Last updated: May 2026
Data Processing Addendum
AiFlo offers a standard Data Processing Addendum (DPA) aligned with Article 28 of the EU General Data Protection Regulation. Customers on Growth and higher tiers can request a counter-signed DPA at any time as part of their procurement or vendor-onboarding process.
What's covered
- Subject matter - the processing of personal data carried out by AiFlo on behalf of the Customer to deliver the Service.
- Duration - for the term of the Subscription, plus the orderly handover and deletion period.
- Nature and purpose - automation of CRM, messaging, email, HR, and finance workflows using AI agents.
- Types of personal data - names, contact details, employment data, communications metadata, and any data the Customer routes through the Service.
- Categories of data subjects - Customer's employees, customers, prospects, candidates, and other contacts.
- Sub-processors - the current sub-processor list, with contractual flow-down of GDPR Article 28 obligations.
- Technical and organisational measures - encryption, access control, monitoring, vulnerability management, and incident response.
- Sub-processor change notification - at least 30 days' advance notice with a right to object for material changes.
How to get a signed DPA
Procurement or legal teams can request the AiFlo DPA pack in two ways:
Or email us directly at europe@aiflo.app with your company name, billing entity, and the AiFlo plan you are on.
Sub-processor list
AiFlo uses the following sub-processors to deliver the Service. All are bound by data processing terms aligned with GDPR Article 28 and use Standard Contractual Clauses where applicable.
- Microsoft Azure - hosting, storage, compute. Regions: EU (primary) and US.
- Vercel - marketing site and serverless deployment. Region: US (migration to Cloudflare in progress).
- HubSpot - CRM and lifecycle email. Region: US. Used only with Customer opt-in.
- Cal.com - meeting and demo scheduling. Region: US. Used only with Customer opt-in.
