Last updated: 8/25/2025
This Data Processing Agreement ("DPA") is entered into on the Effective Date, by and between Customer ("Controller") and Company ("Processor").
This DPA is incorporated into and part of the Terms of Service ("TOS") between the Controller and Processor (collectively, the "Parties"). This DPA reflects the Parties' rights and obligations with respect to Personal Data Processed as part of the Services (all as defined below). In the event of a conflict between the terms of this DPA and the TOS with respect to the subject matter herein, the terms of this DPA govern. Any prior data protection agreements between the Parties are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the TOS.
For the purposes of this DPA, the following terms shall have the meanings specified below:
• "Breach Event" means any incident where security is compromised, resulting in unintentional or illegal destruction, misplacement, modification, or unauthorized sharing or access to Personal Data that has been transmitted, stored, or otherwise processed.
• "Data Subject" refers to the identified or identifiable natural person whose Personal Data is processed.
• "Parties" means the Controller and Processor collectively.
• "Personal Data" refers to any information that is tied to an identified or identifiable natural person (Data Subject) that is protected as personal data, personal information, or personally identifiable information.
• "Personnel" refers to the employees or other individuals who are in a contractual relationship with the Processor, including employees or other individuals who are in a contractual relationship with the Sub-Processor.
• "Processing" means actions performed by the Processor on the Personal Data whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Services" means any products or services provided by the Processor pursuant to the TOS.
• "Subprocessor" or "Subcontractor" refers to any third party appointed by the Processor to assist in fulfilling its obligations in providing Services to the Controller.
The purpose of this DPA is to define the conditions under which the Processor shall process Personal Data on behalf of the Controller.
The Controller has sole responsibility for the quality and accuracy of the Personal Data and how it acquired such data. The Controller is also responsible for complying with transparency and consent requirements for the collection, use, and transfer of the Personal Data.
As between the Parties, all Personal Data processed by the Processor in performing the Services shall remain the property of the Controller.
Processing obligations under this DPA will begin on the Effective Date and run until the end of the Processor's provision of Services to the Controller.
The Processor will process the categories of Personal Data provided by the Controller as set forth in Schedule 1.
The Processor shall only process Personal Data in accordance with this DPA, including specific instructions set forth in Schedule 2.
The Processor shall promptly notify the Controller of any requests from a Data Subject to exercise their rights under applicable data privacy laws and shall assist the Controller in responding to a Data Subject's request as provided in the processing instructions, Schedule 2.
The Processor shall assist the Controller in performing data protection impact assessments. At the Controller's request, the Processor shall provide all necessary information the Controller needs to meet their data protection assessment obligations, including but not limited to information about data transmittal, data storage, methods of processing, encryption, and data destruction.
Both Parties agree to maintain the confidentiality of Personal Data and not to disclose such data except as expressly permitted under these Terms. The Processor shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations.
Subject to the limitations of liability in the TOS, the Parties agree to indemnify one another against any claims, including but not limited to damages and fines, arising out of their respective breaches of these Terms. Each Party's liability is limited to the amount of damages directly caused by its breach of this DPA.
The Processor shall, at all times, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk to protect the Personal Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.
The Processor shall promptly notify the Controller of a Breach Event involving the Controller's data, and in any event within 48 hours.
The Processor shall not use or authorize the use of the Personal Data for any purpose other than those outlined in this DPA or for purposes other than performing its obligations under the TOS. The Processor is prohibited from: selling or sharing Personal Data it collects pursuant to the TOS with the Controller; retaining, using, or disclosing the Personal Data for any purpose other than the specified business purpose(s) or as otherwise permitted; retaining, using, or disclosing the Personal Data for any commercial purpose other than the business purpose(s) specified in this DPA, including the specific instructions set forth in Schedule 2; and retaining, using, or disclosing the Personal Data outside the direct business relationship between the Processor and Controller.
The Processor may engage a Subcontractor (alternatively referred to herein as Subprocessor) to process Personal Data with the Controller's consent. The Subcontractor must agree in writing to uphold all the Processor's obligations under the DPA or substantively similar obligations. Company makes available the current list of Subprocessors used by Company to process Personal Data at trust.reflow.ai/subprocessors (“Subprocessor List”). The Subprocessor List as of the date of first use of the Services by Customer is hereby authorized and in any event shall be deemed authorized by Customer as updated unless Customer provides a written reasonable objection within thirty (30) calendar days following the signing of this DPA or notification of an update to the Subprocessor List. In order to receive notification concerning the intention of including a new Subprocessor into the Subprocessor List, please subscribe by sending an email to hello-at-reflow-dot-ai of your request to receive notifications of any new Subprocessors used to process Personal Data. Once subscribed, Company shall provide notification of any new Subprocessors before authorizing such new Subprocessors to process Personal Data in connection with the provision of the Services.
The Processor agrees to, at the Controller's choice, securely delete or return the Personal Data within ten (10) business days upon the Controller's written request at any time during the TOS term or upon termination or expiration of the TOS except to the extent that storage of any such data is required by applicable law (and, if so, the Processor shall inform the Controller of any such requirement and shall securely delete such data as soon as it is permitted to do so under applicable law). Controller acknowledges and agrees that any deletion by Processor is irreversible and such deleted data will be unrecoverable. Upon Controller’s request, Processor may enable the periodic deletion of certain locally stored data (e.g. screenshot and audio) at the organization or user level or upload such locally stored data to secure Processor or Subprocessor servers for processing or storage to enable continuity of service features.
The Processor shall permit the Controller, or an independent auditor appointed by the Controller, to conduct audits or inspections with reasonable notice during regular business hours to ensure compliance with the terms of this DPA. The scope of the audit shall be limited by the Parties to the systems, procedures, and documentation relevant to the processing of Personal Data. The Processor agrees to provide the Controller with all necessary cooperation, access, and support to conduct such audits. The Parties shall consider the findings of any such audit confidential information subject to the terms of this agreement.
The Processor shall use commercially reasonable efforts to maintain complete, accurate, and up-to-date written records of all categories of processing activities carried out on behalf of the Controller and ensure such records include all information:
• Necessary to demonstrate its compliance with this DPA; and
• That the Controller may reasonably require from time to time.
The Processor shall make copies of such records available to the Controller promptly on request from time to time. Notwithstanding the foregoing, Controller acknowledges and agrees that any request to delete Personal Data will be irreversible and such Personal Data will be unrecoverable.
Depending on the specific features and Services provided by Processor, the following types of Personal Data may be processed under the DPA, and the categories of Data Subjects are as follows:
Categories of Data Subjects may include:
• Employees and contractors of Customer
• End users or customers of Customer’s goods and services
• Other individuals whose Personal Information may be visible via user activity, such as in screenshots or call recordings
Categories of Data:
• Identifiers
  • Name or username
  • User ID or employee ID
  • IP address and device identifiers
  • Phone numbers, addresses or other criteria used by employees to identify customers
  • Email address
• Audio, Electronic, Visual, or Similar Information
  • Screen captures of user activity while using Customer's software or systems
  • Audio recordings of phone calls for performance and quality assurance
  • System usage logs and timestamps
  • Screen resolution and hardware configuration details (as applicable)
• Internet or Other Electronic Network Activity Information
  • Application usage data (e.g., time spent in software applications, clickstream data)
  • Website or system access logs
  • Keystroke activity or input behavior, if applicable
• Professional or Employment-Related Information
  • Job title or role
  • Department or team affiliation
  • Work performance metrics or task completion logs
• Geolocation Data
  • Approximate location inferred from IP address or device metadata (if collected)
• Sensitive Personal Information (may be incidentally captured)
Specific Processing Instructions:
• Purpose of Processing: to provide Services as described in the Agreement, including:
  • Task mining and productivity tracking via local and cloud-based collection of user data
  • Monitoring and compliance features, including screen and audio capture and processing
  • Suspicious activity detection
  • Context detection using third-party (e.g. AI) processors
  • Hosting and storage of user data for analysis and reporting
  • Support and maintenance, including accessing Customer data where necessary to troubleshoot issues
• Authorized Processing Activities: Processor is specifically instructed to:
  • Collect and store Locally Stored Data (LSD), including audio and screen capture, user interaction, and application activity
  • Upload certain LSD to Reflow or third-party servers for limited-time processing, as required for feature functionality
  • Transmit visual, audio and other data to third-party AI services for processing, subject to deletion requests and safeguards
  • Delete Customer data within 10 business days upon written request, and all data within 20 business days following account termination
  • Provide access to Customer data only to authorized personnel on a need-to-know basis
• Prohibited Uses: Processor shall not:
  • Use Personal Information for any purpose other than providing the Services
  • Sell or share Personal Information
  • Use Personal Information to train models that are accessible to other customers or the public
• Data Deletion: Processor shall use commercially reasonable efforts to permanently delete Personal Information from all systems upon:
  • Written request from Customer, within 10 business days
  • Termination of services, within 20 business days
• Third-Party Subprocessors
  • Processor may use third-party service providers for hosting and AI processing
  • Customer must not disapprove each Subprocessor
  • Processor shall use commercially reasonable efforts to ensure such Subprocessors are contractually bound to the same or substantially similar restrictions as this DPA
• Additional Instructions
  • Customer may request updates to processing instructions
  • Processor shall promptly notify Customer if it determines it can no longer comply with these instructions