Data Processing Agreement

For the purposes of this Data Processing Agreement ("DPA"):

• Data Controller / Data Fiduciary: You, the customer, who determines the purpose and means of processing personal data through our services.
• Data Processor: FlowForge Labs, which processes personal data on your behalf to provide the services.
• Data Subject / Data Principal: The individuals whose personal data is processed through our services (e.g., your clients, patients, or employees).
• Personal Data: Any data about an identifiable individual, as defined under the DPDP Act, 2023.
• Sub-Processor: Any third party engaged by FlowForge Labs to process personal data on your behalf.

This DPA applies to the processing of personal data that you provide to FlowForge Labs through the use of our SaaS products. We process personal data solely for the purpose of providing and maintaining the services as described in our Terms of Service.

The categories of personal data processed and the categories of data subjects depend on the specific FlowForge Labs product you use (e.g., patient data for DentaFlow, supplier data for SupplyFlow).

As a Data Processor, FlowForge Labs shall:

• Process personal data only on your documented instructions and solely for the purpose of providing the services
• Ensure that all personnel authorised to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
• Assist you in fulfilling your obligations to respond to Data Subject / Data Principal requests
• Make available all information necessary to demonstrate compliance with data processing obligations
• Not process personal data for any purpose other than providing the services, including not using it for marketing, profiling, or selling to third parties

FlowForge Labs implements the following security measures to protect personal data:

• Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256.
• Access Controls: Role-based access controls (RBAC) with the principle of least privilege. Multi-factor authentication for administrative access.
• Infrastructure: Cloud hosting on tier-1 providers with SOC 2 and ISO 27001 certifications.
• Monitoring: Continuous monitoring of system access and anomaly detection.
• Backup: Regular automated backups with encryption. Point-in-time recovery capability.
• Incident Response: Documented incident response procedures with defined escalation paths.

FlowForge Labs may engage sub-processors to assist in providing the services. Current sub-processors include:

• Vercel Inc. — Application hosting and deployment (USA)
• Supabase Inc. — Database hosting and authentication (AWS Mumbai region)
• Resend Inc. — Transactional email delivery (USA)
• Cloudflare Inc. — CDN and security services (Global)

We will provide you with notice of any new sub-processor additions at least 15 days before they begin processing personal data. You may object to a new sub-processor on reasonable grounds, in which case we will work with you to find an alternative solution.

FlowForge Labs will assist you in responding to requests from Data Principals exercising their rights under the DPDP Act, including:

• Right to access personal data
• Right to correction of inaccurate data
• Right to erasure of personal data
• Right to grievance redressal

We will notify you promptly if we receive a request directly from a Data Principal, and will not respond to such requests directly unless authorised by you or required by law.

In the event of a personal data breach, FlowForge Labs shall:

• Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
• Provide details of the nature of the breach, categories of data affected, approximate number of records affected, and likely consequences
• Describe the measures taken or proposed to address the breach and mitigate its effects
• Cooperate with you in notifying affected Data Principals and the Data Protection Board of India, as required under the DPDP Act

Upon termination or expiry of the service agreement:

• We will provide you with the ability to export your data in a standard, machine-readable format within 30 days
• After the 30-day export period, all personal data will be permanently deleted from our active systems
• Data in backups will be deleted within 90 days of the export period ending, or overwritten through normal backup rotation
• We will provide written confirmation of data deletion upon request

FlowForge Labs will make available to you, upon reasonable request and at reasonable intervals, the following:

• Summary reports of our security practices and compliance measures
• Results of third-party security audits or certifications (where available)
• Responses to reasonable written questionnaires about our data processing practices

On-site audits may be arranged by mutual agreement, with reasonable advance notice and during normal business hours, provided they do not disrupt our operations or compromise the security or confidentiality of other customers' data.

Personal data is primarily stored in the AWS Mumbai (ap-south-1) region. Where data may be transferred outside India through our sub-processors, such transfers comply with the DPDP Act and any restrictions notified by the Central Government regarding permissible jurisdictions.

We will not transfer personal data to any jurisdiction that the Central Government has restricted or blacklisted for data transfers.

This DPA remains in effect for the duration of your service agreement with FlowForge Labs. The data processing obligations under this DPA survive termination until all personal data has been deleted or returned as described in Section 8.

This DPA shall be governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable rules. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts in New Delhi, India.

For questions about this Data Processing Agreement or to request a signed copy, contact us at:

• Email: hello@flowforgelabs.in
• Address: ALT.F Coworking, Sector 58, Noida, Uttar Pradesh, India