Legal

Data Processing Agreement

Template Version: 1.0 Last Updated: April 21, 2026 GDPR / CCPA Aligned

When this DPA applies: This Data Processing Agreement ("DPA") supplements our Terms of Service and applies when Prime Flow Ventures LLC processes Personal Data on behalf of a Client in connection with the provision of Services. It is required for clients subject to GDPR, UK GDPR, CCPA, or HIPAA where applicable.

Table of Contents

Definitions
Roles of the Parties
Scope of Processing
Processor Obligations
Controller Obligations
Sub-processors
Data Subject Rights
Security Measures
Breach Notification
International Transfers
Return and Deletion of Data
Audit Rights
Term and Termination
Annex I — Processing Details
Annex II — Security Measures
Annex III — Sub-processor List

1. Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

"Controller"

The Client, as the entity that determines the purposes and means of the processing of Personal Data.

"Processor"

Prime Flow Ventures LLC, which processes Personal Data on behalf of the Controller.

"Data Protection Laws"

All applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA/CPRA, and any applicable US state privacy laws.

"Processing"

Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.

"Sub-processor"

Any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Breach"

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Roles of the Parties

The Client acts as the Controller of Personal Data processed in connection with the Services. Prime Flow Ventures LLC acts as the Processor, processing Personal Data solely on documented instructions from the Controller.

Where Prime Flow Ventures processes Personal Data for its own operational purposes (e.g., billing, account management), it acts as an independent Controller, governed by its Privacy Policy.

3. Scope of Processing

The subject matter, nature, purpose, duration of processing, categories of Personal Data, and categories of Data Subjects are described in Annex I and, where applicable, in the executed Statement of Work ("SOW").

Prime Flow Ventures processes Personal Data only:

On documented instructions from the Controller, including as set out in this DPA and any applicable SOW;
As necessary to provide the Services;
As required by applicable law (in which case, Prime Flow Ventures will inform the Controller unless prohibited by law).

4. Processor Obligations

Prime Flow Ventures shall:

Process Personal Data only on documented instructions from the Controller;
Ensure that personnel authorized to process Personal Data have committed to confidentiality;
Implement appropriate technical and organizational security measures as set out in Annex II;
Not engage Sub-processors without prior written authorization from the Controller (general authorization is granted for the Sub-processors listed in Annex III);
Assist the Controller in responding to Data Subject rights requests;
Assist the Controller in meeting its security, breach notification, and Data Protection Impact Assessment obligations;
Delete or return all Personal Data to the Controller upon termination of Services, at the Controller's election;
Provide all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Controller or its designated auditor.

5. Controller Obligations

The Controller represents and warrants that:

It has a lawful basis for transferring Personal Data to Prime Flow Ventures for processing;
It has provided all required notices and obtained all required consents from Data Subjects;
Its instructions to Prime Flow Ventures comply with applicable Data Protection Laws;
It will promptly notify Prime Flow Ventures of any changes to applicable Data Protection Laws that affect Prime Flow Ventures' processing obligations.

6. Sub-processors

The Controller grants general written authorization for Prime Flow Ventures to engage the Sub-processors listed in Annex III. Prime Flow Ventures will:

Notify the Controller at least 30 days in advance of adding or replacing any Sub-processor;
Impose data protection obligations on all Sub-processors that are at least as protective as this DPA;
Remain liable to the Controller for the acts and omissions of Sub-processors.

If the Controller reasonably objects to a new Sub-processor within 14 days of notice, the parties will work in good faith to resolve the objection. If unresolved, the Controller may terminate the affected Services on 30 days' written notice.

7. Data Subject Rights

Prime Flow Ventures will promptly forward any Data Subject rights request received directly from a Data Subject to the Controller and will reasonably assist the Controller in responding to such requests, including by providing technical capabilities to fulfill access, correction, deletion, portability, and objection requests within the systems used to deliver the Services.

Prime Flow Ventures shall not independently respond to Data Subject rights requests without the Controller's prior written instruction, except where required by applicable law.

8. Security Measures

Prime Flow Ventures implements and maintains the technical and organizational security measures described in Annex II. These measures take into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects.

Prime Flow Ventures may update security measures over time, provided that such updates do not materially diminish the overall level of protection provided.

9. Data Breach Notification

Prime Flow Ventures will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any Data Breach affecting Personal Data processed under this DPA.

Such notification will include, to the extent known at the time:

Nature of the breach, including categories and approximate numbers of Data Subjects and records affected;
Name and contact details of the Data Protection contact;
Likely consequences of the breach;
Measures taken or proposed to address the breach and mitigate its effects.

Prime Flow Ventures will cooperate with and assist the Controller in meeting the Controller's own notification obligations under applicable Data Protection Laws.

10. International Data Transfers

To the extent that the Services involve the transfer of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other third countries not recognized as providing an adequate level of data protection, such transfers are made pursuant to Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are hereby incorporated by reference into this DPA.

For UK transfers, the International Data Transfer Addendum issued by the UK ICO applies. The parties agree to execute such instruments as may be required to give effect to these transfer mechanisms.

11. Return and Deletion of Data

Upon expiry or termination of the Services, Prime Flow Ventures will, at the Controller's election and within 30 days of written request:

Return all Personal Data to the Controller in a structured, commonly used, machine-readable format; or
Securely delete all Personal Data (including copies held by Sub-processors), and provide written certification of deletion.

Prime Flow Ventures may retain Personal Data to the extent required by applicable law, subject to continued compliance with this DPA.

12. Audit Rights

Upon written request with at least 30 days' notice, Prime Flow Ventures will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will permit — and contribute to — audits conducted by the Controller or a qualified third-party auditor appointed by the Controller, subject to:

Reasonable confidentiality protections;
Conduct during normal business hours with minimal disruption;
No more than one audit per 12-month period unless required by a supervisory authority.

Prime Flow Ventures may satisfy this obligation by providing current third-party audit reports (e.g., SOC 2 Type II) in lieu of on-site audits where the Controller agrees.

13. Term and Termination

This DPA remains in effect for the duration of any SOW under which Personal Data is processed and terminates upon completion of the deletion or return obligations in Section 11, subject to applicable data retention requirements.

Annex I — Processing Details

To be completed per engagement

Subject matter: Performance of AI automation and consulting services as defined in the applicable SOW.

Duration: For the term of the applicable SOW.

Nature and purpose: Processing necessary to develop, test, deploy, and maintain AI systems, automation workflows, and knowledge bases on behalf of the Controller.

Categories of Personal Data: [To be specified per engagement — may include: employee names and contact details, customer data, operational records, communication logs, document metadata]

Special categories: [None, unless expressly agreed in writing and subject to additional safeguards]

Categories of Data Subjects: [To be specified — may include: Controller's employees, contractors, customers, or end users]

Annex II — Technical & Organizational Security Measures

Security Controls

Access Controls

Role-based access control (RBAC) with principle of least privilege
Multi-factor authentication required for all systems containing Personal Data
Privileged access management with audit logging
Access reviews conducted quarterly

Encryption

Data in transit: TLS 1.2 or higher enforced on all connections
Data at rest: AES-256 encryption for all stored Personal Data
Encryption key management with regular rotation

Infrastructure Security

Systems hosted on SOC 2 Type II certified cloud infrastructure (AWS, GCP, or Azure)
Network segmentation and firewall controls
Vulnerability scanning and patch management program
Intrusion detection monitoring

Personnel & Process

Annual security and privacy training for all personnel handling Personal Data
Background screening for personnel with access to sensitive Client data
Documented incident response plan with regular testing
Clean desk and screen-lock policies

Business Continuity

Regular data backups with tested restoration procedures
Documented business continuity and disaster recovery plans

Annex III — Approved Sub-processors

Current as of April 21, 2026

Sub-processor	Location	Purpose	Transfer Mechanism
Amazon Web Services	USA	Cloud infrastructure, storage	SCCs / DPA
OpenAI LLC	USA	LLM inference (where applicable)	SCCs / DPA
Google Cloud	USA	Analytics, workspace tools	SCCs / DPA
Stripe Inc.	USA	Payment processing (billing data only)	SCCs / DPA

Updated Sub-processor list available on request at privacy@primeflowventures.com.

Execution

This DPA is entered into as of the date the Client executes a Statement of Work with Prime Flow Ventures LLC, and is incorporated by reference into the applicable Terms of Service.

Prime Flow Ventures LLC
Data Processor

Authorized Signature

Name / Title

Date

Client
Data Controller

Authorized Signature

Name / Title / Company

Date

To request an executable DPA for your organization, contact legal@primeflowventures-ai.com.