Data Processing Agreement
Version 1.0
Last updated: March 23, 2026
PARTIES
Data Processor: Flows Marketing Solutions LLC, a Wyoming, United States limited liability company, operating as Ecomflows (“Processor”)
Email: legal@ecomflows.io
Website: https://ecomflows.io
Data Controller: The entity identified in the Ecomflows Terms of Service as the client and/or the entity that has connected its Klaviyo account to the Ecomflows Platform (“Controller”)
Together referred to as the “Parties” and individually as a “Party”.
RECITALS
WHEREAS:
A. The Controller uses the Ecomflows SaaS Platform (the “Platform”) and/or agency services (the “Services”) provided by the Processor pursuant to the Terms of Service available at ecomflows.io/terms (the “Service Agreement”).
B. In the course of providing the Services, the Processor processes personal data on behalf of the Controller.
C. The Parties wish to ensure that the processing of personal data complies with Regulation (EU) 2016/679 (the “GDPR”) and other applicable data protection laws.
D. This Data Processing Agreement (“DPA”) sets out the terms and conditions under which the Processor processes personal data on behalf of the Controller.
NOW THEREFORE, the Parties agree as follows:
1. Definitions
1.1. “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
1.2. “Processing” means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
1.3. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.4. “Sub-Processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
1.5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.6. “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.
1.7. “Platform” means the Ecomflows SaaS platform that connects to the Controller’s Klaviyo account via OAuth 2.0.
2. Scope and Purpose
2.1. This DPA applies to all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the provision of the Services.
2.2. The Processor shall process Personal Data solely for the purpose of providing the Services as described in the Service Agreement, including:
- Synchronizing and storing Klaviyo account data, including personal data of end-consumers, to power Platform analytics, dashboards, and optimization features;
- Generating performance reports, custom triggers, and flow optimization recommendations;
- Producing aggregated, anonymized benchmarks and insights;
- Supporting agency service delivery where applicable.
2.3. This DPA forms an integral part of, and is incorporated by reference into, the Service Agreement. In the event of a conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to data protection matters.
3. Categories of Personal Data
3.1. The Processor may process the following categories of Personal Data on behalf of the Controller:
- Contact information: Email addresses, names, phone numbers
- Purchase data: Order history, transaction amounts, product information, payment methods
- Behavioral events: Website visits, email opens, email clicks, product views, cart activity, custom events
- Device and location data: IP addresses, device type, browser information, approximate geolocation as present in Klaviyo profiles
- Marketing engagement data: Campaign interactions, flow engagement, segment membership, form submissions
- Profile metadata: Customer tags, custom properties, consent statuses, subscription preferences
4. Data Subjects
4.1. The Data Subjects whose Personal Data is processed under this DPA are:
- End-consumers of the Controller — i.e., the Controller’s customers, subscribers, and website visitors whose data is stored in the Controller’s Klaviyo account.
5. Duration of Processing
5.1. The Processor shall process Personal Data for the duration of the Service Agreement, or until the Controller disconnects its Klaviyo account from the Platform, whichever occurs first.
5.2. Upon termination of the Service Agreement, the Processor shall handle Personal Data in accordance with Section 14 (Termination and Data Deletion) of this DPA.
6. Controller Obligations
6.1. The Controller warrants that:
- It has a valid legal basis for the collection and processing of Personal Data, including any necessary consents from Data Subjects;
- It has provided appropriate privacy notices to Data Subjects informing them of the Processing by the Processor;
- Its instructions to the Processor comply with applicable data protection laws;
- It is authorized to grant the Processor access to its Klaviyo account via OAuth for the purposes described in this DPA;
- It shall notify the Processor promptly of any changes to applicable data protection laws that may affect the Processing under this DPA.
7. Processor Obligations
7.1. The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited by law);
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 8;
- Comply with the conditions for engaging Sub-Processors as set out in Section 9;
- Assist the Controller, taking into account the nature of the Processing, in responding to requests from Data Subjects exercising their rights under the GDPR, as described in Section 11;
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor;
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.
7.2. The Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes the GDPR or other applicable data protection law.
8. Security Measures
8.1. The Processor shall implement and maintain the following technical and organizational measures to protect Personal Data:
a) Encryption
- At rest: OAuth tokens encrypted using AES-256-GCM with unique initialization vectors; database encryption provided by Google Cloud SQL managed encryption
- In transit: All data transmitted via TLS 1.2 or higher
b) Access Controls
- Identity and Access Management (IAM) policies restricting access to Personal Data to authorized personnel only
- Role-based access control within the Platform
- Multi-factor authentication for administrative access
c) Infrastructure Security
- All Personal Data stored on Google Cloud Platform infrastructure located in the European Union
- GCP infrastructure is SOC 2 Type II and ISO 27001 certified
- Network isolation and firewall rules limiting access to database and application servers
d) Monitoring and Logging
- Application error monitoring via Sentry (configured to exclude PII)
- Access logging and audit trails
- API access restrictions limiting access to authorized applications only
e) Organizational Measures
- Confidentiality agreements with all personnel who may access Personal Data
- Access to Personal Data limited to personnel who require it for the performance of Services
9. Sub-Processors
9.1. The Controller provides general written authorization for the Processor to engage Sub-Processors for the purpose of providing the Services.
9.2. As of the date of this DPA, the Processor engages the following Sub-Processors:
Google Cloud Platform (Google LLC)
Purpose: Infrastructure hosting, database (Cloud SQL), background processing (Cloud Tasks, Cloud Run)
Location: EU (Europe)
Firebase Authentication (Google LLC)
Purpose: User authentication token issuance and verification — authentication credentials (email, hashed password) processed transiently during login only
Location: US (global service)
Stripe Inc.
Purpose: Payment processing
Location: US (PCI-DSS compliant)
Sentry (Functional Software Inc.)
Purpose: Error tracking and monitoring — configured to exclude PII
Location: US
9.3. The Processor shall:
a) Notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes within thirty (30) days of notification;
b) Ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA;
c) Remain fully liable to the Controller for the performance of Sub-Processor obligations.
9.4. If the Controller objects to a new Sub-Processor on reasonable grounds related to data protection, the Parties shall discuss the objection in good faith. If the Parties cannot resolve the objection within thirty (30) days, the Controller may terminate the affected Services without penalty.
10. Personal Data Breach Notification
10.1. The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.
10.2. The notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
- The name and contact details of the Processor’s contact point;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
10.3. Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without undue delay.
10.4. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
11. Data Subject Rights
11.1. The Processor shall promptly assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
11.2. If the Processor receives a request directly from a Data Subject, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject directly unless instructed by the Controller or required by law.
11.3. The Processor shall implement technical and organizational measures to enable the Controller to fulfill Data Subject requests, including the ability to export and delete Personal Data associated with a specific Controller account.
12. Data Protection Impact Assessments
12.1. The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35 and 36 of the GDPR, taking into account the nature of the Processing and the information available to the Processor.
13. International Data Transfers
13.1. All Personal Data processed under this DPA is stored on servers located in the European Union (Google Cloud Platform, EU region).
13.2. To the extent that Personal Data is transferred from the European Economic Area (EEA) to the Processor in the United States, or is accessible by Processor personnel located outside the EEA, such transfers are governed by the Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021.
13.3. The SCCs are hereby incorporated into and form an integral part of this DPA. The following provisions apply:
a) Module 2 (Controller to Processor) shall apply;
b) Clause 7 (Docking clause): The optional docking clause is included, allowing additional parties to accede to the SCCs;
c) Clause 9(a) (Use of Sub-Processors): Option 2 (general written authorization) shall apply, with the notice period set out in Section 9.3(a) of this DPA;
d) Clause 11 (Redress): The optional clause on independent dispute resolution is not included;
e) Clause 13(a) (Supervision): The supervisory authority of the EEA member state in which the Controller is established, or where the Controller is not established in the EEA, the supervisory authority of the member state in which the Controller’s EU representative is established, shall act as the competent supervisory authority. The Processor’s lead supervisory authority for GDPR purposes is the Irish Data Protection Commission (DPC), reachable at www.dataprotectioncommission.ie;
f) Clause 17 (Governing law): Option 1 shall apply; the SCCs shall be governed by the laws of Ireland;
g) Clause 18(b) (Choice of forum and jurisdiction): Disputes arising from the SCCs shall be resolved by the courts of Ireland.
13.4. Supplementary measures: In addition to the SCCs, the Processor implements the following supplementary technical measures:
- AES-256-GCM encryption of sensitive data at rest;
- TLS 1.2+ encryption of all data in transit;
- Strict IAM access controls limiting data access;
- Data stored in EU data centers with access logging.
14. Termination and Data Deletion
14.1. Upon termination or expiration of the Service Agreement, or upon disconnection of the Controller’s Klaviyo account from the Platform:
- The Processor shall permanently delete all Personal Data processed on behalf of the Controller within thirty (30) days, including but not limited to: synchronized Klaviyo metadata, OAuth tokens, orders, campaigns, flows, segments, forms, metrics, and associated records;
- OAuth tokens shall be deleted immediately upon disconnection;
- The Processor may retain aggregated, anonymized statistical data that cannot be traced back to the Controller or any individual Data Subject. Such data does not constitute Personal Data;
- The Processor shall provide written confirmation of deletion upon request by the Controller.
14.2. If applicable law requires the Processor to retain certain Personal Data beyond the deletion period, the Processor shall:
- Inform the Controller of any such legal requirement;
- Limit the Processing of such data to the purpose required by law;
- Continue to protect the data in accordance with this DPA.
15. Audits
15.1. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
15.2. The Controller may conduct audits, including inspections, of the Processor’s data processing activities, subject to the following conditions:
- The Controller shall provide at least thirty (30) days’ written notice of any audit;
- Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor’s operations;
- The Controller shall bear its own costs of the audit;
- Audit findings shall be treated as confidential information of the Processor;
- Where multiple Controllers request audits, the Processor may arrange a single combined audit to avoid excessive disruption.
15.3. As an alternative to an on-site audit, the Processor may provide the Controller with a summary of relevant third-party audit or certification reports from its infrastructure providers, including Google Cloud Platform’s SOC 2 Type II and ISO 27001 certifications.
16. Liability
16.1. Each Party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Service Agreement, except where such limitations are not permitted by the GDPR.
16.2. Nothing in this DPA limits either Party’s liability for:
- Fraud or fraudulent misrepresentation;
- Any liability that cannot be excluded or limited under applicable data protection law.
17. Governing Law
17.1. This DPA, excluding the SCCs, shall be governed by and construed in accordance with the laws of the State of Wyoming, United States.
17.2. The SCCs incorporated into this DPA shall be governed by the laws of Ireland, as specified in Section 13.3(f).
17.3. Any dispute arising from or in connection with this DPA (excluding disputes arising from the SCCs) shall be resolved by the courts of the State of Wyoming.
17.4. Any dispute arising from the SCCs shall be resolved by the courts of Ireland, as specified in Section 13.3(g).
18. Miscellaneous
18.1. Entire agreement: This DPA, together with the Service Agreement and the SCCs, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data.
18.2. Amendments: This DPA may only be amended in writing by both Parties. The Processor may update the list of Sub-Processors in accordance with Section 9.
18.3. Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
18.4. Precedence: In the event of a conflict between this DPA and the Service Agreement, the provisions of this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
19. Acceptance
This DPA is entered into and becomes binding upon the Controller’s acceptance of the Ecomflows Terms of Service and connection of the Controller’s Klaviyo account to the Ecomflows Platform. This DPA does not require physical signature and is effective from the date of such acceptance.
ANNEX I — Standard Contractual Clauses Details
Required by Implementing Decision (EU) 2021/914
A. List of Parties
Data exporter (Controller):
- Name: As identified in the Service Agreement
- Address: As provided during account registration
- Contact person: The Controller’s designated contact
- Activities relevant to the data transferred: Operation of an e-commerce business using email marketing and retention services via the Ecomflows Platform
- Role: Controller
Data importer (Processor):
- Name: Flows Marketing Solutions LLC, operating as Ecomflows
- Address: Wyoming, United States
- Contact person: legal@ecomflows.io
- Activities relevant to the data transferred: Provision of the Ecomflows SaaS Platform, including synchronization and analysis of Klaviyo account data for analytics, optimization, and reporting
- Role: Processor
B. Description of Transfer
- Categories of data subjects: End-consumers of the Controller (customers, subscribers, website visitors) whose data is stored in the Controller’s Klaviyo account
- Categories of personal data transferred: As described in Section 3 of this DPA (contact information, purchase data, behavioral events, device and location data, marketing engagement data, profile metadata)
- Sensitive data transferred: None intentionally. If sensitive data is present in Klaviyo profiles, the Controller is responsible for ensuring an appropriate legal basis.
- Frequency of the transfer: Continuous (automated synchronization via Klaviyo OAuth API)
- Nature of the processing: Collection, storage, organization, structuring, retrieval, analysis, aggregation, anonymization, erasure
- Purpose of the transfer: Provision of the Platform services as described in Section 2.2 of this DPA
- Retention period: As described in Section 14 of this DPA (deleted within 30 days of termination; aggregated anonymized data retained indefinitely)
C. Competent Supervisory Authority
The competent supervisory authority is determined in accordance with Section 13.3(e) of this DPA. The Processor’s lead supervisory authority is the Irish Data Protection Commission (DPC).
ANNEX II — Technical and Organizational Measures
Required by Implementing Decision (EU) 2021/914
The Processor implements the following technical and organizational measures, as further described in Section 8 of this DPA:
1. Encryption of Personal Data
- OAuth tokens encrypted at rest using AES-256-GCM with unique initialization vectors
- Database encryption provided by Google Cloud SQL managed encryption
- All data in transit encrypted via TLS 1.2 or higher
2. Ensuring Ongoing Confidentiality, Integrity, Availability, and Resilience
- Google Cloud Platform infrastructure (SOC 2 Type II, ISO 27001 certified)
- Network isolation and firewall rules
- Multi-factor authentication for administrative access
- Confidentiality agreements with all personnel
3. Ability to Restore Availability and Access to Personal Data in a Timely Manner
- Google Cloud SQL automated backups
- Infrastructure hosted across multiple availability zones within the EU region
4. Regular Testing, Assessing, and Evaluating Effectiveness
- Application error monitoring via Sentry (configured to exclude PII)
- Access logging and audit trails
- API access restrictions limiting access to authorized applications only
- Periodic review of access controls and IAM policies
5. User Identification and Authorization
- Identity and Access Management (IAM) policies restricting access to authorized personnel only
- Role-based access control within the Platform
- Firebase Authentication for user identity verification
6. Protection of Data During Transmission
- TLS 1.2+ for all API communications
- OAuth 2.0 with PKCE for Klaviyo API authentication
- Encrypted token storage (AES-256-GCM)
7. Protection of Data During Storage
- All Personal Data stored on Google Cloud Platform servers in the European Union
- Database-level encryption via Google Cloud SQL
- Application-level encryption of OAuth tokens
- Automated deletion on account disconnection
8. Physical Security of Locations at Which Personal Data Are Processed
- Google Cloud Platform data centers comply with SOC 2 Type II, ISO 27001, and ISO 27017 standards
- Physical access controls managed by Google as infrastructure provider
9. Events Logging
- Access logging for database and application servers
- Audit trails for administrative actions
- Error monitoring configured to exclude PII
10. System Configuration
- CORS / origin restrictions on API endpoints
- Principle of least privilege for service accounts
- Automated infrastructure deployment via Cloud Build
11. Internal IT and IT Security Governance
- Defined roles and access levels (admin, user, staff)
- Access to Personal Data limited to personnel who require it for the performance of Services
12. Certification/Assurance of Processes and Products
- Infrastructure provider (Google Cloud Platform): SOC 2 Type II, ISO 27001, ISO 27017
- Payment processor (Stripe): PCI-DSS Level 1
Version History
Version | Date           | Description
v1.0    | March 23, 2026 | Initial version
End of Data Processing Agreement v1.0