termination of the service agreement, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow for audits.
4. Security Measures
The Processor implements the following security measures:
- Encryption: TLS 1.3 for data in transit; AES-256 at rest (via Cloudflare infrastructure).
- Authentication: Argon2id password hashing, JWT-based session management with rotation and reuse detection.
- Access control: Role-based access with principle of least privilege.
- Audit logging: All security-relevant events logged with timestamps and anonymized on account deletion.
- PII scrubbing: Email addresses are SHA-256 hashed before transmission to error monitoring services (Sentry).
- Backup: Daily automated backups of all database tables to encrypted object storage (R2), with weekly restore verification.
- Incident response: Documented incident response procedures with containment targets of 15 minutes and notification within 72 hours.
5. Sub-Processors
The Controller authorizes the Processor to engage the following Sub-Processors. The Processor will notify the Controller at least 30 days before adding or replacing a Sub-Processor, providing an opportunity to object.
| Sub-Processor | Purpose | Jurisdiction | DPA |
|---|---|---|---|
| Cloudflare, Inc. | CDN, compute, database, object storage, DNS, DDoS protection, bot verification | United States | Cloudflare Customer DPA |
| Resend, Inc. | Transactional email delivery | United States | Resend DPA |
| Functional Software, Inc. (Sentry) | Error monitoring (PII-scrubbed) | United States | Sentry DPA |
| HubSpot, Inc. | CRM and lead management | United States | HubSpot DPA |
| Better Stack, Inc. (Better Uptime) | Uptime monitoring and status page | European Union | Better Stack DPA |
6. International Transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions with data transfer restrictions, the Processor ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
- The UK International Data Transfer Agreement (IDTA) for transfers from the UK.
- Sub-Processor DPAs that include equivalent transfer mechanism commitments.
7. Data Subject Rights
The Processor shall:
- Promptly notify the Controller of any Data Subject request received directly.
- Assist the Controller in responding to Data Subject requests for access, rectification, erasure, portability, restriction, and objection.
- Provide self-service tools where feasible (data export via /api/user/export, account deletion via /api/user/delete).
- Not respond directly to Data Subject requests unless authorized by the Controller or required by law.
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach.
- Provide the Controller with sufficient information to meet its notification obligations under applicable law, including:
  - The nature of the breach (categories and approximate number of affected Data Subjects and records).
  - The likely consequences of the breach.
  - Measures taken or proposed to address the breach and mitigate its effects.
- Cooperate with the Controller's investigation and remediation efforts.
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be conducted:
- No more than once per calendar year, unless a breach or compliance concern arises.
- With at least 30 days' advance written notice.
- During normal business hours and in a manner that minimizes disruption.
- At the Controller's expense, unless the audit reveals material non-compliance.
The Processor will make available relevant documentation, records, and personnel to support reasonable audit requests.
10. Termination & Data Return
Upon termination of the service agreement:
- The Processor shall, at the Controller's choice, either return or delete all Personal Data within 30 days.
- The Controller may request a copy of their data in a structured, machine-readable format (JSON) via the data export endpoint before account closure.
- The Processor may retain Personal Data to the extent required by applicable law, with continued application of the protections in this DPA.
- Anonymized audit logs (with user_id removed) may be retained for platform security purposes, as they no longer constitute Personal Data.
Contact
For questions about this DPA or to request a signed copy, contact us at legal@getuiflow.com.