1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between We6 Oy, operating as Flowdock AI ("Processor," "we," "us"), and the customer ("Controller," "you") for the provision of our AI back-office automation services.
This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Flowdock AI on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Flowdock AI to process Personal Data on behalf of the Controller.
- "Services" means the Flowdock AI platform and related services provided to the Controller.
3. Scope and Roles
3.1 Controller and Processor
For the purposes of this DPA, you are the Controller of the Personal Data you upload to or process through Flowdock AI. We act as your Processor, processing Personal Data only on your behalf and according to your instructions.
3.2 Subject Matter of Processing
The subject matter of processing is the provision of the Flowdock AI platform, which enables you to manage business documents, track expenses, manage subscriptions, and automate back-office operations.
3.3 Duration
Processing will continue for the duration of your use of the Services, unless terminated earlier in accordance with the Terms and Conditions.
4. Types of Personal Data
The categories of Personal Data processed may include, depending on what you upload or connect:
- Contact information (names, email addresses, phone numbers)
- Employment information (in employment contracts)
- Financial information (bank transactions, invoice details)
- Business correspondence (emails related to business transactions)
- Any other personal data contained in documents you upload
5. Categories of Data Subjects
Data Subjects may include:
- Your employees and contractors
- Your customers and clients
- Your vendors and suppliers
- Other individuals whose data appears in your business documents
6. Processor Obligations
As your Processor, we shall:
- Process Personal Data only on your documented instructions, unless required by applicable law
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Assist you in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return all Personal Data upon termination, at your choice
- Make available information necessary to demonstrate compliance with this DPA
- Notify you without undue delay upon becoming aware of a Personal Data breach
7. Controller Obligations
As Controller, you shall:
- Ensure you have a valid legal basis for processing Personal Data through the Services
- Provide clear instructions regarding the processing of Personal Data
- Ensure Data Subjects are informed about the processing of their data
- Be responsible for the accuracy and lawfulness of Personal Data uploaded to the Services
8. Sub-processors
8.1 Authorization
You provide general authorization for us to engage Sub-processors to process Personal Data on your behalf. We will inform you of any intended changes concerning the addition or replacement of Sub-processors, giving you the opportunity to object.
8.2 Current Sub-processors
We currently use the following Sub-processors:
- Cloud Infrastructure: For hosting and data storage (EU region)
- Auth0: For secure user authentication
- Enable Banking: For bank account integrations (if you connect your bank)
- Stripe: For payment processing (if you subscribe to a paid plan) and revenue analytics (if you connect your Stripe account)
- Email service providers: For transactional emails
8.3 Sub-processor Obligations
We ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
9. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- Measures to ensure ongoing confidentiality, integrity, and availability of systems
- Regular testing and evaluation of security measures
- Access controls limiting personnel access to Personal Data
- Incident response and breach notification procedures
10. Data Subject Rights
We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
If we receive a request directly from a Data Subject, we will promptly notify you unless prohibited by law.
11. Data Breach Notification
We will notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting your data. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
12. International Transfers
We primarily process Personal Data within the European Economic Area (EEA). If Personal Data is transferred outside the EEA, we ensure that a lawful transfer mechanism is in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Transfers to countries with an adequacy decision
- Other legally recognized transfer mechanisms
13. Audit Rights
Upon reasonable notice and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or an independent auditor.
You may request evidence of our compliance with security measures and data protection obligations, such as security certifications or audit reports.
14. Data Deletion
Upon termination of the Services, or upon your request, we will delete all Personal Data within 30 days of the termination or request, unless:
- You request return of the data instead of deletion
- Applicable law requires retention of the data
You can delete your organization and all associated data at any time through the application settings.
15. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms and Conditions, except where GDPR prohibits such limitations.
16. Governing Law
This DPA is governed by the laws of Finland. Any disputes shall be resolved in accordance with the dispute resolution provisions in our Terms and Conditions.
17. Contact
For questions about this DPA or to exercise your rights, please contact us at:
We6 Oy
Business ID: 3372389-7
Finland
Contact: flowdock.ai/contact