windflow
FeaturesSyncWorkflowFAQ
Download

Data Processing Agreement

Windflow · Last updated July 16, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Windflow (the “Processor”) and a business customer (the “Controller”) that uses Windflow to process personal data on behalf of others. It applies only where, and to the extent, Windflow processes personal data as a processor on the Controller’s behalf. If you use Windflow as an individual for your own purposes, this DPA does not apply and our Privacy Policy governs instead.

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, “sub-processor”, and “data subject” have the meanings given to them under applicable data protection law, including the EU General Data Protection Regulation (GDPR) where it applies.

2. Scope and applicability

This DPA applies when the Controller uses Windflow to process personal data for which the Controller is responsible. The Controller determines the purposes and means of that processing; Windflow processes such personal data only on the Controller’s documented instructions, including as set out in the Terms of Service and this DPA.

3. Data processing details

  • Subject matter & duration. Processing lasts for the term of the Controller’s use of Windflow.
  • Nature & purpose. To provide the Windflow service — operating web pages and running AI tasks at the Controller’s direction.
  • Categories of data subjects. The Controller’s authorized users and any individuals whose data appears in the content Windflow processes.
  • Types of personal data. Account details (such as email addresses) and any personal data contained in the browsing content processed through Windflow’s official AI service.
  • Local-first exclusion. Where you use your own AI provider key (BYOK), browsing content is sent directly from your device to your chosen provider and is not processed by Windflow; such data is outside the scope of this DPA.

4. Controller and processor obligations

The Controller is responsible for ensuring it has a lawful basis for the processing and for the accuracy and legality of the instructions it gives. Windflow (Processor) will: process personal data only on the Controller’s documented instructions; ensure persons authorized to process the data are bound by confidentiality; and implement appropriate security measures as described below.

5. Security measures

Windflow maintains reasonable technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and reliance on established infrastructure providers. No system is perfectly secure, but we take commercially reasonable steps to protect personal data.

6. Data subject rights

Taking into account the nature of the processing, Windflow will provide reasonable assistance to help the Controller respond to requests from data subjects to exercise their rights (such as access, correction, or deletion).

7. Sub-processors

The Controller authorizes Windflow to engage the following sub-processors:

  • Cloudflare, Inc. — hosting, official AI model inference, bot protection (Turnstile), and email delivery.
  • Google LLC — sign-in / authentication.
  • Stripe, Inc. — payment processing (only where paid features are enabled; not currently in use).

Windflow imposes data protection obligations on its sub-processors comparable to those in this DPA, and will inform the Controller of intended changes to its sub-processors so the Controller has an opportunity to object.

8. International data transfers

Where personal data is transferred across borders, Windflow relies on an appropriate transfer mechanism under applicable law, such as the European Commission’s Standard Contractual Clauses (SCCs) or an applicable adequacy decision.

9. Data retention and deletion

Personal data processed through Windflow’s official AI service is not retained — it is forwarded to complete the task and not stored. Account data is retained for the duration of the account and deleted following account closure or on the Controller’s request, unless retention is required by law.

10. Audit rights

On reasonable prior notice, no more than once per year, and subject to confidentiality, Windflow will make available information reasonably necessary to demonstrate compliance with this DPA.

11. Limitation of liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

12. Data protection contact

For data protection matters, contact us at support@windflow.app.

13. Governing law and jurisdiction

This DPA is governed by the law and jurisdiction set out in the Terms of Service.

14. Amendments

Windflow may update this DPA from time to time. Material changes will be reflected by updating the “Last updated” date above.

15. Standard Contractual Clauses

Where required for international transfers, the parties agree that the European Commission’s Standard Contractual Clauses are incorporated into this DPA by reference and apply to the relevant transfers.

16. Conflict

In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails to the extent of that conflict.