Skip to main content
FlowFn
IntegrationsTemplatesPricingDocsBlogSign inStart free
All legal documents

Legal & Compliance

Data Processing Agreement

Version1.0UpdatedJul 4, 2026Reading time10 min read

1. Introduction and Definitions

This Data Processing Agreement ("DPA") governs the processing of personal data by FLOW FN PTE. LTD. (UEN 202617303Z), a company incorporated in Singapore ("Processor", "we", "us"), on behalf of the customer ("Controller", "you") when using FlowFn services. This DPA is incorporated into and forms part of the Terms of Service. "Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Data Subject" means the individual to whom Personal Data relates.

2. Roles and Responsibilities

You are the Data Controller and determine the purposes and means of processing Personal Data. We are the Data Processor and process Personal Data only as instructed by you and in accordance with this DPA and applicable data protection laws. You are responsible for ensuring you have a lawful basis for processing Personal Data and for obtaining necessary consents from Data Subjects.

3. Scope of Processing

We process Personal Data solely for the purpose of providing FlowFn services, including: (a) executing workflows and automations you create; (b) storing and managing form submissions; (c) processing data through AI models as instructed; (d) integrating with third-party services you connect; (e) storing artifacts and workflow outputs; (f) storing and serving Playground source code, Playground assets, Playground Data Sheets, and (where you opt-in) Playground visitor-submitted content (files visitors upload via flowfn.upload and rows visitors insert / update / delete via the public flowfn.data primitives); (g) running Agents you configure — autonomous AI workers that invoke a Controller-approved allow-list of platform-tool actions, MCP servers, workflows and AI models on the Controller's behalf, in one of four modes (interactive chat widget, webhook-triggered, schedule-triggered, playground-triggered), and which may collect end-user input through embedded widgets or webhook payloads where the Controller has deployed them; (h) connecting to Model Context Protocol (MCP) servers the Controller has explicitly enabled, forwarding tool invocations and context selected by the agent to those servers under the Controller's credentials — MCP servers are third-party endpoints, treated as Sub-Processors when they are FlowFn-hosted partners published on the Sub-Processors page, and otherwise as Controller-selected third parties for which the Controller is responsible; (i) where you host a FlowFn MCP server (the MCP Server feature), exposing the workflows, agents, data sheets, and platform-tool actions you select to external Model Context Protocol clients (such as Claude Desktop or Cursor) that authenticate with a bearer token you hold and rotate, and forwarding those clients' tool invocations to run on your behalf under your credentials — you determine what is exposed and to which clients, and remain the Controller for those external clients, which are Controller-selected tools and not Sub-Processors; and (j) providing support and maintenance. We process Personal Data only in accordance with your documented instructions and do not process Personal Data for any other purpose without your prior written consent.

4. Processing Instructions

You instruct us to process Personal Data through: (a) your use of FlowFn services; (b) workflow configurations you create; (c) form designs you implement; (d) API calls you make; and (e) any written instructions you provide. We will process Personal Data in accordance with these instructions unless required by applicable law, in which case we will inform you (unless prohibited by law). We will not process Personal Data in a manner inconsistent with your instructions.

5. Security Measures

We implement appropriate technical and organizational measures to protect Personal Data, including: (a) encryption in transit (TLS/SSL) and AES-256-GCM typed-envelope encryption at rest, with a per-entity Data Encryption Key (user, team, workflow, app, form, playground, visualizer) wrapped by a master Key Encryption Key, providing cryptographic isolation between entities; (b) access controls and authentication mechanisms; (c) regular security assessments and audits; (d) secure development practices; (e) employee training on data protection; (f) incident response procedures; (g) data backup and recovery systems; and (h) physical security measures for data centers. We regularly review and update our security measures to address evolving threats.

6. Sub-Processors

We may engage sub-processors to assist in providing services. Our current sub-processors and their processing locations are published at https://www.flowfn.com/legal/subprocessors. We ensure all sub-processors are bound by data protection obligations equivalent to this DPA. We will update the published list before engaging a new sub-processor or replacing an existing one. Every active account holder receives advance notice by email at least 30 days before a new sub-processor begins processing personal data, and may object in writing as set out in the published Sub-Processors page. This notice is a transactional service communication required by Article 28(2) GDPR / UK GDPR and by this DPA — there is no opt-out, and it is not affected by any marketing-email preferences. Customers under this DPA additionally receive these notices through their DPA contact. Where you (the Controller) choose to enable a Model Context Protocol (MCP) server that is not on the published Sub-Processors list — for example a self-hosted MCP endpoint or a third-party MCP server you have an independent contract with — you act as the Controller for that engagement and are responsible for any sub-processor or transfer obligations to the underlying provider; we forward tool invocations and context to that server on your instruction but do not act as a sub-processor controller for it.

7. Data Subject Rights

We will assist you in responding to Data Subject requests to exercise their rights under applicable data protection laws, including: (a) right of access; (b) right to rectification; (c) right to erasure; (d) right to restrict processing; (e) right to data portability; (f) right to object; and (g) rights related to automated decision-making. We will forward any Data Subject requests we receive directly to you and will not respond to such requests without your authorization. We will provide reasonable assistance to help you respond to Data Subject requests.

8. Data Retention and Deletion

We retain Personal Data for as long as necessary to provide services and as required by applicable law. Upon termination of services or upon your request, we will delete or return all Personal Data to you within 30 days, unless we are required by law to retain it. Where the volume or complexity of an export or deletion request requires disproportionate effort (for example, multi-terabyte file stores or extensive workflow run history), we may extend the timeframe by up to a further 60 days on written notice, fulfil the request in part, or make the data available through API or self-service export. You may request deletion of specific Personal Data at any time through your account or by contacting support. We will confirm deletion upon completion.

9. Data Breach Notification

In the event of a Personal Data breach, we will: (a) notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach so that you can meet your obligations under Article 33 GDPR; (b) where Singapore Personal Data Protection Act 2012 applies and the breach is, or is likely to be, a notifiable data breach under section 26B of the PDPA, notify the Personal Data Protection Commission (PDPC) no later than 3 calendar days after we have assessed the breach to be notifiable, and assist you in notifying affected individuals where required; (c) provide you with information about the nature of the breach, categories of affected Data Subjects, likely consequences, and measures taken or proposed; (d) cooperate with you in investigating and remediating the breach; and (e) assist you in meeting your breach notification obligations to supervisory authorities, regulators (including the PDPC), and Data Subjects. We will maintain records of all Personal Data breaches.

10. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) or your jurisdiction. We ensure appropriate safeguards are in place for such transfers, including: (a) Standard Contractual Clauses (SCCs) approved by relevant authorities; (b) adequacy decisions where applicable; (c) Binding Corporate Rules where applicable; and (d) other mechanisms recognized under applicable data protection laws. By using our services, you consent to such transfers subject to these safeguards.

11. Cross-Team Transfers (Controller-to-Controller)

FlowFn lets a Controller transfer an app, or an individual asset (workflow, form, visualizer, agent, playground or stream) together with the Personal Data it holds, from one team to another team, where each team is a separate Controller account. Such a transfer is a Controller-to-Controller disclosure that you instruct by performing the transfer action; we act solely on that instruction and do not initiate transfers ourselves. The initiating Controller represents and warrants that it is authorised to effect the transfer and has a lawful basis, and any necessary consents, notices or contractual arrangements, for disclosing the Personal Data to the destination Controller. Transfers are only available between teams that the same person owns or administers; where Personal Data must move between organisations that do not share an administrator, you must use account sharing or a separate data-sharing arrangement instead, and not this feature. On completion of a transfer, the destination team becomes the Controller for the transferred Personal Data and is responsible for its subsequent processing, including responding to Data Subject requests, and the source Controller's processing instructions cease to govern it. In performing a transfer we re-assign the data to the destination team's account, clear credentials and bindings that belonged to the source team (so that no processing continues under the source team's connections or keys), and record the transfer in both teams' audit trails; we do not otherwise alter the Personal Data, and no Sub-Processors change as a result of a transfer. We are not a party to, and accept no responsibility for, the arrangement between the two Controllers; each Controller remains responsible for its own compliance with applicable data protection laws before, during and after the transfer.

12. Data Protection Impact Assessments

We will assist you in conducting Data Protection Impact Assessments (DPIAs) where required by applicable law, including: (a) providing information about our processing activities; (b) describing security measures we implement; (c) identifying risks and mitigation measures; and (d) cooperating in the assessment process. You are responsible for conducting DPIAs for your processing activities.

13. Audits and Compliance

We will make available to you information necessary to demonstrate compliance with this DPA and applicable data protection laws. Upon reasonable notice, we will allow you or your authorized representatives to audit our compliance with this DPA, subject to: (a) confidentiality obligations; (b) reasonable limitations on frequency and scope; (c) advance notice of at least 30 days; and (d) your bearing the costs of such audits. We will promptly address any non-compliance identified.

14. Records of Processing Activities

We maintain records of our processing activities as required by applicable data protection laws, including: (a) categories of processing activities; (b) purposes of processing; (c) categories of Personal Data processed; (d) categories of Data Subjects; (e) recipients of Personal Data; (f) international transfers; (g) retention periods; and (h) security measures. We retain system audit logs for at least 13 months. Upon a reasonable, documented request from you or from a supervisory authority, we will make the relevant records and excerpts of audit logs available within 10 business days, subject to redaction of information about other customers and our own confidential security details.

15. Confidentiality

We will keep Personal Data confidential and will not disclose it to any third party except: (a) as necessary to provide services; (b) to sub-processors bound by confidentiality obligations; (c) as required by law or court order; (d) with your prior written consent; or (e) as otherwise permitted by this DPA. Our employees and contractors are bound by confidentiality obligations.

16. Liability and Indemnification

Our liability for data protection breaches is limited as set forth in the Terms of Service. We are liable only for damages directly caused by our breach of this DPA or applicable data protection laws, excluding indirect or consequential damages. You agree to indemnify us against claims arising from your instructions or your breach of this DPA or applicable laws.

17. Termination

This DPA terminates upon termination of the Terms of Service or upon your request. Upon termination, we will: (a) cease processing Personal Data; (b) delete or return all Personal Data to you within 30 days; and (c) delete existing copies unless required by law to retain them. Provisions that by their nature should survive termination (including confidentiality, data deletion, and audit rights) shall survive.

18. Changes to This DPA

We may update this DPA from time to time to reflect changes in our services or applicable laws. Material changes will be notified via email or through the Service. Your continued use of services after changes become effective constitutes acceptance of the updated DPA. If you do not agree to changes, you may terminate services in accordance with the Terms of Service.

19. Governing Law and Disputes

This DPA is governed by the laws of Singapore, without regard to its conflict-of-laws principles. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service. This DPA does not affect the rights of Data Subjects under applicable data protection laws, which continue to apply in addition to, and override where inconsistent with, this DPA.

20. Contact Information

For questions about this DPA or to exercise your rights, contact our Data Protection Officer at legal@flowfn.com — this is the single intake address for all privacy, data-protection, GDPR, CCPA, and PDPA correspondence. The public data-subject request form is at https://www.flowfn.com/legal/data-request. For non-privacy general support, visit https://www.flowfn.com/dashboard/support.

Questions about this document?

legal@flowfn.com
Submit a data request →