Data Processing Agreement

Last Updated: October 28, 2025

Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and GatesFlow ("Processor") and applies to the processing of Personal Data by GatesFlow on behalf of Customer in connection with the Services.

This DPA has been prepared to meet the requirements of the General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by GatesFlow under this DPA.

"Processing" has the meaning given in the GDPR and includes any operation performed on Personal Data.

"Data Controller" means Customer, who determines the purposes and means of the processing of Personal Data.

"Data Processor" means GatesFlow, who processes Personal Data on behalf of the Data Controller.

"Data Subject" means the individual to whom Personal Data relates.

"Sub-processor" means any third party appointed by GatesFlow to process Personal Data.

2. Scope and Roles

2.1 Roles

Customer acts as the Data Controller and determines the purposes and means of processing Personal Data. GatesFlow acts as the Data Processor and processes Personal Data only on behalf of and in accordance with Customer's documented instructions.

2.2 Scope of Processing

  • Subject Matter: Provision of the GatesFlow Services
  • Duration: Term of the Services agreement
  • Nature and Purpose: Processing necessary to provide the Services as described in the Terms of Service
  • Types of Personal Data: As specified in Annex A below
  • Categories of Data Subjects: As specified in Annex A below

3. Customer Instructions

GatesFlow shall process Personal Data only in accordance with Customer's documented instructions, which include:

  • Processing necessary to provide the Services as set forth in the Terms of Service
  • Processing initiated by Users in their use of the Services
  • Processing to comply with other documented reasonable instructions provided by Customer that are consistent with the Terms of Service

GatesFlow will inform Customer if, in GatesFlow's opinion, an instruction violates applicable Data Protection Laws.

4. Data Protection Obligations of GatesFlow

4.1 Confidentiality

GatesFlow shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Security Measures

GatesFlow shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Regular testing and evaluation of the effectiveness of security measures
  • Measures to restore availability and access to Personal Data in a timely manner in the event of an incident

Detailed security measures are described on our Security page.

4.3 Sub-processors

Customer provides general authorization for GatesFlow to engage Sub-processors. GatesFlow shall:

  • Maintain a current list of Sub-processors (available on our Compliance page)
  • Provide at least 30 days' notice of any intended changes concerning addition or replacement of Sub-processors
  • Ensure Sub-processors are bound by data protection obligations equivalent to those in this DPA
  • Remain fully liable for the acts and omissions of Sub-processors

4.4 Assistance with Data Subject Rights

GatesFlow shall, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

4.5 Assistance with Compliance

GatesFlow shall assist Customer in ensuring compliance with obligations regarding:

  • Security of processing
  • Data breach notifications
  • Data protection impact assessments
  • Prior consultation with supervisory authorities

5. Personal Data Breach Notification

GatesFlow shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data.

The notification shall include, to the extent possible:

  • Description of the nature of the Personal Data Breach
  • Categories and approximate number of Data Subjects concerned
  • Categories and approximate number of Personal Data records concerned
  • Likely consequences of the Personal Data Breach
  • Measures taken or proposed to address the breach and mitigate its effects

6. Deletion or Return of Personal Data

Upon termination of the Services, GatesFlow shall:

  • Provide Customer with 30 days to export Personal Data
  • Delete or return all Personal Data to Customer at Customer's choice
  • Delete existing copies unless storage is required by applicable law

Backup copies will be securely deleted within 90 days of termination.

7. Audit Rights

GatesFlow shall make available to Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

Customer may conduct audits by:

  • Reviewing GatesFlow's SOC 2 reports (when available)
  • Reviewing security documentation and certifications
  • Submitting written questions regarding compliance
  • Conducting on-site audits (with reasonable notice and at Customer's expense) for Enterprise customers

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), UK, and Switzerland. GatesFlow ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission where applicable
  • Supplementary measures to ensure adequate protection

The Standard Contractual Clauses are incorporated by reference and available upon request.

9. Liability and Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

GatesFlow's total liability for all claims under this DPA shall not exceed the amount paid by Customer in the 12 months prior to the event giving rise to liability.

10. Term and Termination

This DPA shall commence on the effective date of the Terms of Service and continue until termination of the Services agreement.

Upon termination, the provisions regarding deletion or return of Personal Data and confidentiality shall survive.

Annex A: Details of Processing

Categories of Data Subjects

  • Customer's employees, contractors, and authorized users
  • Customer's customers and business contacts (if stored by Customer in the Services)
  • Other individuals about whom Personal Data is submitted to the Services by Customer

Types of Personal Data

  • Contact information (name, email address, phone number)
  • Account credentials (username, password hashes)
  • Organization information (company name, role, department)
  • Usage data (IP addresses, device information, session data)
  • Content data (files, documents, and other content uploaded to the Services)
  • Communication data (support inquiries, feedback)
  • Payment information (processed by Stripe, not stored by GatesFlow)

Special Categories of Personal Data

GatesFlow does not require or request special categories of Personal Data (sensitive personal data). Customer should not upload special categories of Personal Data to the Services unless explicitly agreed in writing.

Processing Operations

  • Storage and hosting of Customer Data
  • Processing to provide the Services' functionality
  • Retrieval and display of Customer Data upon Customer's request
  • Processing to provide customer support
  • Processing for security and fraud prevention
  • Processing to improve and develop the Services (aggregated, de-identified data only)

11. Acceptance

By using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement.

For Enterprise customers requiring an executed version of this DPA with signatures, please contact: legal@gatesflow.com

Need a PDF or Executed Copy?

Enterprise customers can request a PDF version or fully executed copy of this DPA.

Email: legal@gatesflow.com
Subject: "DPA Request"