Data Processing Addendum

Last updated: July 17, 2026

This addendum forms part of the Terms of Servicebetween FlowPay ("Processor") and the customer ("Controller") whenever FlowPay processes personal data on the customer's behalf.

1. Scope and roles

For payer data the customer enters (party names, email addresses, invoice shares and status), the customer is the controller and FlowPay is the processor. For the customer's own account data, FlowPay is an independent controller as described in the Privacy Policy. Stripe processes payment data under its own agreements with the customer.

2. Processing instructions

FlowPay processes payer data only to provide the Service (issuing payment links, sending invoice-related emails and receipts, tracking per-payer status) and on the customer's documented instructions given through the Service, unless law requires otherwise, in which case FlowPay will inform the customer unless prohibited.

3. Confidentiality and security

Persons authorized to process the data are bound by confidentiality. FlowPay implements appropriate technical and organizational measures: encryption in transit and at rest, access controls, Stripe-hosted card processing (no card data on FlowPay systems), and US-region hosting on AWS (us-east-2 primary).

4. Subprocessors

Current subprocessors, which the customer authorizes:

FlowPay will give at least 14 days' notice before adding a subprocessor that processes payer data; the customer may object on reasonable data-protection grounds, and if unresolved may terminate the affected service.

5. Assistance, incidents, and audits

FlowPay will assist the customer, taking into account the nature of processing, with data-subject requests and with obligations regarding security and breach notification. FlowPay will notify the customer without undue delay after becoming aware of a personal-data breach affecting payer data. FlowPay will make available information reasonably necessary to demonstrate compliance with this addendum.

6. Return and deletion

On termination, FlowPay will delete payer data within 90 days except where retention is required by law. Payment records in the customer's own Stripe account are unaffected and remain with the customer.

7. Transfers

Data is processed in the United States. Where data protection law requires a transfer mechanism for data originating elsewhere, the parties incorporate the applicable standard contractual clauses by reference. Signed copies of this addendum are available on request at hello@takeflowpay.com.