Last updated: June 16, 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Flowtux ("Processor") and the customer ("Controller") for the provision of Flowtux services. It governs the processing of personal data carried out by Flowtux on the Controller's behalf and is intended to meet the requirements of Article 28 of the GDPR, the UK GDPR, and equivalent applicable data protection laws. A countersigned copy is available on request at privacy@flowtux.com.

1. Definitions

"Controller", "Processor", "Personal Data", "Processing", "Data Subject", "Personal Data Breach", and "Sub-processor" have the meanings given in the GDPR (Regulation (EU) 2016/679) and, where applicable, the UK GDPR and the Indian Digital Personal Data Protection Act, 2023. The customer is the Controller and Flowtux is the Processor in respect of personal data processed to provide the services.

2. Roles and Scope of Processing

Flowtux processes personal data only as a Processor, on documented instructions from the Controller, for the sole purpose of providing and supporting the services. The Controller's use of the services and its configuration of integrations constitute its documented instructions. The subject matter, duration, nature, purpose, categories of data subjects, and types of personal data are set out in Annex I. Flowtux does not use customer personal data to train its own foundation models, and does not sell personal data.

3. Processor Obligations

  • Process personal data only on the Controller's documented instructions, including for transfers.
  • Ensure persons authorized to process personal data are bound by confidentiality obligations.
  • Implement the technical and organizational security measures described in Section 5 and Annex II.
  • Respect the conditions in Section 4 for engaging sub-processors.
  • Assist the Controller, by appropriate measures, in responding to data-subject requests (Section 6).
  • Assist the Controller with security, breach notification, and data protection impact assessments.
  • Delete or return personal data at the end of the services as described in Section 9.
  • Make available information necessary to demonstrate compliance and allow for and contribute to audits.

The Controller may audit Flowtux's compliance once per twelve-month period on at least thirty (30) days' written notice, or more frequently where required following a confirmed Personal Data Breach or by a supervisory authority. Flowtux may satisfy audit requests by providing current security documentation and third-party reports where available.

4. Sub-processors

The Controller provides general authorization for Flowtux to engage the sub-processors listed below. Flowtux imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. Flowtux will give the Controller at least thirty (30) days' prior notice of any intended addition or replacement of a sub-processor, during which the Controller may object on reasonable data-protection grounds.

Sub-processor | Purpose | Location | Applies to
Google Cloud Platform (Google LLC) | Application hosting and infrastructure, and AI processing of ticket, diagnostic, and assistant content | United States | All customers
Microsoft Azure (Microsoft Corporation) | Cloud hosting and infrastructure | India | All customers
Meta Platforms, Inc. (WhatsApp Business) | WhatsApp message delivery | United States | Only where the customer enables WhatsApp notifications

Customer-connected third-party systems (for example Slack, GitHub, Sentry, Jira, PagerDuty, Notion, or Microsoft Teams) are integrations chosen and controlled by the Controller and are not Flowtux sub-processors; the Controller's use of them is governed by its own agreements with those providers.

5. Security Measures

Flowtux implements appropriate technical and organizational measures to protect personal data, including encryption of integration credentials and sensitive data at rest using AES-256-GCM, encryption in transit using TLS 1.2 or higher, HMAC verification with timing-safe comparison and timestamp windows on inbound webhooks, role-based access control on the principle of least privilege, an encrypted credential store, continuous error and security monitoring, and access and activity audit logging. A fuller description is set out in Annex II and on the Security page.

6. Data-Subject Rights

Flowtux provides self-service tooling within the product (Settings → Privacy) that enables the Controller and its authorized users to export personal data in a machine-readable format, manage consent, and request erasure. Taking into account the nature of the processing, Flowtux assists the Controller in fulfilling its obligation to respond to data-subject requests for access, rectification, erasure, restriction, portability, and objection. Where Flowtux receives a request directly from a data subject, it will, unless legally required to act, refer the request to the relevant Controller.

7. International Transfers

Personal data is hosted on Google Cloud Platform and Microsoft Azure, with data residing securely in the United States (Google Cloud) and India (Azure). Where personal data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with supplementary technical measures including the encryption described in Section 5. The Standard Contractual Clauses are incorporated into this DPA by reference and prevail in the event of a conflict regarding such transfers.

8. Personal Data Breach

Flowtux will notify the Controller without undue delay, and in any event no later than seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller's personal data. The notification will describe the nature of the breach, the likely consequences, the categories and approximate number of data subjects and records affected to the extent known, and the measures taken or proposed to address it, so that the Controller can meet its own notification obligations.

9. Return and Deletion

On termination or expiry of the services, Flowtux will, at the Controller's choice, delete or return the personal data, and will delete existing copies within thirty (30) days unless retention is required by law. Personal data is removed from active systems within that period and expires from encrypted backups in the ordinary backup rotation cycle. Erasure performed through the in-product tooling anonymizes personal identifiers in records that must be retained as legitimate business records while permanently removing strictly personal artifacts.

Annex I — Details of Processing

Subject matter: provision of the Flowtux internal support and ticketing platform and related AI and diagnostic features.

Duration: the term of the agreement, plus the deletion period in Section 9.

Nature and purpose: ingesting operational signals (such as Slack messages, Sentry alerts, CI/CD and PagerDuty events, and GitHub issues), creating and routing tickets, AI categorization, deduplication and resolution assistance, device diagnostics, notifications, and analytics.

Categories of data subjects: the Controller's employees, administrators, and authorized end users.

Types of personal data: name, work email address, role and team, account credentials, IP address and approximate location, device and diagnostic metadata, ticket and comment content, integration settings, notification identifiers (including phone or WhatsApp number where enabled), and usage and activity history.

Special categories: none are intended to be processed; the services are not designed for special-category data.

Annex II — Technical and Organizational Measures

  • Encryption of integration credentials and sensitive data at rest using AES-256-GCM.
  • Encryption of data in transit using TLS 1.2 or higher.
  • HMAC verification with timing-safe comparison and timestamp windows on inbound webhooks.
  • Role-based access control (member, admin, workspace admin) enforced on the principle of least privilege.
  • Authentication via email/password and Google OAuth, with signed session tokens.
  • Encrypted credential store for third-party integration secrets.
  • Continuous error and performance monitoring and security alerting.
  • Access and activity audit logging retained for accountability.
  • Hosting on Google Cloud Platform and Microsoft Azure with provider-level physical and network controls.