This Data Processing Addendum ("DPA") is part of the terms and conditions of the Supaflow Master Subscription Agreement or any other agreement under which Supaflow LLC ("Supaflow") provides services to the Customer ("Agreement"), executed between the party identified as the "Customer" and Supaflow. This DPA is supplemental to the Agreement and outlines the roles and obligations applicable when Supaflow processes Personal Data on behalf of the Customer in connection with the Customer's use of Supaflow Products. If there is any conflict between the Agreement and this DPA, the terms of this DPA will take precedence to the extent of such conflict. Any capitalized terms not defined in this DPA will have the meanings given to them in the Agreement.
1. Definitions. For purposes of this DPA, the following terms will have the meanings set out below:
1.1 "controller," "processor," "data subject," "personal data," and "processing" (including "process") will have the meanings provided in Applicable Data Protection Law.
1.2 "Applicable Data Protection Law" means all data protection and privacy laws and regulations worldwide that apply to the Personal Data in question, including, where applicable, EU/UK Data Protection Law, US Data Protection Law, Canadian Data Protection Law, and the Swiss DPA.
1.3 “Breach” means any security breach that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data, in violation of Supaflow’s security obligations under the Agreement, by Supaflow or its agents, and of which Supaflow becomes aware. A Breach does not include an unsuccessful breach, meaning one that does not result in unauthorized access to Personal Data or to any Supaflow equipment or facilities that store Personal Data. Unsuccessful breaches include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, failed login attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not go beyond headers), or similar incidents.
1.4 "Canadian Data Protection Law" means: (i) the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5; (ii) applicable provincial law; (iii) any and all applicable data protection laws made under, pursuant to, or that apply in conjunction with any of (i) or (ii); in each case as they may be amended or replaced from time to time.
1.5 “Data Privacy Framework” refers to the EU-U.S. Data Privacy Framework (“DPF”), the UK extension of the EU-U.S. Data Privacy Framework, and the Swiss-US Data Privacy Framework self-certification program managed by the US Department of Commerce.
1.6 “Data Privacy Principles” means the principles of the Data Privacy Framework, as supplemented by the Supplemental Principles, in each case as may be amended or replaced from time to time.
1.7 "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by section 3 of the United Kingdom's European Union Withdrawal Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive 2002/58/EC; and (iv) all applicable national data protection laws enacted under, pursuant to, or that apply in conjunction with any of (i), (ii), or (iii); in each case as may be amended or superseded from time to time.
1.8 "US Data Protection Law" means: (i) the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §1798.100 et seq., upon the CPRA’s enforcement date of July 1, 2023 (together with its implementing regulations) (“CPRA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Personal Data Privacy and Online Monitoring Act; (v) the Utah Consumer Privacy Act; (vi) the Iowa Consumer Data Protection Act; (vii) the Indiana Consumer Data Protection Act; (viii) the Tennessee Information Protection Act; (ix) the Montana Consumer Data Privacy Act; (x) the Texas Data Privacy and Security Act; (xi) the Oregon Consumer Privacy Act; (xii) the Delaware Personal Data Privacy Act; and (xiii) any and all applicable comprehensive state data protection laws and regulations that are or are not yet in effect as of the Effective Date; in each case as may be amended or superseded from time to time.
1.9 “Standard Contractual Clauses” means: (i) where the EU GDPR or Swiss DPA applies, the standard contractual clauses set out in European Commission Implementing Decision (EU) 2021/914 of June 4, 2021; and (ii) where the UK GDPR applies, the standard data protection clauses adopted or permitted under Article 46 of the UK GDPR.
1.10 "Swiss DPA" means the revised Swiss Federal Act on Data Protection enacted on September 25, 2020, and effective September 1, 2023, as it may be amended or replaced over time.
2. Relationship of the Parties: Customer instructs Supaflow to process the personal data described in Annex I (the "Personal Data") on its behalf. In respect of such processing, Customer will be the controller (or, if Customer is instructing Supaflow on behalf of a third-party controller, a processor on behalf of that controller), and Supaflow will be a processor (or, if Customer is a processor on behalf of a third-party controller, Supaflow will be a subprocessor to Customer). Each party will comply with its obligations under Applicable Data Protection Law. Customer has provided, and will continue to provide, all notices and obtained, and will continue to obtain, all necessary consents, permissions, and rights for Supaflow and its subprocessors to lawfully process Customer’s Personal Data for the purposes contemplated by the Agreement (including this DPA).
3. Purpose Limitation; Processing Instructions: Supaflow will process Personal Data for the following purposes: (i) as described in Annex I attached hereto; (ii) in accordance with the documented reasonable instructions of the Customer (which instructions, where the Customer is a processor, will reflect the instructions of its controller) that are consistent with the terms of the Agreement, including this DPA and any applicable Order Forms, and Applicable Data Protection Law; and (iii) to comply with Supaflow’s legal obligations under Applicable Data Protection Law. The parties agree that the Agreement (including this DPA and the Customer's use of Supaflow Products in accordance with the Agreement) sets out the Customer's complete and final processing instructions and (if applicable) includes and is consistent with all instructions from third-party controllers. Any processing outside the scope of these instructions (if any) shall require prior written agreement between the Customer and Supaflow. The Customer shall ensure that its instructions are lawful and that processing Personal Data in accordance with such instructions does not violate Applicable Data Protection Law. Under no circumstances will Supaflow process Personal Data for its own purposes or those of any third party. Each party will promptly notify the other if it becomes aware that such processing instructions violate Applicable Data Protection Law.
4. Cross-Border Transfer Mechanisms:
4.1 Order of precedence: If Customer’s use of Supaflow Products involves an onward transfer mechanism to lawfully transfer personal data from one jurisdiction to Supaflow outside of that jurisdiction (“Transfer Mechanism”), the terms outlined in this Section 4 will apply. The transfer of Personal Data will follow a single applicable Transfer Mechanism, in the following order of precedence: (i) the Data Privacy Framework as described in Section 4.2 of this DPA, but only where and for so long as Supaflow is self-certified thereunder; (ii) Standard Contractual Clauses as detailed in Section 4.3 of this DPA; and if neither (i) nor (ii) applies, then (iii) other applicable Transfer Mechanisms allowed under Applicable Data Protection Law.
4.2 Data Privacy Framework: Supaflow intends to pursue self-certification under the Data Privacy Framework. For so long as Supaflow is self-certified under the Data Privacy Framework, Supaflow will comply with the Data Privacy Principles when processing Personal Data subject to EU/UK Data Protection Law and/or the Swiss DPA. If the Customer is either located in the United States and is self-certified under the Data Privacy Framework or is subject to EU/UK Data Protection Law and/or the Swiss DPA, Supaflow additionally agrees, for so long as Supaflow’s self-certification remains active, to (i) provide at least the same level of protection for Personal Data as required by the Data Privacy Principles; (ii) notify the Customer in writing without undue delay if its self-certification under the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated; and (iii) upon written notice, collaborate with the Customer to take reasonable and appropriate steps to halt and remediate any unauthorized processing of Personal Data. Until Supaflow has completed such self-certification, transfers of Personal Data subject to EU/UK Data Protection Law and/or the Swiss DPA will rely on the Transfer Mechanisms set forth in Section 4.3.
4.3 Standard Contractual Clauses: For cross-border data transfers that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into and incorporated into this DPA by reference, and completed as follows:
4.3(a) In relation to Personal Data protected by the EU GDPR, the EU SCCs will apply as follows:
(i) Module Two will apply to the extent that the Customer is a controller of Personal Data, and Module Three will apply to the extent that the Customer is a processor of Personal Data on behalf of a third-party controller;
(ii) in Clause 7, the optional docking clause will not apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Section 8 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Republic of Ireland law;
(vi) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
(vii) Annex I of the EU SCCs will be deemed completed with the information set out in Annex I to this DPA;
(viii) Annex II of the EU SCCs will be deemed completed with the information set out in Annex II to this DPA; and
(ix) Annex III of the EU SCCs will be deemed completed with the information set out in Annex III to this DPA.
4.3(b) Regarding Personal Data protected by the UK GDPR, the UK SCCs will apply as follows:
(i) as long as Customer and Supaflow are legally allowed to rely on the EU SCCs for transferring Personal Data from the United Kingdom, subject to completing the International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0 “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”)), issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, as revised in Section 18, then:
(A) the EU SCCs, completed as set out above in Section 4.3(a) of this DPA, will also apply to transfers of such Personal Data, subject to sub-clauses (B), (C), and (D) below;
(B) the UK Addendum will be deemed executed between the transferring Customer and Supaflow, and the EU SCCs will be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data;
(C) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annexes I and II and Section 7.1 of this DPA (as applicable); and
(D) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
(ii) If the Customer and Supaflow are no longer allowed to rely on the EU SCCs and the UK Addendum, then the Customer and Supaflow will cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay.
4.3(c) Concerning Personal Data protected under the Swiss DPA, the EU SCCs will apply as described in Section 4.3(a) above, with the following amendments:
(i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be considered as referring to the Swiss DPA;
(ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be considered replaced with the equivalent article or section of the Swiss DPA;
(iii) references to ‘EU’, ‘Union’, ‘Member State’, and ‘Member State Law’ will be considered replaced with ‘Switzerland’ or ‘Swiss law’;
(iv) Clause 13(a) of the EU SCCs is not used, and any references to the ‘competent supervisory authority’ and ‘competent courts’ (including in Part C of Annex I hereto) are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable);
(v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
(vi) in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
4.3(d) If any provision of the Agreement (including this DPA) conflicts, directly or indirectly, with the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence.
5. Onward transfers: Supaflow will not engage in (nor allow any subprocessor to engage in) any other cross-border transfers of Personal Data (whether as an exporter or importer of Personal Data) unless it has taken necessary measures to ensure the transfer complies with Applicable Data Protection Law. Without prejudice to the above, Customer consents to cross-border transfers of Personal Data when Supaflow has implemented a transfer solution that complies with Applicable Data Protection Law.
6. Confidentiality of processing: Supaflow will take appropriate measures to ensure the confidentiality of Personal Data as outlined in the Agreement.
7. Security:
7.1 Security Measures. Supaflow will put in place suitable technical and organizational measures to safeguard the Personal Data against breaches. These measures will consider current best practices, implementation costs, and the nature, scope, context, and purposes of processing, along with the varying likelihood and severity of risks to individuals' rights and freedoms. These measures will include, as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore availability and access to Personal Data promptly in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security; and
- at a minimum, the measures outlined in Annex II.
7.2 Customer Responsibilities. Notwithstanding the above, Customer is responsible for reviewing the information provided by Supaflow regarding data security and for making an independent decision about whether Supaflow Products, including the Customer’s configuration of those products, fulfill Customer's requirements and comply with legal obligations under Applicable Data Protection Law. Customer also agrees that it is responsible for using Supaflow Products securely, including, but not limited to, protecting its account authentication credentials and ensuring secure network access.
8. Subprocessing: Customer grants Supaflow general authorization to engage subprocessors to process Personal Data on the Customer’s behalf. If the Customer acts as a processor, this authorization will reflect the instructions of its controller. Notwithstanding this, Customer agrees that Supaflow may engage third-party subprocessors to process Personal Data provided that: (i) Supaflow gives at least 30 days' prior written notice of any addition or removal of a subprocessor (including sufficient detail about the processing activities, such as location, necessity for the change, and a summary of relevant impact assessments), and (ii) Supaflow imposes data protection terms on any subprocessor that are substantially at least as protective as those outlined in this DPA. A list of approved subprocessors as of this DPA's date is included in Annex III, and Supaflow will maintain and update this list when adding or removing subprocessors, providing such updates to the Customer in accordance with this Section. The Customer may object in writing on reasonable data protection grounds (if appointing a particular subprocessor would violate Applicable Data Protection Law or weaken protections for Customer Personal Data) by notifying Supaflow in writing at privacy@supa-flow.io within thirty (30) days of receiving notice from Supaflow. If the Customer objects to a proposed subprocessor, the parties will discuss the concerns in good faith to find a mutually acceptable resolution. If they cannot reach an agreement within a reasonable time, Supaflow may, at its sole discretion, either refrain from appointing that subprocessor or allow the Customer to suspend or terminate the Agreement.
9. Cooperation and Data Subjects' Rights: Supaflow will provide all reasonable and timely assistance to the Customer (at the Customer's expense) to enable the Customer (or, if the Customer is a processor, its controller) to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) any other correspondence, inquiry, or complaint received from a data subject, regulator, or other third party regarding the processing of Personal Data. If any such request, correspondence, inquiry, or complaint is made directly to Supaflow, Supaflow will (unless prohibited by applicable law) promptly inform the Customer (who, if the Customer is a processor, will then inform its controller) and provide full details of the matter.
10. Data Protection Impact Assessment: Supaflow will provide the Customer with all reasonable and timely assistance (at the Customer’s expense where such assistance exceeds the documentation generally made available by Supaflow to the Customer) as the Customer may require to enable it (or, where the Customer is a processor, to enable its controller) to conduct a data protection impact assessment in accordance with Applicable Data Protection Law, including, if necessary, assistance to the Customer (or, where the Customer is a processor, its controller) to consult with its relevant data protection authority.
11. Breach Notification: When Supaflow becomes aware of a Breach, it will inform the Customer promptly. If the Customer is a processor, it will then notify its controller. Supaflow will provide all necessary information and cooperation to help the Customer, or its controller if applicable, meet its data breach reporting requirements under Applicable Data Protection Law and within the required timelines. Supaflow will also take all necessary measures to fix or lessen the impact of the Breach and keep the Customer updated on significant developments. This notification or response by Supaflow does not imply any fault or liability for the Breach.
12. Deletion or Return of Data: After receiving a written request from the Customer or upon termination or expiration of the Agreement, Supaflow will either destroy or return all Personal Data in its possession or control. This requirement does not apply if Supaflow: (i) is legally compelled to retain some or all Personal Data; and/or (ii) maintains Personal Data in backup systems until the backups are overwritten or deleted according to Supaflow’s backup policy. In such cases, Supaflow will isolate and secure the Personal Data from any further processing, except as necessary, until it can be deleted. Until the Personal Data is deleted or returned, Supaflow will continue to comply with its security and privacy obligations under the Agreement and this DPA. The parties agree that Supaflow will provide the certification of deletion of Personal Data, as described in Clauses 8.5 and 16(d) of the EU SCCs, to the Customer only upon the Customer's written request.
13. Audit: Customer (and, where Customer is a processor, its controller) acknowledges that Supaflow is undergoing an independent SOC 2 Type 2 examination. Upon Customer’s request, and once available, Supaflow will provide a copy or summary of the resulting report to Customer (and, where Customer is a processor, its controller), and such report will be subject to the confidentiality provisions of the Agreement. Supaflow will also respond to any written audit questions submitted by Customer and will meet with Customer (and, where Customer is a processor, its controller), by teleconference or in person (at Customer’s expense), to address follow-up questions. Such meetings will be limited to once a year unless required by the instructions of a competent data protection authority. Nothing herein shall require Supaflow to disclose: (i) trade secrets or proprietary information; (ii) information that would violate Supaflow’s confidentiality obligations, contractual commitments, or applicable law; or (iii) any information whose disclosure could threaten or compromise the security, confidentiality, or integrity of Supaflow’s infrastructure, networks, systems, or data.
14. Processing in accordance with US Data Protection Law:
14.1 Processing of Personal Data: Customer appoints Supaflow as a processor (or, if Customer is a processor, Customer appoints Supaflow as a sub-processor) to process Personal Data solely for the Business Purposes (as defined by CPRA) specified in Customer’s instructions under Annex I. The processing by Supaflow is detailed in Annex I, which sets out the processing instructions to which Supaflow is bound, including the nature and purpose of the processing, the type of Personal Data involved, and the duration of the processing. Supaflow will follow Customer instructions as outlined in Section 3 and Annex I and will assist Customer in meeting its obligations under US Data Protection Law. Supaflow will comply with all relevant provisions of US Data Protection Law, including providing the same level of protection for Personal Data as required by the law. Based on the nature of the processing and the information available to Supaflow, Supaflow will support the Customer by:
(a) taking appropriate technical and organizational measures, as far as possible, to fulfill the controller's obligation to respond to data subject rights requests as outlined in Section 9;
(b) helping the Customer meet its obligations regarding the security of processing Personal Data and the notification of a breach of system security, as outlined in Section 7, Section 11, and Annex II;
(c) providing the Customer with the information necessary to conduct and document any data protection assessments as outlined in Section 10 (the Customer and Supaflow are each responsible only for the measures allocated to them);
(d) ensuring that each person handling Personal Data is bound by a duty of confidentiality regarding Personal Data as outlined in Annex II; and
(e) after giving the Customer an opportunity to object, engaging any subprocessor through a written contract in accordance with Section 8 that requires the subprocessor to fulfill the obligations of Supaflow regarding Personal Data.
14.2 Security measures: Considering the processing context, Customer and Supaflow will implement appropriate technical and organizational measures to ensure a security level commensurate with the risk and clearly define the responsibilities for implementing these measures as outlined in Annex II.
14.3 Deletion or Return of Personal Data: Supaflow will delete or return all Personal Data to the Customer at the end of providing Supaflow Products, as outlined in Section 12.
14.4 Audit Rights: Supaflow grants the Customer the right to take reasonable and appropriate steps to ensure that Supaflow uses Personal Data in accordance with US Data Protection Law and to halt and address unauthorized use of Personal Data. Supaflow will, upon the reasonable request of the Customer, provide the Customer with all information in its possession necessary to demonstrate Supaflow's compliance as outlined in Section 13. Supaflow will allow an audit of its policies and technical and organizational measures in support of its obligations under US Data Protection Law, and will provide an audit report to the Customer upon request, as outlined in Section 13.
14.5 Restrictions on Processing Personal Data: Supaflow is prohibited from: (i) processing Personal Data for any purpose other than the Business Purposes unless explicitly authorized by US Data Protection Law; (ii) processing Personal Data for any additional commercial purpose (besides the Business Purposes), including in the servicing of a different business, unless explicitly authorized by US Data Protection Law; (iii) processing Personal Data outside the direct business relationship between Customer and Supaflow unless explicitly authorized by US Data Protection Law; (iv) Selling or Sharing (as both are defined by CPRA) Personal Data; (v) combining Personal Data with Personal Data received from, or on behalf of, another person or collected through interaction with a data subject, unless explicitly authorized by US Data Protection Law; or (vi) processing the Personal Data for any other purpose beyond what is permitted by this DPA.
14.6 Inability To Comply With US Data Protection Law: Supaflow shall notify the Customer once Supaflow determines it can no longer meet its obligations under this DPA or US Data Protection Law. If Supaflow cannot fulfill its obligations, the Customer may, at its discretion, (i) take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data; or (ii) terminate the Agreement.
14.7 Certification: Supaflow confirms that it understands and will adhere to the restrictions outlined in this Section 14.
15. System Data. Notwithstanding anything to the contrary in this Agreement, Supaflow may collect System Data and use it internally to develop, improve, support, and operate Supaflow Products. Supaflow’s use of System Data will comply with Applicable Data Protection Law. Supaflow may not share any System Data that includes Personal Data with a third party except when the System Data is aggregated and anonymized so that the Customer and Customer’s users cannot be identified.
16. Personnel background checks: Prior to hiring any employee who may access Personal Data, Supaflow will perform a background check, including, where permitted by law, checks related to sanctions, criminal history, ID/SSN, education, and employment.
17. Construction; Interpretation: This DPA is not a standalone agreement and only takes effect if an Agreement is in place between Supaflow and the Customer. This DPA is part of the Agreement and is governed by its terms and conditions, including the limitations of liability described therein. This DPA and the Agreement constitute the entire and exclusive understanding between the parties, superseding all prior written and oral agreements and communications related to the subject matter. Headings in this DPA are for convenience only and do not form part of this DPA.
18. Severability: If any provision of this DPA is found to be invalid or unenforceable, this DPA will be adjusted only as much as needed to maintain, as closely as possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any law that would make any part of this DPA prohibited or unenforceable in any way.
19. Amendment; Enforcement of Rights: No modification or amendment to this DPA, nor any waiver of rights under this DPA, will be effective unless in writing and signed by the parties. The failure of either party to enforce any rights under this DPA will not be considered a waiver of those rights. This DPA cannot be interpreted to create any rights or causes of action on behalf of a third party, except to the minimum extent required by Applicable Data Protection Law. For clarity, Customer Affiliates may exercise their rights and remedies under this DPA to the extent the Agreement applies and where required under Applicable Data Protection Law; however, if applicable laws require the Affiliate to directly exercise a right or remedy against Supaflow, the parties agree that, to the extent permitted by law: (i) only the Customer that is the contracting entity of the Agreement will exercise such rights or seek remedies on behalf of the Affiliate; and (ii) the contracting Customer will exercise these rights collectively for all Affiliates instead of separately for each one. The Customer, as the contracting entity, is responsible for all communication with Supaflow under this DPA and may act on behalf of its Affiliates in all related communication.
20. Assignment: This DPA may only be assigned along with a valid assignment under the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will automatically be assigned by that same party to the same assignee.
21. Governing Law: This DPA will be governed by and interpreted according to the laws of the jurisdiction that governs the Agreement, unless otherwise required by EU/UK Data Protection Law or Applicable Data Protection Law. In such cases, this DPA will be governed by the laws outlined in the relevant section of this DPA.
22. Counterparts: This DPA may be signed and delivered by facsimile or electronic signature, and in two or more counterparts, each of which will be considered an original, but all together will constitute one and the same instrument.
23. Supplementary Terms to Standard Contractual Clauses (references in this section to Clauses refer to Clauses of the EU SCCs).
23.1 Documentation and compliance: The review and audit provisions in this DPA will apply for the purposes of Clause 8.9.
23.2 Notification and Transparency: For purposes of Clause 8.3 Modules 2 and 3 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Supaflow to make the appropriate communications to data subjects. Therefore, upon Supaflow's notification, the Customer will have the option to be the party responsible for communicating with the data subject, and Supaflow will provide the level of assistance outlined in this DPA.
23.3 Liability: For the purposes of Clause 12(a), the parties' liability will be limited as specified in the Agreement's limitation of liability provisions.
23.4 Signatories: Although the Standard Contractual Clauses are incorporated herein by reference without being signed directly, Supaflow and the Customer each agree that their execution of the Agreement is considered to constitute their execution of the Standard Contractual Clauses, and that they are duly authorized to do so on behalf of, and to bind contractually, the data exporter or data importer (as applicable).
Annex I
Data Processing Description
This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.
A. LIST OF PARTIES
Controller(s) / Data exporter(s): Contact details and identity of the controller(s) / data exporter(s) and, if applicable, of their data protection officer and/or representative in the European Union.
| Field | Data exporter 1 |
|---|---|
| Name | As provided by the Customer |
| Address | As provided by the Customer |
| Contact person’s name, position, and contact details | As provided by the Customer |
| Activities relevant to the data transferred under these Clauses | Supaflow will process Customer Personal Data to facilitate migration of data to and from Customer’s data sources and data warehouse(s). The frequency and retention periods for storing Personal Data will vary based on the Customer’s configuration of Supaflow Products and are detailed at https://supa-flow.io/docs |
| Role (controller/processor) | Controller/Processor |

Processor(s) / Data importer(s):

| Field | Data importer 1 |
|---|---|
| Name | Supaflow LLC |
| Address | 35881 Vivian Pl, Fremont, CA 94536 |
| Contact person’s name, position, and contact details | Puneet Gupta; Founder & CEO; privacy@supa-flow.io |
| Activities relevant to the data transferred under these Clauses | Supaflow will process Customer Personal Data to facilitate the transfer of data to and from Customer’s data sources and data warehouse(s). The frequency and retention periods for Personal Data storage will vary based on the Customer’s configuration of Supaflow Products and are described at https://supa-flow.io/docs |
| Role (controller/processor) | Processor/Subprocessor |
B. DESCRIPTION OF TRANSFER
| Categories of data subjects whose Personal Data is transferred: | Individuals whose Personal Data is stored in the Customer’s data sources and processed by Supaflow. |
|---|---|
| Categories of Personal Data transferred: | Supaflow may access the Personal Data of individuals whose Personal Data is stored in the Customer’s data sources. The types of Personal Data processed are determined by the Customer and may include, without limitation: Name, Email address, Physical address, IP address and other online identifiers, Date of birth, Telephone/mobile number, and Location Data. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers, or additional security measures: | The types of Personal Data processed are determined by the Customer and may include sensitive data. |
| The transfer frequency (e.g., whether the data is transferred as a one-time event or continuously): | Duration of account/agreement life-cycle |
| Nature of the processing: | The data processing activities carried out by Supaflow under the Agreement. |
| Purpose(s) of the data transfer and further processing: | Supaflow will process Customer Personal Data in order to facilitate the migration of data to and from Customer’s data sources and Customer’s data warehouse(s). |
| The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: | The frequency and retention periods for which Personal Data may be stored will vary depending on the Customer’s configuration of Supaflow Products, which are described at https://supa-flow.io/docs |
| For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: | As outlined in Annex III |
C. COMPETENT SUPERVISORY AUTHORITY
| Identify the competent supervisory authority/ies (e.g., in accordance with Clause 13 of the SCCs) | DPC (Irish Supervisory Authority) |
|---|---|
Annex II
Technical and Organizational Security Measures
Description of the technical and organizational security measures implemented by Supaflow in accordance with Applicable Data Protection Law. Security measures include:
| Measure | Description |
|---|---|
| Measures of pseudonymisation and encryption of Personal Data | Transport Layer Security: All data is transmitted to or from Supaflow using industry-standard encrypted protocols, including TLS 1.2 or higher. Supaflow redirects unencrypted HTTP requests to HTTPS. Physical & Environmental Security: The Supaflow Products are hosted in Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Hosting providers maintain physical & environmental security protections, including: physical access restricted to approved employees based on the principle of least privilege; multi-factor authentication when approved personnel access facilities; closed-circuit television (CCTV) video recording of access points; fire detection and suppression systems; and redundant infrastructure for power, networking, and cooling. Logical Access Controls: Logical access to Supaflow Products is restricted to employees, in accordance with the principle of least privilege. All access is formally approved and requires multi-factor authentication. Access is removed upon employee termination or when an employee changes roles and no longer requires it, and is reviewed quarterly. Access activity is logged in a centralized logging infrastructure and protected from tampering. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Supaflow will: Prior to implementing changes to Supaflow’s information systems, follow a documented change management process to assess the potential impact of such changes on privacy, confidentiality, security, integrity, and availability of Personal Data, and determine whether such changes are consistent with Supaflow’s information security program; Maintain application security and software development controls designed to prevent the introduction of security vulnerabilities in software developed by Supaflow that processes Personal Data; Implement network security controls such as up-to-date firewalls, layered DMZs and updated intrusion detection/prevention systems, including firewalls between Supaflow’s information systems, the Internet (including internal networks connected to the Internet) and other public networks, and internal networks that are not necessary for processing Personal Data; the firewalls must be reasonably designed to maintain the security of Personal Data and relevant information systems; Implement and maintain software that detects, prevents, removes, and remedies malicious code designed to perform an unauthorized function on, or permit unauthorized access to, any information system, including, without limitation, computer viruses, Trojan horses, worms, and time or logic bombs; To the extent practicable, run malicious code detection software at least daily; To the extent practicable, update malicious code detection software at least daily, including by obtaining and implementing the most current available virus signatures; and Maintain vulnerability management and regularly apply operating system, application, and other infrastructure patching procedures and technologies to identify, assess, mitigate, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code. |
| Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | Supaflow will: Maintain policies and procedures to detect, monitor, document, and respond to actual or reasonably suspected Breaches, and encourage the reporting of Breaches, through: training personnel with access to Personal Data to recognize actual or potential Breaches and to escalate and notify senior management of such incidents; mandatory post-Breach review of events and actions taken concerning the security of Personal Data; and policies governing the reporting of Breaches to regulators and law enforcement agencies. Maintain policies and procedures for responding to an emergency or other occurrence that can compromise the privacy, confidentiality, integrity, or availability of Personal Data or cause damage to Supaflow’s information systems; such policies and procedures should provide for: creating retrievable copies of Personal Data; restoring lost Personal Data; enabling continuation of critical business processes involving Personal Data in emergency mode; assessing the relative criticality of specific applications and Personal Data in support of other contingency plan components; and periodic testing and updates of contingency plans. |
| Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing. | Supaflow is undergoing an independent SOC 2 Type 2 examination of its facilities, networks, and systems. |
| Measures for user identification and authorization | Supaflow will: Identify personnel, classes of personnel, and third parties whose documented business functions and responsibilities require access to Personal Data, relevant information systems, and Supaflow’s premises; Permit access to Personal Data, relevant information systems, and Supaflow’s premises only to such authorized personnel and third parties; Maintain a current record of personnel and third parties who are authorized to access Personal Data, relevant information systems, and Supaflow’s premises, and the purposes of such access; Maintain logical and physical access controls, secure user authentication protocols, secure access control methods, and firewall protection; Prevent terminated personnel, subcontractors, or other third parties from accessing Personal Data and information systems by immediately terminating their physical and electronic access to Personal Data and relevant information systems; and Manage access to Personal Data and relevant information systems: Maintain secure control over user IDs, passwords, and other authentication identifiers; Use multi-factor authentication or risk-based authentication to protect against unauthorized access to (i) Personal Data processed by the Supaflow Product and (ii) Supaflow’s information systems; Require Supaflow personnel to change passwords whenever there is any indication of possible system or password compromise; Require device trust to be configured to only allow trusted workstations to access the Supaflow environment. Restrict access to Personal Data and relevant information systems to only active users and accounts; Block user access after multiple unsuccessful login attempts or attempts to access Personal Data or relevant information systems. Terminate user access after a predetermined period of inactivity; and Promptly revoke or modify access when personnel are terminated or when their job roles change. |
| Measures for data protection during transmission | All data is transmitted to or from Supaflow using industry-standard encrypted protocols, including TLS 1.2 or higher. Supaflow redirects unencrypted HTTP requests to HTTPS. |
| Measures for the protection of data during storage | Supaflow will: Apply encryption with industry-standard algorithms and key lengths to Personal Data: Stored on laptops, mobile devices, portable storage devices, and removable archival media; Stored on file servers or in application databases; Transmitted across any public network (such as the Internet) or wirelessly; Transmitted in email attachments; and In transit outside of Supaflow’s information systems. Maintain policies prohibiting such storage or transmission unless required encryption has been applied. |
| Measures for Ensuring the Physical Security of Locations Where Personal Data Are Processed | Supaflow will: Maintain reasonable restrictions on physical access to Personal Data and relevant information systems; Maintain adequate physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disasters. Lock workstations with access to Personal Data when unattended; and Document repairs and modifications to information security-related physical components of Supaflow’s information systems. |
| Measures for ensuring event logging | A list of data and digital assets that can be exported (including logs, Supaflow platform connector logs, and audit trail log events) is available in the Customer’s Supaflow account. |
| Measures for ensuring system configuration, including the default configuration | Supaflow will: Outline the duties and areas of responsibility of Supaflow’s personnel that are separated to minimize the risk of unauthorized or accidental modification or misuse of Personal Data or Supaflow’s information systems; and Implement measures to ensure the physical or logical separation of Personal Data to prevent it from being mixed with another party’s information unless approved by the Customer. |
| Measures for internal IT and IT security governance and management | Supaflow is undergoing an independent SOC 2 Type 2 examination of its facilities, networks, and systems. At the Customer’s request, and once available, Supaflow will provide the resulting report. Furthermore, Supaflow will: Assign an individual or a group of individuals the responsibility for developing, implementing, and managing a comprehensive written information security program for Supaflow; Ensure that relevant personnel are sufficiently trained, qualified, and experienced to fulfill these functions and any other functions that might reasonably be expected of the personnel responsible for safeguarding Personal Data; Develop, maintain, and document appropriate technological, physical, administrative, and procedural safeguards, including, but not limited to, policies, procedures, guidelines, practices, standards, and controls that ensure the privacy, confidentiality, security, integrity, and availability of Personal Data, protect against any anticipated threats or hazards to the security and integrity of Personal Data, and protect against Breach; Regularly test, monitor, and evaluate the sufficiency and effectiveness of the information security program, including Breach response procedures; Conduct information security risk assessments at least once a year and whenever there is a significant change in Supaflow’s business or technology practices that affects the privacy, confidentiality, security, integrity, or availability of Personal Data; Update and refine Supaflow’s information systems and security program to reduce threats and risks, and to respond to material changes in technology, business practices, Personal Data handling, and the sensitivity of data processed by Supaflow; Assess whether Supaflow’s information security program is functioning in a manner reasonably designed to prevent and mitigate breaches; Ensure risk assessments are performed by personnel independent of those who develop or maintain Supaflow’s information systems or information security programs; Conduct reasonable background checks, including criminal background checks, as permitted by local law, on any employee with access to Personal Data or relevant information systems; and Regularly and periodically train personnel, subcontractors, and any third parties with access to Personal Data or relevant information systems on the following topics: Supaflow’s information security program; the importance of security, confidentiality, and privacy of Personal Data; and the risks to Supaflow and its Customers related to Breaches. Supaflow’s risk assessments will: Identify and evaluate reasonably foreseeable internal and external threats and risks to the privacy, confidentiality, security, integrity, and availability of Personal Data; Assess the likelihood of, and potential damage that can be caused by, identified threats and risks; Assess the adequacy of personnel training concerning, and compliance with, Supaflow’s information security program; and Assess the adequacy of service provider arrangements. |
| Measures for Certification and Assurance of Processes and Products | Supaflow is undergoing an independent SOC 2 Type 2 examination of its facilities, networks, and systems. Upon the Customer’s request, and once available, Supaflow will provide the resulting report. |
| Measures for ensuring data minimization | Processing of Customer Data: Supaflow does not store Customer Data beyond the transit period. Access to Customer resources necessary for connection functionality is logically separated within the host storage: Microsoft Azure, GCP, or AWS. Supaflow does not control the host's physical infrastructure. It relies on the fault-tolerant architecture of Microsoft Azure, GCP, and AWS across multiple availability zones and can redeploy the platform to another region if a catastrophic failure occurs. Supaflow processes Customer Data within the region specified by the Customer during configuration of the Supaflow Product. The currently supported geographic regions are described in the Supaflow documentation. Additionally, Supaflow will: Collect only the Personal Data necessary to fulfill the purpose for which it is collected; Avoid storing Personal Data on media connected to external networks unless needed for business reasons; Prohibit the download and use of file sharing or other software that could create security vulnerabilities in areas or systems holding Personal Data; Securely dispose of records containing Personal Data so that the information cannot be read or reconstructed once it is no longer needed for business or legal purposes; and Securely erase media containing Personal Data before reuse. |
| Measures for ensuring data quality | Because Supaflow is a data pipeline, the accuracy of the Personal Data depends on whether the Customer has correctly configured the pipeline. |
| Measures for ensuring limited data retention | Supaflow does not store Customer Data at any time, except during transmission. Additionally, Supaflow will employ secure destruction procedures to sanitize any unencrypted hard drives, portable storage devices, or backup media containing Personal Data before sending them off-site for maintenance or disposal. |
| Measures for ensuring accountability | Supaflow has a Data Protection Officer, Chief Information Security Officer, and several security and privacy personnel responsible for ensuring security and privacy compliance, including appropriate security measures and safeguards. |
| Measures for allowing data portability and ensuring erasure | A list of data and digital assets that can be exported (including logs, Supaflow platform connector logs, and audit trail log events) is available in the Customer’s Supaflow account and is listed in Supaflow’s documentation. In addition, Customers may submit data portability requests to privacy@supa-flow.io. Supaflow does not store Customer Data at any time, except during transmission. |
For transfers to (sub-) processors, also specify the technical and organizational measures the (sub-) processor must take to assist the controller (and, for transfers from a processor to a sub-processor, to the data exporter).
| Measure | Description |
|---|---|
| Contractual language | Supaflow ensures that its subprocessors are subject to terms that are substantially similar and provide equivalent data protection. |
| Due Diligence | Supaflow performs due diligence on third parties, including necessary privacy and security reviews such as privacy thresholds and privacy impact assessments. Supaflow will: Take reasonable steps and conduct due diligence to select and retain subprocessors capable of maintaining the privacy, confidentiality, security, integrity, or availability of Personal Data in accordance with Supaflow’s contractual and legal obligations; Contractually require subprocessors to implement adequate safeguards for Personal Data sufficient for Supaflow to meet its contractual and legal requirements regarding data protection; and Assess and monitor subprocessors to ensure their compliance with applicable privacy and information security standards. |
Annex III
List of Subprocessors
A subprocessor is a third-party data processor engaged by Supaflow that has, or may have, access to personal data, or may process personal data, on behalf of a Customer. Supaflow engages different types of subprocessors to perform various functions, as explained in the table below. Supaflow refers to third parties that do not have access to or process personal data on behalf of a Customer but are otherwise involved in providing the Services as "subcontractors," not "subprocessors." Customers may request a preferred email contact to receive notifications of changes to this list by sending that preferred email contact to privacy@supa-flow.io.
| NAME | NATURE OF PROCESSING | TERRITORY(IES) |
|---|---|---|
| Amazon, Inc. | AWS hosting environment for Supaflow services | Global |
| Google, LLC | Google Cloud hosting environment for Supaflow services | Global |
| Microsoft, Inc. | Azure hosting environment for Supaflow services | Global |
| Snowflake, Inc. | Snowflake SPCS hosting environment for Supaflow services | Global |
| Clerk, Inc. | Authentication and authorization for the Supaflow app | Global |
| Vercel, Inc. | Hosting of the Supaflow website and app | Global |
| Supabase, Inc. | Database service for the Supaflow app | Global |
| Anthropic PBC | Artificial intelligence services | Global |
| OpenAI, LLC | Artificial intelligence services | Global |