How FlowTux handles GDPR and EU data protection
Lena Fischer, Security & Compliance · June 2, 2026 · 6 min read
Lawful basis, data subject rights, and sub-processor controls — how FlowTux meets the EU GDPR for internal support data.
FlowTux processes tickets, linked code context, and the personal data of the people who file and resolve issues. For customers in the European Union and EEA, that processing falls under the General Data Protection Regulation (GDPR). This is how we structure FlowTux to meet it.
Short version: you are the data controller for the support data you put into FlowTux, and FlowTux is your data processor. Our obligations to you are set out in a Data Processing Agreement (DPA) you can sign before going live.
Lawful basis and purpose limitation
FlowTux only processes ticket and identity data to deliver the service you asked for — triage, routing, resolution, and reporting. We do not use your support content to train shared models, and we do not repurpose it for advertising or resale. Processing is scoped to the legitimate interest of running your support workflow, with the controller relationship documented in the DPA.
Data subject rights
GDPR gives individuals the right to access, correct, export, and delete their personal data. FlowTux supports each: workspace admins can export a user’s ticket history, redact or correct fields, and issue a hard delete that propagates to backups within the retention window. Requests you receive as a controller can be fulfilled from the admin console without a support escalation.
Records, sub-processors, and breach notice
We maintain Article 30 records of processing and publish a current list of sub-processors (hosting, email delivery, error monitoring). Each sub-processor is bound by equivalent data-protection terms. If a breach affecting your data occurs, we notify you without undue delay so you can meet your own 72-hour reporting obligation to the supervisory authority.
International transfers
Where data leaves the EEA, transfers rely on Standard Contractual Clauses plus supplementary technical measures (encryption in transit and at rest, access controls). EU customers who require it can pin storage to an EU region — see our post on data residency for the detail.