Legal · DPA
Data Processing Agreement
Effective date: 2026-05-20
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement, Terms of Service, or other written agreement between eMarinersApp ("Flowgento", "we", "us") and the customer ("Customer", "you"), and applies whenever Flowgento processes personal data on behalf of the Customer.
1. Definitions
- Applicable Law means the Digital Personal Data Protection Act, 2023 (DPDP, India), GDPR (EU 2016/679) where applicable, and any other data-protection laws applicable to the Customer's use of the Services.
- Personal Data means any information processed by Flowgento on the Customer's behalf that identifies or could identify a natural person.
- Controller, Processor, Data Subject, Processing, and Sub-processor have the meanings given in Applicable Law.
- Services means the Flowgento WhatsApp CRM platform and related services.
2. Roles and Scope
The Customer is the Controller. Flowgento is the Processor and processes Personal Data only on documented instructions from the Customer, as described in this DPA and the underlying agreement.
This DPA covers all Personal Data processed by Flowgento on the Customer's behalf for the duration of the Customer's use of the Services.
3. Categories of Data Subjects
- End customers of the Customer who message the Customer on WhatsApp
- The Customer's team members who use the Services (agents, admins, owner)
- Contacts the Customer imports or syncs into Flowgento
4. Types of Personal Data
- Identifiers: name, phone number, WhatsApp display name, profile picture (if shared)
- Contact details: email address (where provided)
- Message content: text, images, audio, video, documents, locations, and contacts exchanged through WhatsApp
- Account / usage data: agent IDs, tag assignments, audit log entries, login timestamps, IP addresses
Customers must not knowingly send Flowgento any "sensitive personal data" categories (e.g. financial account numbers, biometric data, health records) unless processing such data through a WhatsApp channel is lawful in the Customer's jurisdiction and an additional agreement is in place.
5. Purposes of Processing
- Delivering the Services as described in the Customer agreement
- Routing inbound WhatsApp messages to the correct workspace and agents
- Persisting message history and contact records for the Customer's access
- Operating broadcasts, templates, and tags configured by the Customer
- Generating usage analytics and audit logs for the Customer's own use
- Operating, maintaining, and securing the platform (logging, monitoring, backups)
6. Sub-processors
The Customer authorises Flowgento to engage the following sub-processors:
| Sub-processor | Purpose | Region |
|---|---|---|
| Meta Platforms, Inc. (WhatsApp Business Cloud API) | Message ingress / egress with WhatsApp | Global (per Meta) |
| Cloudflare R2 | Object storage for uploaded media | Region-pinned per tenant |
| iDrive e2 | Object storage (multi-cloud failover / overflow) | Region-pinned per tenant |
| Razorpay | Payment processing (subscriptions) | India |
| Hosting / cloud infrastructure providers | Compute and database hosting | India / EU (see hosting addendum) |
Flowgento will give the Customer at least 30 days' notice before adding or replacing a sub-processor that materially affects how Personal Data is processed. The Customer may object on reasonable data-protection grounds; if the parties cannot agree on a mitigation, the Customer may terminate the affected portion of the Services without penalty.
7. Security Measures
- Encryption in transit using TLS 1.2+ on all customer-facing endpoints.
- Encryption at rest using provider-managed disk encryption; sensitive secrets (e.g. WhatsApp access tokens) are additionally encrypted at the application layer using AES-256-GCM.
- Access control: role-based access (OWNER / ADMIN / AGENT) inside each Customer workspace; strict separation between tenants enforced at the database query layer.
- Audit logging: administrative and high-impact actions recorded with actor, target, and timestamp; logs retained for at least 12 months.
- Backups performed daily, encrypted before storage, and retained according to the published retention schedule.
- Personnel: personnel with production access are background-checked and bound by written confidentiality agreements.
8. Data Subject Rights
Flowgento will, to the extent reasonably practicable, provide the Customer with tools and assistance to respond to data subject requests, including:
- Access and export of Personal Data through in-product export tooling
- Correction or deletion of Personal Data through the Customer's workspace
- Restriction of processing on documented request
If a data subject contacts Flowgento directly, we will redirect them to the relevant Customer.
9. Personal Data Breach Notification
Flowgento will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's Personal Data. Notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
10. International Data Transfers
Where Personal Data is transferred outside its country of origin, Flowgento relies on the Customer's lawful basis for that transfer. EU/UK transfers use the Standard Contractual Clauses or other valid transfer mechanism as updated by the European Commission. We will sign supplementary transfer documents on reasonable request from the Customer.
11. Audit Rights
The Customer may, no more than once per twelve-month period and at the Customer's cost, request a reasonable audit of Flowgento's compliance with this DPA. Audits must be conducted during business hours, subject to a confidentiality agreement, and must not unreasonably interfere with Flowgento's operations. Flowgento may satisfy this obligation by providing recent third-party attestations where applicable.
12. Return or Deletion on Termination
On termination, Flowgento will, at the Customer's choice, return or delete all Personal Data within 30 days, except where retention is required by applicable law (e.g. invoicing and tax records).
13. Liability and Conflicts
The liability provisions of the underlying agreement apply to this DPA. In case of conflict between this DPA and the underlying agreement on data protection matters, this DPA prevails.
14. Changes to this DPA
We will give at least 30 days' written notice (typically by email) of material changes to this DPA. Continued use of the Services after the notice period constitutes acceptance.
15. Contact
For DPA-specific questions, written instructions, or signed-DPA requests: privacy@flowgento.com.