Plain English summary: When you use GetFlowSuite, you share employee data with us (names, email addresses, work hours). This agreement sets out exactly how we handle that data, what we promise to do with it, and what rights you have. It is legally required under GDPR Article 28.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: The organisation or individual subscribing to GetFlowSuite ("Client" or "Controller"), identified by the company name and email address provided at registration.
- Data Processor: Łukasz Biniecki, trading as GetFlowSuite, registered in Poland as a sole proprietorship (JDG, PKD 62.01.Z), with registered address at Unruga 65a, 30-394 Kraków, Poland. Email: contact@getflowsuite.com ("GetFlowSuite" or "Processor").
This DPA forms part of and is incorporated into the GetFlowSuite Terms of Service. By using GetFlowSuite, the Client agrees to the terms of this DPA.
2. Definitions
Terms used in this DPA have the meaning given to them in EU Regulation 2016/679 ("GDPR"). In addition:
- "Services" means the GetFlowSuite suite of tools: OfficeFlow, ResourceFlow, TimeFlow, and CostFlow.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by GetFlowSuite on behalf of the Client.
- "Processing" means any operation performed on Personal Data, including storage, retrieval, and transmission.
- "Sub-processor" means any third party engaged by GetFlowSuite to process Personal Data on the Client's behalf.
3. Subject Matter and Nature of Processing
GetFlowSuite processes Personal Data on behalf of the Client solely to provide the Services. The processing is necessary for the performance of the contract between the parties.
3.1 Categories of data subjects
- Employees and contractors of the Client
- Authorised administrators designated by the Client
3.2 Categories of personal data processed
| Data Type | Purpose | Tool |
|---|---|---|
| Full name | Employee identification and display | All tools |
| Email address | Authentication, notifications, account setup | All tools |
| Work hours logged | Timesheet management and reporting | TimeFlow |
| Project allocations | Capacity planning | ResourceFlow |
| Desk/resource bookings | Office resource management | OfficeFlow |
| Labour cost data | Project financial management | CostFlow |
| Hourly rates | Cost calculation for approved timesheets | CostFlow / TimeFlow |
3.3 Duration of processing
GetFlowSuite processes Personal Data for the duration of the Client's active subscription. Upon termination, data is retained for 30 days to allow export, then deleted. See Section 9.
4. Obligations of GetFlowSuite (Processor)
GetFlowSuite shall:
- Process Personal Data only on documented instructions from the Controller (i.e. the use of the Services) and not for any other purpose.
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under a statutory obligation of confidentiality.
- Implement appropriate technical and organisational security measures as described in Section 6.
- Assist the Controller, taking into account the nature of the processing, in responding to requests from data subjects exercising their GDPR rights.
- Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, impact assessments).
- At the Controller's choice, delete or return all Personal Data after the end of the provision of Services, unless applicable law requires storage.
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or a mandated auditor.
- Notify the Controller without undue delay if GetFlowSuite believes a processing instruction infringes applicable data protection law.
5. Obligations of the Client (Controller)
The Client shall:
- Ensure there is a lawful basis for processing the Personal Data provided to GetFlowSuite (e.g. employment contract, legitimate interest).
- Inform employees that their data is being processed using GetFlowSuite.
- Only provide Personal Data that is necessary for the Services.
- Ensure that employee access is removed promptly when an employee leaves the organisation.
6. Security Measures
GetFlowSuite implements the following technical and organisational measures:
- Authentication: Firebase Authentication with email/password. Passwords are hashed by Firebase; GetFlowSuite never has access to plaintext passwords.
- Encryption in transit: All data in transit is encrypted with HTTPS (TLS). Enforced by Netlify (frontend) and Google Cloud (backend).
- Encryption at rest: All application data is stored in Google Cloud Firestore, which encrypts data at rest by default using AES-256.
- Access control: Each user's workspace ID is carried as a claim in their authenticated Firebase ID token (JWT), and every read and write is checked against that claim, so a user can only reach the data of their own workspace. No cross-workspace data access is possible.
- Admin access: Only the Processor (Łukasz Biniecki) has access to the Firebase console. Access is protected by 2-factor authentication.
- Data location: All application data is stored in Google Cloud region europe-west1 (Belgium), within the EU/EEA. The limited data handled outside the EEA by sub-processors (request logs, email delivery, billing) is listed in Section 7.
- Audit logging: Firebase and Google Cloud provide audit logs for data access events.
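As an added illustration of the isolation model described above (this is not GetFlowSuite's own code, which is not published on this page), the following Firestore security rules show how a workspace claim in the ID token can be enforced on every read and write. The collection layout `workspaces/{workspaceId}/...` and the claim name `workspaceId` are assumptions; the `request.auth.token` object and the `is string` check are standard Firestore rules features.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed custom claim set server-side with the Firebase Admin SDK
    // (setCustomUserClaims). Checking the type guards against a missing
    // or malformed claim being compared as null/undefined.
    function inWorkspace(workspaceId) {
      return request.auth != null
        && request.auth.token.workspaceId is string
        && request.auth.token.workspaceId == workspaceId;
    }

    // Assumed layout: all workspace data lives under its workspace document.
    match /workspaces/{workspaceId}/{document=**} {
      allow read, write: if inWorkspace(workspaceId);
    }

    // Everything not explicitly matched above is denied.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

One caveat a practitioner should keep in mind alongside Section 5: custom claims are embedded in the ID token when it is minted, and an ID token stays valid until it expires (up to one hour) while the client holds a refresh token. Removing an employee from a workspace therefore also requires revoking their refresh tokens on the server (Admin SDK `revokeRefreshTokens`) and, for any backend check, verifying tokens with `checkRevoked` enabled, so that a departed employee cannot keep using a still-valid token.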
7. Sub-processors
The Controller provides general authorisation for GetFlowSuite to engage the following sub-processors. GetFlowSuite will notify the Controller of any intended changes to this list with at least 14 days' notice, giving the Controller the opportunity to object.
| Sub-processor | Role | Data processed | Location |
|---|---|---|---|
| Google Firebase / Firestore (Google LLC) | Database, authentication, cloud functions | All personal data | EU (europe-west1, Belgium) |
| Netlify (Netlify, Inc.) | Frontend hosting and CDN | IP addresses (request logs only) | Global CDN / US |
| Twilio SendGrid (Twilio Inc.) | Transactional email delivery | Email addresses, name (first name only) | US (SCCs in place) |
| Stripe (Stripe, Inc.) | Payment processing | Billing email, subscription status | US / EU (SCCs in place) |

All sub-processors that process data outside the EEA (SendGrid, Stripe, Netlify) do so under Standard Contractual Clauses (SCCs) approved by the European Commission, which provide the appropriate safeguards required by GDPR Article 46 for international transfers.
8. Data Subject Rights
Employees have the following rights under GDPR that the Controller is responsible for fulfilling:
- Right of access — employees may request a copy of their personal data held in GetFlowSuite
- Right to rectification — incorrect data can be corrected by the workspace admin
- Right to erasure — employees can be removed from the workspace by the admin, which deletes their data subject to the retention policy in Section 9
- Right to data portability — timesheet and allocation data can be exported as CSV by workspace admins
- Right to object — the Controller should contact GetFlowSuite at contact@getflowsuite.com for assistance
GetFlowSuite will assist the Controller in responding to data subject requests within the timeframe required by GDPR Article 12 (one month from receipt of the request).
9. Data Retention and Deletion
- Personal data is retained for the duration of the active subscription.
- Upon cancellation or expiry, data is accessible for 30 days to allow data export.
- After 30 days, all workspace data including personal data is permanently deleted from Firestore.
- Backups managed by Google Cloud are purged within Google's standard 7-day backup retention cycle, so deleted data may persist in backups for up to 7 days after deletion from Firestore.
- The Controller may request immediate deletion by emailing contact@getflowsuite.com.
10. Personal Data Breach Notification
In the event of a personal data breach, GetFlowSuite shall:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information (nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken) to allow them to meet their own breach notification obligations to supervisory authorities and data subjects under GDPR Articles 33 and 34.
- Take immediate steps to contain and remediate the breach.
Breach notifications should be sent to the Controller's registered email address. The Controller should report suspected breaches to contact@getflowsuite.com.
11. Audit Rights
The Controller has the right to audit GetFlowSuite's compliance with this DPA. In practice, this means:
- GetFlowSuite will respond to reasonable written information requests within 14 business days.
- On-site audits may be requested with 30 days' written notice, at the Controller's cost, no more than once per year.
- GetFlowSuite may satisfy audit requests by providing third-party certifications or audit reports where available (e.g. Google Cloud SOC 2 reports).
12. Governing Law
This DPA is governed by the laws of Poland. Any disputes shall be subject to the jurisdiction of the courts of Kraków, Poland, without prejudice to the Controller's right to lodge a complaint with its supervisory authority (e.g. UODO in Poland, the ICO in the UK, or the supervisory authority of the Controller's own country).
13. Changes to this DPA
GetFlowSuite may update this DPA from time to time. Material changes will be notified to the Controller by email at least 30 days before they take effect. Continued use of the Services after that date constitutes acceptance of the updated DPA. The Controller may terminate the Services if they do not accept the updated terms.
14. Contact
For all data protection enquiries, requests, or to exercise rights under this DPA:
GetFlowSuite — Data Protection
Łukasz Biniecki
Unruga 65a, 30-394 Kraków, Poland
Email: contact@getflowsuite.com
Response time: within 5 business days