Data Processing Agreement (DPA)

2.1 Controller Responsibilities

As the Data Controller, you are responsible for:

• **Lawful Basis:** Establishing a lawful basis for collecting Personal Data (typically consent) under applicable Data Protection Laws.
• **Consent:** Obtaining explicit, informed consent from Data Subjects before collecting their email addresses through CreatorFlow.
• **Privacy Notice:** Providing Data Subjects with a clear privacy notice explaining how their Personal Data will be used, stored, and protected.
• **Data Subject Rights:** Responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection.
• **Data Accuracy:** Ensuring that Personal Data collected is accurate, up-to-date, and relevant.
• **Purpose Limitation:** Using collected Personal Data only for the purposes disclosed to Data Subjects.
• **Data Security:** Implementing appropriate security measures when accessing or exporting Personal Data from CreatorFlow.
• **Compliance:** Complying with all applicable Data Protection Laws in your jurisdiction.
• **Third-Party Sharing:** Not sharing Personal Data with third parties without proper authorization and safeguards.

2.2 Processor Responsibilities

As the Data Processor, CreatorFlow is responsible for:

• **Instructions:** Processing Personal Data only on your documented instructions (including these Terms and DPA).
• **Confidentiality:** Ensuring that personnel authorized to process Personal Data have committed to confidentiality.
• **Security Measures:** Implementing appropriate technical and organizational measures to protect Personal Data.
• **Sub-processors:** Engaging Sub-processors only with your prior authorization and ensuring they comply with equivalent data protection obligations.
• **Data Subject Rights:** Assisting you in responding to Data Subject requests to the extent possible.
• **Data Breach Notification:** Notifying you without undue delay upon becoming aware of a Personal Data breach.
• **Audits:** Making available to you information necessary to demonstrate compliance with this DPA and allowing for audits.
• **Data Deletion:** Deleting or returning Personal Data at your request upon termination of the Service.
• **International Transfers:** Ensuring that any international transfers of Personal Data comply with Data Protection Laws.

3.1 Nature and Purpose of Processing

CreatorFlow processes Personal Data for the following purposes:

• Storing email addresses collected through Instagram DM automations
• Enabling you to access, export, and manage collected email addresses through your CreatorFlow dashboard
• Providing analytics and reporting on email collection performance
• Ensuring Service functionality and technical support

3.2 Duration of Processing

Processing will continue for the duration of your use of the Service and for a period of up to 90 days after account termination (unless longer retention is required by law or you request earlier deletion).

3.3 Types of Personal Data

• Email addresses
• Timestamps of email collection
• Associated Instagram usernames (if collected)
• Any custom fields you configure in the email collection form

3.4 Categories of Data Subjects

• Your Instagram followers who provide their email addresses through automated DM flows
• Individuals who respond to your Instagram comments, stories, or direct messages with their email addresses

4.1 Technical Measures

• **Encryption:** Data encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
• **Access Controls:** Role-based access controls and multi-factor authentication for CreatorFlow personnel
• **Network Security:** Firewalls, intrusion detection/prevention systems, and regular vulnerability scanning
• **Secure Development:** Secure coding practices, code reviews, and regular security testing
• **Data Backups:** Regular encrypted backups with secure storage and tested recovery procedures

4.2 Organizational Measures

• **Confidentiality Agreements:** All personnel with access to Personal Data have signed confidentiality agreements
• **Security Training:** Regular data protection and security training for personnel
• **Access Limitation:** Access to Personal Data is limited to personnel who need it to perform their job functions
• **Incident Response:** Documented incident response procedures to detect, respond to, and recover from security incidents
• **Vendor Management:** Due diligence and contractual safeguards for Sub-processors
• **Regular Audits:** Periodic security assessments, penetration testing, and compliance audits

6.1 Transfer Mechanisms

• **Standard Contractual Clauses (SCCs):** We use the European Commission-approved Standard Contractual Clauses for data transfers.
• **Adequacy Decisions:** Where available, we rely on adequacy decisions for data transfers to approved countries.
• **Supplementary Measures:** We implement additional technical and organizational measures to ensure data protection equivalent to GDPR requirements.

6.2 Data Localization

If you require data to be stored in a specific geographic region, please contact us to discuss available options. Regional data storage may be available for certain subscription plans.

7.1 Data Subject Rights

• **Right of Access:** We will provide you with tools to access Personal Data stored in your account.
• **Right to Rectification:** You can update or correct Personal Data through your dashboard.
• **Right to Erasure:** You can delete individual email addresses or bulk delete Personal Data from your account.
• **Right to Data Portability:** You can export Personal Data in CSV or JSON format at any time.
• **Right to Restriction:** You can restrict processing by pausing automations or removing email addresses from active use.
• **Right to Object:** We will assist in identifying and ceasing processing upon Data Subject objection.

7.2 Request Process

• **Direct Requests:** If CreatorFlow receives a Data Subject request directly, we will redirect the Data Subject to you (the Controller) unless legally required to respond directly.
• **Your Requests:** If you receive a Data Subject request, you can use your dashboard to fulfill the request or contact support@creatorflow.so for assistance.
• **Response Time:** We will provide assistance within 5 business days of receiving your request for help.

8.1 Notification Obligation

If CreatorFlow becomes aware of a Personal Data breach affecting your data, we will:

• **Notify You:** Inform you without undue delay and no later than 72 hours after becoming aware of the breach.
• **Breach Details:** Provide available information about the nature of the breach, categories and approximate number of affected Data Subjects and records, and the likely consequences.
• **Remedial Measures:** Describe measures taken or proposed to address the breach and mitigate potential harm.
• **Contact Point:** Provide a contact point for further information and assistance.

8.2 Your Obligations

As the Controller, you are responsible for assessing whether the breach must be reported to supervisory authorities and/or Data Subjects under applicable Data Protection Laws. We will provide reasonable assistance with such notifications.

8.3 Investigation

CreatorFlow will conduct a thorough investigation of any Personal Data breach, document findings, and implement measures to prevent recurrence.

9.1 Upon Termination

Upon termination of the Service or at your request, CreatorFlow will:

• **Delete Personal Data:** Securely delete all Personal Data from our systems within 90 days, unless longer retention is required by law.
• **Return Data:** Provide you with an export of your Personal Data before deletion if requested.
• **Confirmation:** Provide written confirmation of deletion upon request.
• **Backup Data:** Delete Personal Data from backup systems in accordance with our standard backup retention schedule (typically within 12 months).

9.2 Exceptions

We may retain Personal Data longer if required to:

• Comply with legal obligations (e.g., tax laws, fraud prevention)
• Establish, exercise, or defend legal claims
• Maintain security logs for incident investigation
• Comply with lawful requests from public authorities

10.1 Information Requests

Upon reasonable written request, CreatorFlow will provide you with information necessary to demonstrate compliance with this DPA, including:

• Summaries of our security policies and procedures
• Third-party audit reports or certifications (e.g., SOC 2, ISO 27001) where available
• Information about Sub-processors and their data protection measures

10.2 Audits

• **Right to Audit:** You may conduct audits or inspections of CreatorFlow's processing of Personal Data, subject to reasonable notice (at least 30 days) and limitations to protect confidentiality and avoid disruption.
• **Frequency:** Audits may be conducted no more than once per year unless required by a supervisory authority or in response to a data breach.
• **Costs:** You are responsible for the costs of conducting audits. CreatorFlow may charge reasonable fees for audit assistance exceeding 8 hours.
• **Third-Party Auditors:** You may use independent third-party auditors bound by confidentiality obligations.
• **Alternative:** In lieu of an onsite audit, you may accept our third-party audit reports or certifications as evidence of compliance.

11.1 Liability Allocation

• **GDPR Article 82:** Each party's liability shall be determined in accordance with GDPR Article 82 (liability and right to compensation) and applicable Data Protection Laws.
• **Joint and Several Liability:** To the extent both parties are liable for the same damage, liability shall be apportioned according to the degree of responsibility.
• **Limitation:** Nothing in the Terms of Service limiting CreatorFlow's liability shall apply to liability under this DPA for violations of Data Protection Laws.

11.2 Indemnification

You agree to indemnify and hold CreatorFlow harmless from any claims, damages, or penalties arising from your failure to comply with your obligations as a Data Controller under this DPA and applicable Data Protection Laws.