Data Processing Agreement

PragFlow Data Processing Agreement (DPA)

GDPR Article 28

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer" or "Controller") and PragFlow OÜ (the "Processor").

1. Subject Matter and Duration

This DPA governs how PragFlow processes personal data on your behalf when you use the PragFlow platform. Processing continues for the duration of your subscription plus a commercially reasonable period after termination to allow for data export.

2. Nature and Purpose of Processing

PragFlow processes personal data to provide the platform services, including hosting, storage, analysis, notifications, and support across all modules (inspections, CAPA, assets, registers, lab, personnel, QR, AI, and dashboard).

3. Categories of Data and Data Subjects

The data we process on your behalf may include:

- Identity data (names, emails, employee IDs)
- Authentication data (hashed passwords, session information)
- Operational data (inspection results, CAPA records, asset information)
- Biometric data (facial recognition templates – Enterprise feature only)
- Health and safety data
- Communication data (chat messages, notifications)
- Behavioral data (QR scans, usage logs)

Data subjects include your employees, contractors, inspectors, and other individuals whose data you choose to manage in the platform.

4. Our Obligations as Processor

We agree to:

- Process personal data only on your documented instructions
- Implement appropriate technical and organizational security measures (including AES-256 encryption, tenant isolation, access controls, and logging)
- Ensure that our staff who process your data are bound by confidentiality obligations
- Notify you within 48 hours of becoming aware of any personal data breach
- Assist you with data subject requests and Data Protection Impact Assessments
- Delete or return all customer data after the export period following termination, unless retention is required by law

5. Sub-processors

You authorize us to use the following sub-processors:

- Hetzner (Germany/Finland) – Hosting, storage, and backups
- Google Cloud (EU regions) – AI processing (no biometric data is sent)
- Stripe (United States) – Billing and payments only

We will notify you at least 30 days before adding or replacing any sub-processor. You may object within 14 days. If we cannot resolve your objection, you may terminate the affected services.

6. International Transfers

All customer data is stored and processed within the European Union. Biometric data never leaves the EU under any circumstances.

The only transfer outside the EU is billing data to Stripe, which is protected by Standard Contractual Clauses and the EU-US Data Privacy Framework.

7. Security Measures

We maintain comprehensive security measures in line with GDPR Article 32, including encryption, access controls, network security, logging and monitoring, regular backups, and incident response procedures. Full details are available in our Security Annex upon request.

8. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service, except that GDPR administrative fines cannot be capped.

9. Governing Law

This DPA is governed by the laws of Estonia.

This document contains the essential requirements of Article 28 GDPR. A more detailed version with full annexes is available upon request.

Contact: legal@pragflow.com

PragFlow OÜ
Kungla tn 13-4
Tallinn Harjumaa 10411
Estonia