Data Processing Addendum

Last updated Jul 2, 2026

This Data Processing Addendum (“DPA”) applies whenever ParFlow processes personal data on behalf of a business customer as part of the service. It is incorporated into our Terms of Service (/terms-of-use) and takes effect automatically when you use the service — no signature is required.

Roles and scope

For personal data the Customer collects and manages through the service — leads, conversations, contacts, appointments, and CRM records of the Customer's own end customers (“Customer Personal Data”) — the Customer is the controller (or a processor for another controller), and ParFlow is the Customer's processor / service provider. This DPA does not apply to data for which ParFlow is itself the controller (such as the Customer's own account and billing data), which is governed by our Privacy Policy (/privacy-policy).

Details of processing

ItemDescription
Subject matterOperating AI agents, CRM, scheduling, messaging, and automation for the Customer
DurationThe term of the Customer's subscription, plus the deletion period below
Nature and purposeHosting, storage, transmission, AI-assisted analysis and reply generation, notification delivery, and related support
Categories of dataContact details, conversation content (chat, messaging, and — where enabled — voice recordings and transcripts), notes, appointment details, consent records, technical identifiers
Data subjectsThe Customer's website visitors, leads, end customers, and contacts

Our commitments as processor

  • Process Customer Personal Data only on the Customer's documented instructions — given through the service's settings and features, the Terms of Service, and this DPA — unless the law requires otherwise (in which case we will inform the Customer unless prohibited).
  • Ensure persons authorised to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures, including encryption in transit, encrypted storage of integration credentials, workspace isolation, role-based access, and abuse rate limiting.
  • Assist the Customer, insofar as reasonably possible, in responding to data subject requests (access, correction, deletion, objection) concerning Customer Personal Data.
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information reasonably available to us.
  • Assist the Customer, with information reasonably available to us, in meeting its own security, breach-notification, and impact-assessment obligations.

Subprocessors

The Customer gives general authorisation to use the subprocessors listed at /subprocessors, which shows each provider's purpose, data categories, and location. We update that page before adding or replacing a subprocessor that processes Customer Personal Data. If the Customer has a reasonable data-protection objection to a new subprocessor, it should contact us within 14 days of the update; if we cannot offer a reasonable alternative, the Customer may cancel the affected subscription. We remain responsible for our subprocessors' performance and bind them to data-protection obligations no less protective than this DPA.

International transfers

ParFlow is operated from Israel — which benefits from a European Commission adequacy decision — and Customer Personal Data is processed by our infrastructure subprocessors in other countries, including the United States. Where data is transferred to a country without an adequacy decision, we rely on appropriate safeguards, such as the subprocessor's data processing agreement incorporating standard contractual clauses or participation in a recognised transfer framework, as reflected on the subprocessors page.

AI processing

Generating agent replies, summaries, and semantic search requires sending conversation content and relevant configured knowledge to our AI model provider, and — where the Customer has enabled voice features — streaming end-user audio to that provider in real time. Under the provider's business terms, such API data is not used to train its generally available models by default. Enabling an agent constitutes the Customer's instruction for this processing.

Deletion and return

During the subscription, the Customer manages Customer Personal Data through the service (including deleting records). Upon termination, we delete or anonymise Customer Personal Data in accordance with the retention approach described in our Privacy Policy, unless the law requires longer retention. The Customer may request a copy of its Customer Personal Data, or earlier deletion, by written request to us before or within 30 days after termination.

Information and audit

On reasonable written request, we will make available information reasonably necessary to demonstrate compliance with this DPA — such as descriptions of our security measures and our subprocessor list. As an early-stage service we do not operate an on-site audit programme or hold third-party certifications; where an audit is legally required, it will be satisfied through written documentation to the extent the law allows.

Precedence, law, and changes

In case of conflict between this DPA and the Terms of Service regarding the processing of Customer Personal Data, this DPA prevails. Governing law and jurisdiction follow the Terms of Service. We may update this DPA to reflect legal or service changes; material changes will be notified in advance, and the “last updated” date above always reflects the current version.

Questions about this DPA? Email us at Lior@parflow.cc.