ClientsFlow.io — Data Processing Addendum (DPA)

Effective Date: September 9, 2025
Last Updated: September 9, 2025

This Data Processing Addendum (the “DPA”) forms part of and is incorporated into the agreement between Yuriy Rybak, d/b/a “ClientsFlow.io” ("Processor", "we", "us") and the customer that has agreed to the ClientsFlow.io Terms of Service (the "Customer" or "Controller") (together, the “Agreement”). Capitalized terms not defined in this DPA have the meanings in the Agreement.

Processor details:
Yuriy Rybak, d/b/a “ClientsFlow.io”
129-314 Viscount Drive, Red Deer, AB, Canada, T4R0S4
[email protected]

Controller details: the entity identified in Customer’s ClientsFlow.io account and order documents.

If and to the extent Processor Processes Personal Data on behalf of Customer under the Agreement, the parties agree as follows:


1. Definitions

  • “Applicable Data Protection Law” means laws and regulations relating to data protection, privacy, and the Processing of Personal Data, including where applicable: EU GDPR, UK GDPR, Swiss FADP, Canada’s PIPEDA and substantially similar provincial laws, U.S. state privacy laws (e.g., CCPA/CPRA), CASL, CAN‑SPAM, TCPA, and sectoral telephony/messaging rules (including A2P 10DLC requirements).

  • “Customer Content” has the meaning in the Agreement and includes Personal Data Customer submits to the Service.

  • “EU GDPR” means Regulation (EU) 2016/679.

  • “Personal Data,” “Data Subject,” “Controller,” “Processor,” “Processing,” and “Supervisory Authority” have the meanings set out in Applicable Data Protection Law.

  • “Sub‑processor” means any subprocessor engaged by Processor that Processes Personal Data on behalf of Customer.

  • “UK GDPR” has the meaning given in section 3(10) of the UK Data Protection Act 2018.


2. Roles; Scope; Instructions

2.1 Roles. For Customer Content, Customer is the Controller (or Processor acting on behalf of a controller), and ClientsFlow.io is the Processor (or Sub‑processor, as applicable).
2.2 Scope. Processor will Process Personal Data solely to provide, maintain, secure, and support the Service and as otherwise documented in Customer’s lawful instructions under the Agreement and this DPA.
2.3 Instructions. Customer instructs Processor to Process Personal Data for the purposes described in Annex I (Details of Processing), to operate and administer the Service, to comply with law, and to transfer Personal Data to Sub‑processors as set out in Annex III. Customer’s configuration and use of the Service and any documented instructions submitted via the Service or support channels constitute additional instructions.


3. Compliance; Confidentiality

3.1 Compliance. Each party will comply with Applicable Data Protection Law. Customer is responsible for the lawfulness of Personal Data provided to Processor, providing required notices, obtaining and recording consents, and for the accuracy and quality of Personal Data.
3.2 Confidentiality. Processor ensures that persons authorized to Process Personal Data are subject to an appropriate duty of confidentiality and receive privacy/security training.


4. Security

4.1 Measures. Processor implements and maintains appropriate technical and organizational measures designed to protect Personal Data as described in Annex II (TOMs), taking into account the nature, scope, context, and purposes of Processing and the risks to Data Subjects.
4.2 Customer Responsibilities. Customer is responsible for securing its account(s), credentials, endpoints, and for proper configuration and use of the Service (including role‑based access controls, recording features, consent capture, opt‑out management, and IP/domain settings).
4.3 Personal Data Breach. Upon becoming aware of a Personal Data Breach involving Customer Personal Data, Processor will notify Customer without undue delay (and, where feasible, within 72 hours) and provide information reasonably available to assist Customer in meeting its incident obligations. Notification is not an admission of fault and may be provided via email, in‑app, and/or support portal.


5. Sub‑Processors

5.1 Authorization. Customer authorizes Processor to engage Sub‑processors listed at https://clientsflow.io/subprocessors, and any others reasonably necessary to provide the Service.
5.2 Obligations. Processor will enter into written agreements with Sub‑processors imposing data protection obligations no less protective than those in this DPA, including with respect to security and cross‑border transfers.
5.3 Changes. Processor will provide notice of changes to Sub‑processors by updating the list at the URL above and/or email notice. Customer may object on reasonable grounds within 14 days of notice. If the parties cannot resolve the objection in good faith, Customer may terminate the affected Service (or the Agreement if no partial termination is feasible) and receive a pro‑rated refund for prepaid, unused fees for the terminated portion.


6. Assistance; DPIAs; Audits

6.1 Data Subject Requests. Taking into account the nature of Processing, Processor will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests under Applicable Data Protection Law.
6.2 DPIAs & Consultations. Processor will provide information reasonably necessary for Customer to conduct data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by law and related to Processor’s Processing of Personal Data.
6.3 Audits. Upon written request no more than once per 12 months (or more frequently following a Personal Data Breach), Processor will provide a summary of relevant audit reports or other information to demonstrate compliance with this DPA. If such materials are insufficient, Customer may conduct an on‑site audit of Processor’s applicable facilities under reasonable confidentiality, timing, and scope restrictions, upon 30 days’ prior written notice and at Customer’s expense. Audits must not unreasonably interfere with operations or compromise the security/privacy of other customers.


7. International Transfers

7.1 General. Processor may transfer and Process Personal Data in Canada, the United States, and other countries where Processor or its Sub‑processors operate. Processor will ensure that such transfers comply with Applicable Data Protection Law.
7.2 EU/EEA/UK/CH Transfers. For transfers from the EEA, Switzerland, and the UK to countries not deemed to provide an adequate level of protection, the parties agree that the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) are incorporated by reference as follows:

  • Module 2 (Controller→Processor) applies where Customer is a Controller and Processor is a Processor; Module 3 (Processor→Processor) applies for onward transfers to Sub‑processors.

  • Clause 7 (Docking): applies.

  • Clause 9(a) (General Authorization): 30 days’ advance notice of new/changed Sub‑processors via the online list.

  • Clause 11 (Redress): does not apply.

  • Clause 17 (Governing Law): Ireland.

  • Clause 18 (Forum): Ireland.

  • Annex I/II/III: completed by Annex I–III to this DPA.

In the UK, the parties adopt the UK IDTA Addendum to the EU SCCs (ICO version B.1.0) with the selections in Schedule UK‑A below. For Switzerland, the SCCs are modified to reference the Swiss FADP with the selections in Schedule CH‑A below.


8. Data Return and Deletion

Upon termination or expiry of the Agreement, Processor will (a) provide Customer with export tools to retrieve Customer Content for 30 days, and (b) delete Customer Personal Data from active systems after that period, unless law requires retention. Backups may be retained for limited periods and will be securely deleted in the ordinary course.


9. CCPA/CPRA (U.S.) Service Provider Terms

Where the CCPA/CPRA applies, Processor acts as a Service Provider/Contractor and will: (a) Process Personal Information solely to provide the Service and as permitted by law; (b) not sell or share Personal Information; (c) not combine Personal Information with other data for cross‑context behavioral advertising; (d) comply with applicable obligations regarding subcontracting; (e) notify Customer of any legally binding requests for disclosure; and (f) enable Customer to meet consumer requests as described in Section 6.


10. Liability; Order of Precedence

The parties’ liability under this DPA is subject to the limitations and exclusions set out in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data.


11. Telephony, Messaging, and Email Compliance

Customer is responsible for obtaining any required consents and for sending legally compliant communications under CASL, CAN‑SPAM, TCPA, and A2P 10DLC rules. Processor and its telephony/email Sub‑processors may Process metadata, campaign content, deliverability, and compliance signals to prevent fraud, spam, and abuse and to comply with carrier and regulatory obligations.


12. Changes to this DPA

Processor may update this DPA from time to time to reflect changes in the Service, Applicable Data Protection Law, or Sub‑processors. Material changes will be notified via email or in‑app prior to the effective date. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.


Annex I — Details of Processing

A. Parties
Data Exporter (Customer/Controller): The entity identified in the Customer’s ClientsFlow.io account and order documents.
Data Importer (Processor): Yuriy Rybak, d/b/a “ClientsFlow.io”, 129-314 Viscount Drive, Red Deer, AB, Canada, T4R0S4.

B. Description of Transfer / Processing
Subject matter: Provision of the ClientsFlow.io SaaS platform and related services.
Duration: For the term of the Agreement and the 30‑day export period thereafter.
Nature and purpose: Hosting, storage, transmission, routing of communications (voice/SMS/email), CRM functionality, analytics, customer support, security, and product improvement.
Frequency: Continuous and as initiated by Customer.
Categories of Data Subjects: Customer’s end users; Customer’s leads/contacts; Customer’s prospects and clients; representatives of Customer’s vendors/partners.
Categories of Personal Data: identification data (name, email, phone), contact lists, lead records, message and call metadata, message/call content and recordings if enabled, account credentials (hashed), billing details (tokenized by Stripe), device and usage data (IP, user agent, event logs), preferences and consent records.
Special Categories: Not intended, but may be incidentally Processed if submitted by Customer. Customer is responsible for establishing a lawful basis and any required safeguards before submitting special category data.
Onward transfers: To Sub‑processors listed at https://clientsflow.io/subprocessors for the same purposes.
Subject access: As described in the DPA and Agreement.

C. Competent Supervisory Authority
For EU transfers, the competent authority is determined in accordance with Clause 13 of the SCCs (generally the Irish DPC where Clause 17 selects Irish law).


Annex II — Technical and Organizational Measures (TOMs)

Processor maintains a security program that includes the following controls:

  1. Organization of Information Security — documented security policies, roles and responsibilities, background checks where permitted by law, and employee confidentiality agreements.

  2. Access Control — role‑based access; least privilege; SSO/MFA for administrative access; password hashing; session management; automatic timeouts; regular access reviews.

  3. Physical & Environmental Security — use of reputable data centers with access controls, CCTV, and environmental protections (through hosting providers).

  4. Encryption — encryption in transit (TLS 1.2+) and encryption at rest where supported by hosting providers and applicable components.

  5. Network Security — firewalls, segmentation, DDoS protection (via providers), secure configuration baselines, and change management.

  6. Logging & Monitoring — centralized logging, audit trails for administrative actions, anomaly detection, and alerting.

  7. Vulnerability & Patch Management — regular vulnerability scanning, remediation processes, third‑party dependency management, and patching cadence.

  8. Secure Development — code reviews, static/dynamic analysis where appropriate, secret management, and least‑privilege service accounts.

  9. Incident Response — documented IR plan, defined severity levels, notification procedures (including Customer notification per Section 4.3), and post‑incident reviews.

  10. Backup & Recovery — routine backups, integrity checks, and restoration testing at reasonable intervals.

  11. Data Minimization & Retention — retention schedules aligned to business need and legal obligations; deletion of Customer data from active systems after the 30‑day export period.

  12. Vendor & Sub‑processor Management — security and privacy due diligence, contractual safeguards, and ongoing monitoring.

  13. Training & Awareness — security and privacy training for relevant personnel at onboarding and periodically thereafter.

  14. Privacy by Design & Default — features to facilitate consent capture, suppression lists, and per‑user permissions; defaults that avoid unnecessary data exposure.

  15. Testing — periodic penetration testing and remediation of identified high/critical issues.


Annex III — Sub‑Processors

Processor’s current Sub‑processors are listed at https://clientsflow.io/subprocessors, which includes at minimum:

  • Stripe, Inc. — payment processing

  • LeadConnector / LC Phone (via Twilio) — telephony/SMS/MMS routing and compliance

  • Mailgun Technologies, Inc. — email delivery and verification

  • HighLevel, LLC (GoHighLevel) and its cloud providers — hosting/application operations


Schedule UK‑A — UK Addendum (ICO) Selections

  • Addendum: International Data Transfer Addendum to the EU SCCs, version B.1.0.

  • Table 1 (Parties): Exporter: Customer; Importer: Yuriy Rybak, d/b/a “ClientsFlow.io”. Details per Annex I.

  • Table 2 (Selected SCCs): EU SCCs, Modules 2 and/or 3 as applicable.

  • Table 3 (Appendix Information): As set out in Annex I–III of this DPA.

  • Table 4 (Ending the UK Addendum): Neither party may end the Addendum unilaterally except as permitted by the Addendum.

  • Governing law/Jurisdiction: England and Wales solely for the UK Addendum.


Schedule CH‑A — Swiss Addendum Selections

For data transfers subject to the Swiss FADP: references to “EU GDPR” shall be read as “Swiss FADP”, “Member State” includes Switzerland, “Supervisory Authority” includes the Swiss FDPIC, and references to “personal data” and “special categories of personal data” have the meanings under Swiss law. Clauses 17 and 18 are interpreted to refer to Switzerland.


Signatures

This DPA is deemed agreed and effective upon Customer’s acceptance of the Agreement or continued use of the Service on/after the Effective Date. If a wet or electronic signature is required, the parties agree that electronic acceptance or click‑through constitutes execution.

ClientsFlow.io © All Rights Reserved.