Agreement | Effective March 15, 2026 | Updated March 15, 2026 | Reviewed March 15, 2026

Data Processing Agreement

Processor terms covering CustomerFlows' handling of customer end-user data, security obligations, subprocessors, and privacy-law responsibilities.

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Keilani Media Group LLC, doing business as CustomerFlows ("Processor"), and the entity or individual who has agreed to the Terms of Service ("Customer," "Controller," "you," or "your").

This DPA applies when CustomerFlows processes Personal Data on your behalf in the course of providing the Service. It establishes the responsibilities, obligations, and rights of both parties with respect to the processing of Personal Data, and supplements any obligations under applicable data protection laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), and other applicable U.S. state privacy laws (collectively, "Applicable Privacy Laws").

This DPA does not apply to Personal Data that CustomerFlows processes as an independent controller (e.g., your account registration information, billing data, and usage analytics). Processing of that data is governed by our Privacy Policy.


2. Definitions

"Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual. In the context of this DPA, Personal Data refers to the data of your end customers that is processed through the CustomerFlows platform.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Service" means the CustomerFlows platform and all associated features as described in the Terms of Service.

"Sub-processor" means a third party engaged by CustomerFlows to process Personal Data on behalf of the Customer.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by CustomerFlows on behalf of the Customer.


3. Roles and Responsibilities

3.1 Customer as Controller

You are the data controller for all end-customer Personal Data processed through CustomerFlows. You determine the purposes and means of processing. You are responsible for:

  • Ensuring a lawful basis exists for collecting and processing your end customers' Personal Data
  • Providing any required notices or disclosures to your end customers regarding data collection
  • Obtaining any necessary consents from end customers, including consent for WhatsApp communications
  • Responding to data subject requests (access, deletion, correction) from your end customers
  • Ensuring that your use of CustomerFlows complies with all Applicable Privacy Laws in your jurisdiction

3.2 CustomerFlows as Processor

We process Personal Data only on your behalf and in accordance with your documented instructions. We will:

  • Process Personal Data solely for the purpose of providing the Service to you
  • Not process Personal Data for any purpose other than those specified in this DPA and the Terms of Service
  • Not sell, share (as defined under CCPA/CPRA), or use Personal Data for cross-context behavioral advertising
  • Not retain, use, or disclose Personal Data for any commercial purpose other than providing the Service
  • Not combine Personal Data received from you with Personal Data received from other customers or collected from our own interactions with your end customers, except as necessary to provide the Service

4. Categories of Data Processed

CustomerFlows processes the following categories of Personal Data on your behalf:

| Data Category | Examples | Purpose |
|---|---|---|
| Contact information | Name, phone number, email address, property address | Lead capture, pipeline management, communication |
| Conversation content | WhatsApp messages, chatbot transcripts | Lead qualification, conversation history |
| Behavioral data | Website page views, click paths, referral source | Marketing attribution, visitor tracking |
| Advertising identifiers | GCLID, FBCLID, UTM parameters | Campaign attribution |
| Deal and transaction data | Deal value, pipeline stage, service type, job notes | CRM pipeline management |
| Scheduling data | Appointment dates, preferred contact times | Service delivery coordination |

The data subjects are your prospective and existing customers ("end customers") — individuals who interact with your business through your website, WhatsApp, or other channels connected to CustomerFlows.


5. Instructions for Processing

Your instructions for processing are defined by:

  • The Terms of Service and this DPA
  • Your configuration of the Service (pipeline stages, chatbot questions, automation workflows, team access settings)
  • Any additional written instructions provided by you and acknowledged by us

If we believe an instruction from you violates Applicable Privacy Laws, we will notify you promptly and will not be required to comply with such instruction until the issue is resolved.


6. Security Measures

CustomerFlows implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

6.1 Technical Measures

  • Encryption in transit: All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: Stored data is encrypted using AES-256 encryption
  • Access controls: Role-based access control (RBAC) limiting data access to authorized personnel based on job function
  • Authentication: Multi-factor authentication available for all user accounts; enforced for internal administrative access
  • Network security: Firewalls, intrusion detection systems, and network segmentation isolating production systems
  • Logging and monitoring: Comprehensive audit logging of data access and modifications with automated alerting for anomalous activity

6.2 Organizational Measures

  • Employee access: Access to production systems and customer data is restricted to employees whose job function requires it, on a need-to-know basis
  • Confidentiality: All employees and contractors with access to Personal Data are bound by confidentiality obligations
  • Training: Personnel with access to Personal Data receive regular data protection training
  • Vendor management: Sub-processors are evaluated for security practices before engagement and are bound by contractual data protection obligations

6.3 Infrastructure

  • Hosting: The Service is hosted on cloud infrastructure located within the United States
  • Backups: Automated encrypted backups performed daily with geographically separated storage within the United States
  • Disaster recovery: Recovery point objective (RPO) of 24 hours and recovery time objective (RTO) of 4 hours

7. Sub-processors

7.1 Authorized Sub-processors

CustomerFlows uses the following sub-processors to provide the Service:

| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication | United States | All customer data stored in the platform |
| Meta Platforms Inc. | WhatsApp Business API messaging | United States / Global | WhatsApp messages, phone numbers |
| Stripe Inc. | Payment processing | United States | Billing data (Customer's payment info only, not end-customer data) |
| Vercel Inc. | Application hosting and CDN | United States | Application traffic, session data |
| Resend Inc. | Transactional email delivery | United States | Email addresses, email content |

7.2 Changes to Sub-processors

We will notify you at least 30 days before adding or replacing a sub-processor by updating the list on our website at https://customerflows.com/legal/sub-processors and sending an email notification to the account owner.

If you object to a new sub-processor on reasonable data protection grounds, you may notify us within 15 days of receiving the notification. We will make reasonable efforts to address your concerns. If we are unable to resolve the objection, you may terminate the affected Service by providing written notice, and we will refund any prepaid fees for the unused portion of the subscription term.

7.3 Sub-processor Obligations

We ensure that all sub-processors are bound by written data processing agreements that impose obligations no less protective than those in this DPA.


8. Data Subject Rights

8.1 Assistance with Requests

When we receive a request directly from one of your end customers regarding their Personal Data (e.g., access, deletion, correction), we will promptly redirect the individual to you, as the data controller, unless you have instructed us otherwise.

We will provide you with reasonable assistance, through the functionality of the Service or otherwise, to fulfill your obligations to respond to data subject requests under Applicable Privacy Laws.

8.2 Customer's Obligations

You are responsible for responding to data subject requests within the timeframes required by Applicable Privacy Laws. You may use the following Service features to fulfill these obligations:

  • Access requests: Export a contact's full data profile (including conversation history, deal data, and activity log) from the contact detail page
  • Deletion requests: Delete a contact and all associated data from the contact detail page. Deletion is permanent and cannot be undone
  • Correction requests: Edit any contact field from the contact detail page

9. Data Breach Notification

9.1 Notification

In the event of a Data Breach affecting your end customers' Personal Data, we will:

  • Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide the notification in writing to the account owner's email address

9.2 Content of Notification

The notification will include, to the extent known at the time:

  • A description of the nature of the breach, including the categories and approximate number of data subjects affected
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its effects

9.3 Cooperation

We will cooperate with you and provide reasonable assistance in investigating and remediating the breach, and in complying with any notification obligations you may have under Applicable Privacy Laws.

9.4 Limitation

Our obligation to report a Data Breach is not an acknowledgment of fault or liability.


10. Data Retention and Deletion

10.1 During the Subscription

Personal Data is retained for the duration of your subscription. You may delete individual contacts and their associated data at any time through the Service.

10.2 After Termination

Upon termination or expiration of your subscription:

  • Your account enters a 30-day read-only period during which you may export your data
  • After 30 days, all Personal Data in your account is permanently deleted from our production systems
  • Encrypted backups containing your data are purged within 90 days of account termination
  • We may retain aggregated, anonymized data that does not identify individual data subjects for internal analytics purposes

10.3 Deletion Certification

Upon your written request after account termination and data deletion, we will confirm in writing that all Personal Data has been deleted in accordance with this DPA, subject to the backup retention schedule described above.


11. CCPA/CPRA-Specific Provisions

To the extent that CustomerFlows processes Personal Data subject to the CCPA/CPRA on your behalf:

  • CustomerFlows acts as a "Service Provider" as defined under CCPA/CPRA
  • We will not sell or share Personal Data, as those terms are defined under CCPA/CPRA
  • We will not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA and the Terms of Service, or as otherwise permitted by the CCPA/CPRA
  • We will not combine Personal Data we receive from you with Personal Data we receive from other sources or collect in our own capacity, except as expressly permitted by the CCPA/CPRA
  • We grant you the right to take reasonable and appropriate steps to ensure that we use Personal Data in a manner consistent with your obligations under the CCPA/CPRA
  • We will notify you if we determine that we can no longer meet our obligations under the CCPA/CPRA
  • We certify that we understand and will comply with the restrictions and obligations set forth in this section

12. Audits

Upon your written request, not more than once per calendar year, and subject to reasonable confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. This may include:

  • Responses to a written data protection questionnaire
  • Summaries of third-party security audit reports or certifications
  • Documentation of our technical and organizational measures

On-site audits are not available due to the nature of our cloud-hosted infrastructure. If a third-party audit is required by Applicable Privacy Laws, we will cooperate with a mutually agreed-upon independent auditor at your expense.


13. International Data Transfers

CustomerFlows processes and stores all data within the United States. We do not transfer Personal Data outside of the United States except as follows:

  • WhatsApp messages are transmitted through Meta's WhatsApp Business API, which operates globally. Message content may transit through Meta's infrastructure outside the United States. Meta's data processing is governed by the WhatsApp Business Terms and Meta's Data Processing Terms
  • We do not otherwise transfer Personal Data to countries outside the United States

14. Limitation of Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA does not create any independent basis for liability beyond what is established in the Terms of Service.


15. Term and Termination

This DPA takes effect on the date you agree to the Terms of Service and remains in effect for the duration of your subscription. The obligations in Sections 9 (Data Breach Notification), 10 (Data Retention and Deletion), and 11 (CCPA/CPRA-Specific Provisions) survive termination.


16. Conflicts

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and Applicable Privacy Laws, the Applicable Privacy Laws prevail.


17. Contact

For questions about this DPA or to exercise any rights under it:

  • Data protection inquiries: [email protected]
  • Legal inquiries: [email protected]
  • Company: Keilani Media Group LLC
  • Address: 30 N Gould St, Ste R, Sheridan, WY 82801, United States
