Data processing agreement

Flovaly DPA.

Our standard processor agreement for business customers under UK GDPR and EU GDPR. Linkable, signable, and applied to every paid Flovaly account by default.

1. Parties and roles

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer") and Flovaly ("Processor") under which Flovaly provides its AI content generation platform (the "Service"). For all personal data processed by Flovaly in the course of providing the Service to the Customer, the Customer is the Controller and Flovaly is the Processor, in each case as defined under the UK GDPR and the EU GDPR. Where Customer is itself a processor acting on behalf of a third party controller, Flovaly is a sub-processor.

2. Subject matter and duration

The subject matter of the processing is the provision of the Service. The duration of the processing is the term of the Customer’s subscription plus any retention period required to comply with legal obligations or as set out in section 9 below.

3. Nature and purpose of processing

Flovaly processes personal data to authenticate users, deliver requested AI generations (image, video, voice, lip-sync), bill the Customer, store generated content for retrieval, and operate, secure, and improve the Service. We do not use Customer personal data or generated content to train AI models.

4. Categories of data subjects

End users of the Customer’s Flovaly workspace (employees, contractors, or other individuals the Customer authorises), and any data subjects whose likeness, voice, or other personal data appears in content uploaded by the Customer (for example, in character reference images or face-swap source material).

5. Categories of personal data

Account data (email address, display name, authentication identifiers), billing metadata (Stripe customer ID, subscription tier, plan history — full card data is held only by Stripe), usage data (job logs, credit transactions, IP addresses, request timestamps), generated content (images, videos, audio), and Customer-supplied input content (reference images, prompts, scripts, voice samples). Customer is responsible for ensuring it has lawful basis to upload any personal data of third parties.

6. Sub-processors

Flovaly engages the following sub-processors to deliver the Service. Customer authorises this list as of the "last updated" date below. Material additions will be notified by email or in-app announcement at least 14 days before they take effect, giving Customer an opportunity to object.

Infrastructure
· Vercel Inc. — application hosting, edge network, analytics (USA / EU)
· Supabase Inc. — authentication, primary database (EU West, AWS Frankfurt / Ireland)
· Cloudflare Inc. — R2 object storage for generated media (EU jurisdiction, distributed edge)
· Upstash Inc. — Redis queue infrastructure for background workers
· Railway Corp. — worker container hosting

AI model providers
· fal.ai (Features and Labels Inc.) — image generation and face swap inference
· Kling AI (Kuaishou Technology) — video generation, voice synthesis, and lip sync
· Replicate Inc. — fallback model inference
· ElevenLabs Inc. — voice synthesis (where Customer selects an ElevenLabs voice)

Payments and ops
· Stripe Payments Europe Ltd. — subscription billing and payment processing (controller for cardholder data)
· Sentry (Functional Software Inc.) — application error monitoring

Each sub-processor is bound by contractual obligations no less protective than this DPA, including obligations of confidentiality and to assist with data subject rights.

7. International transfers

Where Flovaly or a sub-processor transfers personal data outside the UK or EEA, the transfer is made on the basis of the UK International Data Transfer Addendum or the EU Standard Contractual Clauses (Module 2 or Module 3 as applicable), or to a jurisdiction with a valid adequacy decision. Flovaly will, on request, provide Customer with the relevant transfer documentation for the sub-processors listed above.

8. Security

Flovaly maintains technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption of data in transit (TLS 1.2+) and at rest (provider-managed), role-based access control, audited administrative actions, environment separation between production and non-production systems, payment data handled exclusively by Stripe (PCI DSS Level 1), and application error monitoring via Sentry. A current summary is published at /security.

9. Data subject rights and assistance

Flovaly will, taking into account the nature of the processing, assist Customer in fulfilling its obligations to respond to data subject requests under the UK GDPR and EU GDPR (access, rectification, erasure, restriction, portability, objection). Customer can carry out most rights requests directly through the Service — end users can export and delete their own data via Settings. For requests Customer cannot fulfil itself, email general@flovaly.com with the subject line "DSAR" and we will respond within five business days.

10. Personal data breach notification

Flovaly will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer personal data. The notification will describe the nature of the breach, likely consequences, and measures taken or proposed to address it. Notifications will be sent to the email address Customer has nominated as its security contact, or to the account admin email on file.

11. Audits

Flovaly will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Where Customer requires further audit, Flovaly will provide, on request and subject to confidentiality, summaries of any third-party security assessments and responses to a reasonable industry-standard security questionnaire. On-site audits are available for enterprise customers under a separate agreement.

12. Term and termination

This DPA takes effect when Customer accepts the Flovaly Terms of Service and continues for the duration of the subscription. On termination, Flovaly will delete or return all personal data within 30 days, unless retention is required by law. Backup copies are purged on the provider’s rolling backup schedule (typically within 35 days).

13. Return and deletion of data

Customer can export generated content directly from the Service. To delete an account and all associated personal data, an end user can use the delete-account function in Settings, which triggers an immediate cascade deletion of database records and Supabase auth identity. To request bulk deletion at the workspace level, email general@flovaly.com.

14. Liability and governing law

This DPA is governed by the same law and jurisdiction as the underlying Flovaly Terms of Service. The liability provisions of the Terms of Service apply to this DPA. In the event of a conflict between this DPA and the Terms of Service in respect of data protection, this DPA prevails.

15. Contact

For DPA queries, signed counterparts, or to nominate a security contact for breach notifications, email general@flovaly.com.

Last updated: 2026-06-09