Data Processing Agreement
Last updated: 1 June 2026
The contractual framework under which AgencyFlo processes personal data on your behalf. GDPR / UK GDPR aligned, with the current sub-processor list and the technical and organisational measures we apply.
1. Scope and roles
This Data Processing Agreement (“DPA”) supplements the AgencyFlo Terms of Service and applies whenever you (the “Customer”) use the AgencyFlo Service to process personal data on behalf of others (for example, your clients or your end-users).
In that context, you are the Controller and AgencyFlo Ltd is the Processor. For your own account data (name, work email, billing details) AgencyFlo is the Controller, and processing is governed by our Privacy Policy.
2. Subject matter and duration
Subject matter: processing of personal data necessary for the provision of the AgencyFlo Service.
Duration: the term of your subscription, plus any wind-down period agreed in the Terms.
Nature and purpose: hosting, transmitting, displaying, analysing, and otherwise processing Customer Content to deliver the Service.
Categories of data subjects: typically your employees, contractors, clients, and end-users whose data you choose to put into AgencyFlo.
Types of personal data: typically contact details, role/title, project assignments, time records, communications, and similar operational data.
3. AgencyFlo's obligations as processor
We will process Customer personal data only on your documented instructions, including with regard to international transfers, except where required to do so by law.
We will ensure persons authorised to process the data are committed to confidentiality.
We will implement appropriate technical and organisational measures (see section 6).
We will assist you, taking into account the nature of the processing, in responding to data subject requests.
We will assist you in ensuring compliance with security obligations and data protection impact assessments.
We will notify you of a personal data breach without undue delay after becoming aware of it.
At the end of provision of the Service, we will delete or return the Customer personal data and delete existing copies, except where storage is required by law.
We will make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
4. Sub-processors
You authorise AgencyFlo to engage sub-processors to provide the Service, subject to a written contract imposing data protection obligations at least as strict as those in this DPA.
The current sub-processor list is published on this page and includes, at the date of this DPA:
Hosting and infrastructure: Amazon Web Services (EU regions)
Marketing site hosting: Vercel (US/EU edge)
Transactional email: Postmark
Product analytics: PostHog (EU)
Marketing analytics: Google Analytics 4, Google Tag Manager (US)
Marketing session insight: Microsoft Clarity (US)
Error monitoring: Sentry
Customer support: Intercom
Billing: Stripe
We will notify you in advance of any intended addition or replacement of sub-processors, giving you an opportunity to object on reasonable data protection grounds.
5. International transfers
Where personal data is transferred outside the UK or EEA, the transfer will be governed by appropriate safeguards including the UK International Data Transfer Addendum and EU Standard Contractual Clauses (Module Two: Controller-to-Processor), which are incorporated into this DPA by reference where applicable.
6. Technical and organisational measures
Encryption: all data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Access control: least-privilege access, MFA on all employee accounts, regular access reviews, audit logging.
Network security: segregated production environment, private subnets, intrusion detection.
Application security: secure development lifecycle, dependency scanning, regular penetration testing.
Backups: automated daily backups with 30-day retention, tested restore procedures.
Vendor management: annual review of sub-processor security posture.
Personnel: background checks, security training on hire and annually thereafter.
Incident response: documented procedure with defined notification timelines.
7. Data breach notification
We will notify you of any personal data breach affecting Customer personal data without undue delay and in any event within 72 hours of becoming aware of it.
Our notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
8. Data subject requests
If we receive a request from a data subject in respect of Customer personal data, we will refer them to you. We will assist you with the technical means necessary to respond to such requests in accordance with applicable law.
9. Return or deletion of data
On termination of your subscription, we will make Customer personal data available for export for at least 30 days. After the export window expires, we will delete the data from active systems within 30 days and from backups within the standard backup retention period.
10. Liability
Liability under this DPA is subject to the liability provisions in the Terms of Service.
11. Contact
DPA enquiries, sub-processor objections, and data breach notifications should be addressed to privacy@agencyflo.ai.
See also: Terms of Service and the Privacy Policy.