Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Procestoppers BV ("Processor") and reflects the parties' obligations under the GDPR.

1. Subject matter. The Processor processes Personal Data on behalf of the Controller solely to operate the FlowTopper Service.

2. Categories of data subjects. Your end users, members of your organization, and any individuals whose information appears in the process models, interviews, or documents you upload.

3. Categories of Personal Data. Email, name, locale, and any Personal Data the Controller includes in process content. We do not request special-category data (Article 9 GDPR); the Controller must not upload it.

4. Sub-processors. Microsoft (Azure hosting, AI Foundry), Stripe (billing), Resend (email), Anthropic (AI). Current list available on request; material changes are announced 30 days in advance.

5. Security. TLS 1.2+ in transit; encrypted at rest; row-level security in the database; principle of least privilege for staff access; audit logging on all admin actions.

6. Breach notification. We notify the Controller without undue delay upon becoming aware of a Personal Data breach, with the information required by Article 33(3) GDPR.

7. Data subject rights. We assist the Controller in responding to data subject requests. Erasure of an end user account can be performed self-serve from Settings → Danger zone.

8. International transfers. Data is processed within the EEA (West Europe Azure region). Sub-processor transfers outside the EEA rely on Standard Contractual Clauses where applicable.

9. Termination. Upon termination, Personal Data is returned or deleted at the Controller's choice, subject to a 30-day grace window.