Data Processing Agreement
1. Introduction
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service (“Principal Agreement”) between SAI.Flow AS, registered in Norway, organization number [insert], (“Processor”) and the customer (“Controller”).
The Agreement ensures that all processing of personal data is performed in full compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation — GDPR) and relevant Norwegian data protection legislation.
2. Purpose and Scope
This Agreement governs the Processor’s handling of personal data on behalf of the Controller for the purpose of providing automation, analytics, and AI workflow services through the SAI.Flow platform.
The Processor shall only process data as necessary to deliver these services and never for its own purposes.
3. Definitions
- Controller: The entity that determines the purpose and means of processing personal data.
- Processor: SAI.Flow AS, which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, such as collection, storage, access, or deletion.
- Sub-processor: A third party engaged by the Processor to process data on behalf of the Controller.
4. Security and Data Protection Commitments
SAI.Flow maintains a comprehensive security framework designed to ensure confidentiality, integrity, and availability of personal data. This includes:
Technical Measures
- End-to-end encryption:
  - AES-256 encryption for data at rest.
  - TLS 1.3 for all data in transit.
- Role-based access control (RBAC) and multi-factor authentication (MFA) for all staff and systems.
- Secure logging and audit trails for all access and modifications.
- Automatic data masking for sensitive fields during debugging or support.
- Real-time intrusion detection and anomaly monitoring.
Organizational Measures
- Mandatory annual security and privacy training for all employees.
- Strict least-privilege principle enforced across systems and databases.
- All employees bound by confidentiality and non-disclosure agreements (NDAs).
- 24/7 monitoring and alerting of all production systems.
- Independent penetration testing and vulnerability assessments conducted annually by third parties.
5. Sub-processors
SAI.Flow uses a minimal, vetted list of sub-processors essential to operate the platform (e.g., Amazon Web Services (AWS), Google Cloud, Datadog, Postmark).
Each sub-processor:
- Signs a written DPA with SAI.Flow ensuring GDPR-level compliance.
- Is continuously monitored for security posture and compliance adherence.
- Is listed in the Sub-processor Registry, available on request or via the Trust Center.
6. International Data Transfers
If data is transferred outside the EEA, SAI.Flow ensures adequate safeguards through:
- EU Standard Contractual Clauses (SCCs).
- Data transfer impact assessments.
- Hosting in ISO 27001-certified environments with redundant storage within the EEA region whenever possible.
No data is transferred to third countries without lawful basis and documented safeguards.
7. Data Subject Rights
The Processor assists the Controller in fulfilling requests under GDPR, including:
- Right of access, rectification, and erasure.
- Right to restriction or objection to processing.
- Data portability.
All such requests are handled without undue delay and logged for audit purposes.
8. Breach Notification
In the event of a personal data breach, SAI.Flow shall:
- Notify the Controller within 24 hours of becoming aware of the breach.
- Provide detailed information on scope, cause, and mitigation.
- Cooperate fully with the Controller to fulfill notification obligations to supervisory authorities and affected individuals.
9. Confidentiality
All personal data processed under this Agreement is treated as strictly confidential.
Only authorized employees with a business-critical need shall have access, and all such access is logged and reviewed.
10. Data Retention and Deletion
Upon termination of the Principal Agreement or at the Controller’s written request:
- All personal data will be securely deleted within 30 days, unless legal obligations require retention.
- Backups containing personal data will be encrypted and purged within 90 days.
- Verification of deletion will be documented and provided to the Controller upon request.
11. Audits and Inspections
The Controller may request evidence of compliance through:
- Documentation of technical and organizational measures.
- Recent penetration test summaries.
- Third-party security certifications and audit reports.
Physical or remote audits may be conducted once per year with reasonable notice, provided they do not compromise platform security or the privacy of other customers.
12. Liability and Indemnification
Each Party’s liability under this Agreement shall be governed by and limited to the terms in the Principal Agreement, except where otherwise required by applicable law.
13. Governing Law and Jurisdiction
This Agreement shall be governed by the laws of Norway.
Any dispute shall be resolved in the Oslo District Court, unless otherwise agreed.
14. Duration and Termination
This Agreement remains valid for as long as SAI.Flow processes personal data on behalf of the Controller.
Termination of the Principal Agreement automatically terminates this DPA.
The SAI.Flow team is committed to maintaining industry-leading standards of data security, transparency, and compliance — ensuring that your automations remain safe, compliant, and future-proof.
