Data Processing Agreement - DynoFlows | GDPR Compliance & Data Protection

1. Definitions

"Controller" means the natural or legal person who determines the purposes and means of processing personal data.

"Processor" means DynoFlows, acting on behalf of the Controller to process personal data.

"Personal Data" has the meaning set out in applicable Data Protection Laws.

"Data Protection Laws" means all applicable data protection and privacy laws, including GDPR, CCPA, and other relevant regulations.

"Data Subject" means an identified or identifiable natural person.

2. Scope and Application

This DPA applies when DynoFlows processes personal data on behalf of the Customer in the provision of cybersecurity services, including:

• Email authentication and security monitoring
• DNS security configuration and monitoring
• Threat intelligence analysis and reporting
• Security incident response and investigation
• Performance monitoring and optimization services

3. Roles and Responsibilities

3.1 Customer as Data Controller

The Customer acts as Data Controller and:

• Determines the purposes and means of processing
• Ensures lawful basis for processing exists
• Provides necessary privacy notices to data subjects
• Responds to data subject rights requests
• Conducts Data Protection Impact Assessments where required

3.2 DynoFlows as Data Processor

DynoFlows acts as Data Processor and:

• Processes personal data only on documented instructions
• Implements appropriate technical and organizational measures
• Assists with data subject rights requests
• Notifies Customer of personal data breaches
• Deletes or returns personal data upon termination

4. Processing Instructions

Processing Details

Subject Matter:

Cybersecurity services and threat monitoring

Duration:

For the term of the service agreement

Nature and Purpose:

Email security, DNS protection, threat analysis

Categories of Data:

Email metadata, DNS records, IP addresses, log data

Data Subjects:

Employees, customers, email recipients

Processing Activities:

Collection, analysis, storage, deletion

5. Technical and Organizational Measures

5.1 Security Measures

• Encryption: AES-256 encryption for data at rest and in transit
• Access Controls: Multi-factor authentication and role-based access
• Network Security: Firewalls, intrusion detection, and monitoring
• Data Centers: SOC 2 Type II certified facilities
• Backup and Recovery: Encrypted backups with tested recovery procedures

5.2 Organizational Measures

• Staff training on data protection and security
• Confidentiality agreements for all personnel
• Regular security audits and penetration testing
• Incident response and breach notification procedures
• Data retention and deletion policies

6. Sub-processors

DynoFlows may engage sub-processors to assist in providing services. Current sub-processors include:

Sub-processor	Service	Location
Cloudflare	CDN, security, and performance services	United States, EU
Railway	Backend hosting and infrastructure	United States
Google Cloud Platform	Analytics and monitoring services	United States, EU

We will notify customers of any changes to sub-processors with at least 30 days' notice.

7. International Transfers

When personal data is transferred outside the EEA, we ensure adequate protection through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions for transfers to countries with equivalent protection
• Additional safeguards including encryption and access controls
• Regular assessment of transfer mechanisms and legal developments

8. Data Subject Rights

DynoFlows will assist the Customer in fulfilling data subject rights requests, including:

• Access: Providing copies of personal data being processed
• Rectification: Correcting inaccurate or incomplete data
• Erasure: Deleting personal data when legally required
• Portability: Providing data in a structured, machine-readable format
• Restriction: Limiting processing in certain circumstances
• Objection: Stopping processing based on legitimate interests

Response time: Within 30 days of receiving a valid request from the Customer.

9. Personal Data Breach

In the event of a personal data breach, DynoFlows will:

• Notify the Customer without undue delay and within 72 hours
• Provide all available information about the breach
• Assist in breach assessment and regulatory notification
• Implement measures to address the breach and prevent recurrence
• Cooperate with investigations and remediation efforts

10. Audits and Compliance

DynoFlows will:

• Maintain records of processing activities
• Provide evidence of compliance upon reasonable request
• Allow for audits by the Customer or appointed third parties
• Undergo regular third-party security certifications
• Provide audit reports and compliance documentation

11. Data Retention and Deletion

Personal data will be processed only for the duration necessary to fulfill the purposes outlined in this DPA:

• Service Data: Retained for the duration of the service agreement
• Log Data: Retained for up to 90 days for security purposes
• Backup Data: Automatically deleted within 30 days of primary deletion
• Legal Holds: Data may be retained longer if required by law

Upon termination, all personal data will be deleted or returned within 90 days unless legal retention requirements apply.

12. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitation of liability provisions in the main service agreement. DynoFlows will indemnify the Customer against fines imposed by supervisory authorities due to DynoFlows' non-compliance with this DPA, subject to the Customer's cooperation in defense of such claims.

13. Contact Information

Data Protection Officer: dpo@dynoflows.com

Legal Department: legal@dynoflows.com

Security Team: security@dynoflows.com

Business Address:
DynoFlows Data Protection Team
[Business Address - To be updated]