
Data Processing Agreement

Last updated: April 19, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Gravity Epoch, S.A. de C.V. (RFC GEP180321P73), operator of the Booflow platform (referred to here as "Booflow" or "Processor"), and the Customer ("Controller") using the Booflow platform. It governs the processing of Personal Data by Booflow on behalf of the Customer.

1. Definitions

Capitalized terms have the meanings set out in the EU General Data Protection Regulation (GDPR). In particular:

  • "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings assigned in GDPR Article 4.
  • "Sub-processor" means any third party engaged by Booflow to process Personal Data.

2. Scope and duration

Booflow will process Personal Data on behalf of the Customer for the duration of the Customer's subscription, and will delete or return all Personal Data within 90 days of subscription termination, except as required by law.

3. Processing details

  • Subject matter: providing the Booflow Service.
  • Nature and purpose: hosting, displaying and processing workflow data entered by the Customer and its external collaborators.
  • Types of Personal Data: names, emails, company names, authentication data, file content (user-provided), comments, IP addresses, usage logs.
  • Categories of Data Subjects: Customer's team members, external collaborators invited to flows, end users visiting the Customer's portal.

4. Booflow's obligations

Booflow shall:

  • Process Personal Data only on documented instructions from the Customer;
  • Ensure personnel authorized to process Personal Data are bound by confidentiality;
  • Implement appropriate technical and organizational security measures (see Annex A);
  • Assist the Customer in responding to Data Subject requests (Art. 28(3)(e) GDPR);
  • Notify the Customer without undue delay (within 72 hours) upon becoming aware of a Personal Data breach;
  • Assist the Customer with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities under Articles 35 and 36 GDPR, taking into account the nature of the Processing and the information available to Booflow (Art. 28(3)(f) GDPR);
  • Make available the information needed to demonstrate compliance with Article 28 GDPR, including contributing to audits on reasonable notice.

5. Sub-processors

The Customer authorizes Booflow to engage the following Sub-processors as of the effective date:

  • Amazon Web Services (AWS) — hosting and S3 file storage. Region: us-east-1 (United States).
  • Vercel Inc. — application deployment and edge CDN. Functions: us-east-1.
  • Supabase (managed PostgreSQL) — primary database. Region: us-east-1.
  • Stripe, Inc. — payment processing. Region: United States and EU (PCI scope).
  • Twilio SendGrid — transactional email delivery. Region: United States.
  • Pusher Ltd. — real-time notifications. Region: customer-selectable; we use us2 (US East).
  • Upstash, Inc. — Redis (rate limiting + cache). Region: us-east-1.

The canonical and authoritative list is maintained at /legal/subprocessors; if this section conflicts with that page, the Sub-processors page controls.

Flow-down obligations (Art. 28(4) GDPR): Booflow has entered into written agreements with each Sub-processor that impose data-protection obligations no less protective than those in this DPA. Booflow remains fully liable to the Customer for the performance of each Sub-processor's data-protection obligations.

Booflow will notify the Customer at least 30 days before adding or replacing a Sub-processor. The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Service with a pro-rata refund.

6. International transfers

Booflow is established in Mexico (Gravity Epoch, S.A. de C.V., Puebla). The primary infrastructure (AWS, Vercel, Supabase) is located in the United States. Personal Data flows therefore involve up to two cross-border transfers from EEA/UK/Switzerland Customers: (a) EEA → Mexico (Booflow), and (b) Mexico → United States (Sub-processors).

For both transfer legs, the parties incorporate by reference the Standard Contractual Clauses (Module Two — Controller to Processor) adopted by the European Commission on June 4, 2021 (Commission Implementing Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum issued by the ICO.

  • Annex I.A (Parties): Data Exporter = Customer (Controller). Data Importer = Booflow (Processor, Gravity Epoch, S.A. de C.V., Puebla, México).
  • Annex I.B (Description of transfer): as set out in Section 3 of this DPA.
  • Annex I.C (Competent supervisory authority): the supervisory authority of the EEA member state in which the Data Exporter is established, or as otherwise designated by applicable law.
  • Annex II (Technical and organisational measures): as set out in Annex A of this DPA.
  • Annex III (Sub-processors): as listed in Section 5 of this DPA and at /legal/subprocessors.

Where any Sub-processor in the United States is certified under the EU-US Data Privacy Framework, Booflow may rely on that certification as an additional safeguard alongside the SCCs.

7. Data Subject rights

Booflow provides in-product tools to help the Customer fulfill Data Subject requests. When a Data Subject contacts Booflow directly, we will forward the request to the Customer without undue delay and will not respond unless instructed or legally required.

8. Audit rights

Upon written request with at least 30 days' notice, and no more than once per 12-month period (unless required by a regulator or after a breach), the Customer may request reasonable information demonstrating Booflow's compliance. Booflow may satisfy this via third-party audit reports (e.g. SOC 2, ISO 27001 when available).

9. Return and deletion

Upon termination, and at the Customer's written choice, Booflow will return or delete all Personal Data processed on behalf of the Customer within 90 days, unless longer retention is required by law.

10. Liability

The liability of each party under this DPA is subject to the limitations set out in the main Terms of Service.


Annex A — Security measures

  • All data in transit encrypted with TLS 1.2+.
  • All data at rest encrypted (AES-256) at the infrastructure layer.
  • Passwords hashed with bcrypt; secrets stored in a dedicated secret manager.
  • Role-based access control within production infrastructure; 2FA required for admin access.
  • Logging and monitoring of production systems with automated anomaly alerts.
  • Regular backups with tested restore procedures.
  • Incident response plan with 72-hour breach-notification commitment.
  • Security reviews of all code changes; periodic third-party penetration testing.

To execute this DPA, email legal@booflow.com with your company details and we'll counter-sign.
