1. Definitions
Terms not defined here have the meaning given in the GDPR or in the Eli Terms of Service.
- Customer Personal Data: personal data that FlowVolt processes on behalf of the Customer in connection with the Service.
- Data Subject: the individual to whom Customer Personal Data relates.
- Sub-processor: any third party engaged by FlowVolt to process Customer Personal Data.
- Supervisory Authority: the competent data protection authority, including the Dutch Autoriteit Persoonsgegevens.
- Tenant: the Customer's isolated environment within the Service, including its connected workspace, voice profile, and learning history.
2. Roles and scope
The Customer is the data controller and FlowVolt is the data processor in respect of Customer Personal Data. FlowVolt processes Customer Personal Data only on the Customer's documented instructions, as set out in this DPA, the Terms of Service, the public offer on the Eli website, and any applicable Order Form, unless required to do otherwise by EU or Member State law (in which case FlowVolt will inform the Customer of that requirement, unless prohibited by law).
3. Nature and purpose of processing
FlowVolt processes Customer Personal Data to operate the Eli team inside the Customer's Tenant. The processing activities include:
- Reading messages, calendar events, files, and source code from the Connected Tools that the Customer authorises, in order to draft work in context.
- Drafting and proposing outbound messages, replies, follow-ups, content, research notes, and code, with every externally visible action gated by the Customer's one-tap approval.
- Tuning the team's voice and routing using the Customer's approvals, edits, and outcomes (the "nightly learning loop"), strictly within the Customer's Tenant.
- Operating the dashboard, the approval queue, the audit log, and the reporting that the Customer uses to supervise the team.
- Maintaining the Service, including security monitoring, backups, and incident response.
4. Categories of data subject and personal data
4.1 Data subjects
- The Customer's employees, contractors, and other personnel who use or are referenced in the Service.
- Third parties the Customer interacts with through the Connected Tools, such as customers, prospects, candidates, suppliers, and other business contacts that appear in inbox, calendar, chat, or code review threads.
4.2 Categories of personal data
For the Customer's own personnel: name, work email address, role, company, account credentials, and the Customer's voice and writing samples used for tuning.
For third parties referenced in the workspace: name, work email address, role, company, message content, calendar event content, file content, and any other personal data that appears in the data the Customer has authorised the team to read.
FlowVolt does not knowingly process special categories of personal data (Art. 9 GDPR) or personal data relating to criminal convictions (Art. 10 GDPR) on the Customer's behalf, unless FlowVolt has specifically agreed to this in writing.
5. Duration
This DPA remains in force for as long as FlowVolt processes Customer Personal Data on behalf of the Customer. Upon termination of the Service, FlowVolt will, at the Customer's choice, delete or return all Customer Personal Data within 30 days, unless EU or Member State law requires further storage. The Customer keeps every asset the team produced.
6. FlowVolt's obligations
FlowVolt will:
- Process Customer Personal Data only on the Customer's documented instructions.
- Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality.
- Implement the technical and organisational measures set out in Annex A.
- Engage sub-processors only in accordance with section 8.
- Assist the Customer, by appropriate technical and organisational measures, in responding to requests from Data Subjects exercising their GDPR rights.
- Assist the Customer in complying with its obligations under Articles 32 to 36 GDPR (security, breach notification, impact assessment, prior consultation).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR, and contribute to audits as described in section 12.
- Promptly inform the Customer if, in FlowVolt's opinion, an instruction infringes the GDPR or other EU or Member State data protection law.
7. Security
FlowVolt implements the technical and organisational measures described in Annex A, including tenant isolation, encryption in transit and at rest, role-based access controls, audit logging, vulnerability management, and incident response. FlowVolt reviews these measures regularly and may update them, provided the level of protection is not reduced.
8. Sub-processors
8.1 General authorisation
The Customer grants FlowVolt general authorisation to engage Sub-processors, subject to the conditions in this section. A current list of Sub-processors is set out in Annex B.
8.2 Changes to sub-processors
FlowVolt will notify the Customer of any intended change to the list of Sub-processors at least 14 days in advance, giving the Customer the opportunity to object on reasonable data-protection grounds. If the Customer objects, the parties will discuss in good faith. If no resolution is reached, the Customer may terminate the affected portion of the Service without penalty.
8.3 Conditions for sub-processors
FlowVolt will impose on each Sub-processor, by written contract, data protection obligations that are no less protective than those in this DPA. FlowVolt remains fully liable to the Customer for the performance of its Sub-processors.
9. International transfers
FlowVolt's primary infrastructure is located within the EU. Where Customer Personal Data is transferred outside the EU/EEA (for example, to certain AI inference providers), FlowVolt will rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, on supplementary safeguards as required by case law (including Schrems II) and EDPB guidance, to ensure an essentially equivalent level of protection.
10. Data subject rights
FlowVolt will, taking into account the nature of the processing, assist the Customer with appropriate technical and organisational measures, as far as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR. If a Data Subject contacts FlowVolt directly with such a request, FlowVolt will forward the request to the Customer without undue delay and not respond to the Data Subject directly other than to acknowledge receipt and refer them to the Customer.
11. Personal data breach
FlowVolt will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent then available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and to mitigate its possible adverse effects.
12. Audit rights
FlowVolt will, on reasonable prior notice and no more than once per calendar year (or following a confirmed personal data breach), allow the Customer or a qualified, independent third-party auditor that is not a competitor of FlowVolt to audit FlowVolt's compliance with this DPA, subject to confidentiality obligations and reasonable scoping. FlowVolt may satisfy audit requests by providing third-party audit reports, certifications, or attestations (such as SOC 2 or ISO 27001) where they are available and reasonably cover the audit scope.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits a Data Subject's right to compensation under Article 82 GDPR.
14. Governing law and jurisdiction
This DPA is governed by Dutch law. Any dispute arising out of or in connection with this DPA will be brought before the competent courts of Utrecht, the Netherlands, unless mandatory law provides otherwise.
15. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data. In the event of a conflict between this DPA and the EU Standard Contractual Clauses (where they apply), the SCCs prevail.
Annex A · Technical and organisational measures
FlowVolt implements the following measures, as relevant to the nature of the processing and the state of the art. These measures are reviewed and updated regularly.
A.1 Access control
- Role-based access control with least-privilege principles.
- Multi-factor authentication for all personnel access to production systems.
- Centralised identity provider with logged authentication events.
- Periodic access reviews and immediate revocation on role change or termination.
A.2 Tenant isolation
- Each Customer's data, voice profile, and learning history are isolated to that Customer's Tenant.
- No Customer's data is used to train models for any other Customer.
- Connected Tool credentials are stored as scoped OAuth tokens, never as raw passwords, and can be revoked by the Customer at any time.
A.3 Encryption
- TLS 1.2 or higher for all data in transit.
- AES-256 or equivalent for data at rest in the primary database (Supabase EU, Frankfurt).
- Secrets and OAuth tokens stored in a dedicated secrets manager with envelope encryption.
A.4 Network and infrastructure security
- EU-only hosting for the primary application stack (Vercel EU, Supabase EU Frankfurt, Modal EU regions where available).
- Web application firewall and rate limiting on public endpoints.
- Segregation between production, staging, and development environments.
A.5 Operational security
- Automated dependency scanning and patching.
- Continuous logging of access, queries, agent actions, and administrative operations.
- Documented incident response plan with defined roles and escalation paths.
- Encrypted, versioned backups with documented restore procedures.
A.6 Approval queue and human oversight
- Every externally visible action drafted by the team is held in an approval queue until the Customer approves it.
- Every approval and rejection is logged with the identity of the approving user and the timestamp.
- The Customer can pause the team or revoke any Connected Tool at any time, immediately stopping the team's access.
A.7 Organisational measures
- Confidentiality obligations on all personnel and contractors.
- Data protection training for personnel who handle Customer Personal Data.
- Written data processing agreements with all Sub-processors that meet GDPR Article 28 requirements.
- Records of processing activities maintained per Article 30 GDPR.
Annex B · Sub-processors
The following Sub-processors are currently engaged to deliver Eli. The list is updated as the Service evolves; material changes are notified under section 8.2.
| Provider | Location | Purpose |
|---|---|---|
| Vercel Inc. | EU hosting | Static and edge hosting for the Eli website and dashboard |
| Supabase Inc. | Frankfurt, EU | Primary database, authentication, and storage for Tenant data |
| Modal Labs | EU regions where available | Serverless compute for agent execution |
| Anthropic | US, GDPR-aligned with SCCs | Large language model inference for drafting, classification, and voice generation |
| Postmark | US, with SCCs | Transactional email from the platform (approval notifications, billing) |
| Resend | US, with EU options | Transactional email for product notifications |
The following are connected by the Customer and act as Sub-processors only to the extent that the team reads from or writes to them on the Customer's behalf. The Customer's contract with each provider also governs the use of that service.
| Provider | Role | Purpose |
|---|---|---|
| Google Workspace | Customer-connected | Inbox, calendar, and files accessed under the Customer's OAuth grant |
| Microsoft 365 | Customer-connected | Inbox, calendar, and files accessed under the Customer's OAuth grant |
| Slack | Customer-connected | Channels, threads, and direct messages accessed under the Customer's OAuth grant |
| Source code hosts (e.g. GitHub) | Customer-connected | Repositories and issues accessed under the Customer's OAuth grant, where the Customer enables the developer agent |
FlowVolt has signed data processing agreements with all Sub-processors that act on its behalf and reviews them on an ongoing basis.
Contact
Questions about this DPA, or requests for a signed counterpart, can be sent to info@flowvolt.nl.