01 Introduction
This Data Processing Addendum ("DPA") forms part of the agreement between NextFlow CRM Ltd. ("Processor") and you ("Controller") for use of the NextFlow Service. It applies whenever we process personal data on your behalf in connection with our products.
This DPA is incorporated by reference into our Terms of Service. It is designed to comply with UK GDPR and EU GDPR.
02 Roles of the parties
For the personal data you upload to NextFlow about your leads, customers, and contacts: you are the Controller and we are the Processor. You determine the purposes and means of processing; we process it only on your documented instructions.
03 Processing instructions
We process personal data only to the extent necessary to:
- Provide the Service to you in line with our Terms
- Comply with your reasonable written instructions
- Comply with applicable law (in which case we notify you unless prohibited)
04 Security measures
We maintain appropriate technical and organisational measures to protect personal data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access controls with role-based permissions and MFA
- Daily backups, 35-day retention
- Annual penetration testing by an independent third party
- Employee security training and background checks
Further detail is available on request - email info@nextflowcrm.com.
05 Sub-processors
You authorise us to engage sub-processors to help deliver the Service. The current sub-processor list is available on request at info@nextflowcrm.com. We give you at least 14 days' notice of new sub-processors and you may object on reasonable grounds.
06 Assistance with data subject rights
NextFlow provides self-service tools to help you respond to data subject requests - data export, data deletion, and rectification - from inside the app. Where a request requires our involvement we assist promptly and at no extra cost.
07 Personal data breach notification
If we become aware of a personal data breach affecting your data, we notify you without undue delay and in any event within 48 hours. The notification includes the nature of the breach, categories of data affected, likely consequences, and measures taken.
08 International transfers
Personal data is stored in the UK (eu-west-2). Where transfers outside the UK/EEA are necessary - for example, AI inference via Anthropic - we rely on the UK International Data Transfer Addendum or EU Standard Contractual Clauses with appropriate safeguards.
09 Return & deletion
On termination you can export your data for 30 days. After 30 days we permanently delete personal data from production systems, and within 35 days from backups, except where law requires longer retention.
10 Audits
You may audit our compliance with this DPA once per year, at your cost and with reasonable notice. In place of an on-site audit you may rely on our annual SOC 2 Type II report (available under NDA from info@nextflowcrm.com).