1. Parties and roles
This Data Processing Agreement forms part of the Datopia Flow Terms of Service where Datopia processes customer-controlled personal data on behalf of a Flow customer.
The Flow customer is the controller for customer-controlled Flow data. Datopia is the processor for that data. Datopia may act as controller for its own account, billing, security, legal, support, complaint, audit, and business administration records.
2. Subject matter
The subject matter is hosting, operating, maintaining, securing, supporting, transmitting, displaying, backing up, and administering Datopia Flow.
3. Duration
This DPA applies for the duration of the customer's use of Flow and any post-termination deletion, export, retention, or backup period.
4. Nature and purpose of processing
Datopia processes customer-controlled personal data to provide Flow functionality, account access, job/customer/repair tracking, uploads, status updates, partner sharing, support, security, backups, auditability, and related services.
5. Types of personal data
- end-customer names and contact details where entered;
- business/trade contact details;
- job references;
- repair/item descriptions;
- notes, statuses, due dates, estimates, pricing, tracking references, and parcel information;
- images/documents uploaded by customers;
- user names, emails, roles, permissions, and activity logs;
- partner-sharing metadata and acceptance records.
6. Categories of data subjects
- Flow customer staff, users, and admins;
- end customers of Flow business customers;
- trade partners;
- couriers or contacts where entered;
- other individuals whose data is entered into Flow by the customer.
7. Customer instructions
Datopia will process customer-controlled personal data only on documented instructions from the customer, including use of the platform, configuration, support requests, and these terms, unless required by law. Datopia will inform the customer if an instruction appears to infringe data protection law, where legally permitted.
8. Confidentiality
Datopia will ensure anyone authorised to access customer-controlled personal data is subject to confidentiality obligations. Datopia is currently operated by a sole trader; this obligation also applies to future staff, contractors, advisers, and service providers where they are authorised to access the data.
9. Security measures
Datopia will use reasonable technical and organisational measures appropriate to the nature of Flow. These may include access controls, authentication, least-privilege access, role-based permissions where applicable, database row-level security where applicable, encryption in transit, backups where applicable, secure development practices, logging/monitoring, incident response, and supplier/sub-processor controls.
10. Sub-processors
The customer gives general authorisation for Datopia to use sub-processors needed to provide Flow. Datopia will maintain a Service Provider and Sub-processor List and ensure sub-processors are subject to written terms providing appropriate protection. Datopia remains responsible for sub-processor processing where required by law.
Datopia will provide reasonable notice of material sub-processor changes where practical. Customers may object on reasonable data protection grounds.
11. International transfers
Datopia will ensure international transfers use appropriate safeguards where required, such as UK adequacy regulations or approved contractual safeguards.
12. Data subject rights assistance
Datopia will provide reasonable assistance to help the customer respond to rights requests, taking into account the nature of processing and information available to Datopia. The customer remains responsible for responding where it is controller.
13. Data protection complaints assistance
Datopia will provide reasonable assistance where a complaint relates to customer-controlled Flow data. The customer remains responsible for complaints where it is controller. Datopia may handle complaints directly where Datopia is controller.
14. Personal data breach
Datopia will notify the affected customer without undue delay after becoming aware of a personal data breach affecting customer-controlled personal data. Notice should include available information reasonably required by data protection law.
The customer remains responsible for any required notification to individuals or the ICO where it is controller, unless the breach was caused by Datopia and law requires otherwise.
15. DPIA and regulatory assistance
Datopia will provide reasonable assistance with DPIAs, prior consultation, regulator enquiries, and security information where required and proportionate. Datopia may charge reasonable costs where assistance is caused by customer acts or omissions or is excessive, unless prohibited by law.
16. Return and deletion
On termination or request, Datopia will provide reasonable export/deletion options where technically available. Datopia may retain data where required for legal, tax, accounting, security, backup, audit, dispute, or compliance purposes. Backup deletion may follow normal backup cycles.
Datopia may charge reasonable costs for non-routine export, recovery, deletion, or migration assistance unless prohibited by law or agreed otherwise in writing.
17. Audit and compliance information
Datopia will make reasonable information available to demonstrate compliance with this DPA. Any audit must be reasonable, proportionate, avoid disruption, protect other customers and platform security, and be subject to confidentiality. Datopia may satisfy audit requests through documentation, security summaries, written responses, or third-party reports where available.
Datopia may charge reasonable costs for non-routine audit assistance, detailed compliance responses, or customer-specific evidence requests unless prohibited by law or agreed otherwise in writing.
18. Customer responsibilities
The customer must ensure lawful basis, transparency, minimisation, accuracy, retention, user permissions, account security, and partner-sharing compliance. The customer must not upload prohibited or unusually sensitive data unless lawful, necessary, transparent, and agreed where required. The customer is responsible for its own users and account permissions.
19. Order of precedence
This DPA prevails over the Terms for processor obligations relating to customer-controlled personal data. The Terms prevail for commercial matters unless expressly overridden by this DPA.