Data Processing Addendum
This Data Processing Addendum ("DPA") supplements your agreement with Auth Flow and governs our processing of personal data on your behalf in compliance with GDPR Article 28 and other applicable data protection laws.
Overview
This DPA applies when Auth Flow processes Customer Data containing personal data of individuals in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, or when otherwise required by applicable data protection laws. It forms part of the Agreement between you ("Customer," "Controller") and Auth Flow ("Processor").
Definitions
Unless defined otherwise below, terms used in this DPA have the meanings given in the GDPR or the UK GDPR, as applicable:
- "Customer Data" means personal data processed by Auth Flow on your behalf through the Service
- "Data Subject" means an identified or identifiable natural person
- "Processing" means any operation performed on personal data
- "Sub-processor" means a third party engaged by Auth Flow to process Customer Data
- "SCCs" means the Standard Contractual Clauses adopted by the EU Commission under Implementing Decision (EU) 2021/914 (Module Two: Controller to Processor)
Scope of Processing
Auth Flow processes Customer Data only:
- On your documented instructions (including those in the Agreement and this DPA)
- To provide and maintain the Service
- As required by applicable law (with prior notice unless prohibited)
Categories of Data
Customer Data may include:
- Identifiers: Email addresses, usernames, user IDs
- Credentials: Password hashes and authentication tokens (plaintext passwords are never stored)
- Session data: Session tokens, IP addresses, device information
- Custom attributes: Any fields you define in your identity schema
Data Subjects
Data Subjects are your end users whose identity data you choose to process through Auth Flow.
Auth Flow's Obligations
As your data processor, Auth Flow will:
- Process Customer Data only per your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Assist with data protection impact assessments where required
- Delete or return Customer Data upon termination, at your choice, and delete remaining copies unless applicable law requires their retention
- Make available information necessary for compliance audits
- Notify you without undue delay of any personal data breach affecting Customer Data
Sub-processors
You authorize Auth Flow to engage the following sub-processors. We will notify you of changes and provide an opportunity to object.
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure hosting | United States (us-west-2, us-east-1) | SCCs + supplementary measures |
| Google Cloud Platform | Database hosting, backup storage | United States / EU (configurable) | SCCs + supplementary measures |
| Cloudflare | CDN, DDoS protection, edge computing | Global (nearest edge) | SCCs |
| Stripe | Payment processing | United States | SCCs |
| Postmark | Transactional email delivery | United States | SCCs |
| Datadog | Infrastructure monitoring, logging | United States | SCCs |
Sub-processor Updates: Subscribe to updates at dpa-updates@auth-flow.com. You will receive 30 days' notice before new sub-processors begin processing Customer Data.
International Data Transfers
When Customer Data is transferred outside the EEA, UK, or Switzerland, we rely on:
Standard Contractual Clauses
We execute the EU Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module Two: Controller to Processor) for transfers to the United States and other countries without an adequacy decision. The SCCs are incorporated by reference into this DPA.
UK International Data Transfer Addendum
For UK transfers, we include the UK ICO's International Data Transfer Addendum to the EU SCCs.
Supplementary Measures
In addition to SCCs, we implement:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Pseudonymization where technically feasible
- Strict access controls and audit logging
- Contractual commitments from sub-processors
- Legal review of government access requests
Data Subject Rights
Auth Flow will assist you in fulfilling data subject requests under GDPR Chapter III:
- Access (Art. 15): Export tools to retrieve end-user data
- Rectification (Art. 16): APIs to update identity attributes
- Erasure (Art. 17): Deletion endpoints and automated purging
- Restriction (Art. 18): Session invalidation and access controls
- Portability (Art. 20): JSON export of identity data
If we receive a request directly from a data subject, we will promptly notify you unless prohibited by law.
Security Measures
Auth Flow implements technical and organizational measures per GDPR Article 32, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Password hashing with Argon2id
- Role-based access control for all systems
- Multi-factor authentication for administrative access
- Regular penetration testing and vulnerability scanning
- 24/7 security monitoring and incident response
- Employee security training and background checks
See our Security page for comprehensive details.
Breach Notification
In the event of a personal data breach affecting Customer Data, Auth Flow will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide details of the breach, affected data, and likely consequences
- Describe measures taken or proposed to address the breach
- Assist you in meeting your notification obligations to supervisory authorities (GDPR Art. 33) and data subjects (GDPR Art. 34); note that your own 72-hour deadline under Art. 33(1) runs from when you become aware of the breach
Audits and Compliance
Auth Flow will:
- Maintain a SOC 2 Type II attestation, renewed through annual audits
- Provide audit reports upon request under NDA
- Allow on-site audits with reasonable notice (costs borne by Customer)
- Respond to written compliance questionnaires
To request audit reports or schedule an audit, contact compliance@auth-flow.com.