Data Processing Addendum
Last updated: May 3, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between SegmentFlow.ai ("Processor") and the customer ("Controller") governing the Controller's use of the SegmentFlow.ai Service. It applies whenever the Processor processes Personal Data on behalf of the Controller and is incorporated by reference into the Terms of Service.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, or the California Consumer Privacy Act ("CCPA") as applicable. "Personal Data", "Data Subject", "Processing", and "Sub-processor" carry their GDPR meanings.
2. Roles and Scope
The Controller determines the purposes and means of Processing. The Processor processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
3. Subject Matter, Duration, Nature, and Purpose
- Subject matter: Provision of AI-powered email marketing, segmentation, and analytics services.
- Duration: For the term of the Controller's subscription, plus any retention period required by law or described in our Privacy Policy.
- Nature and purpose: Storing, organizing, analyzing, and transmitting Personal Data to deliver segmentation, campaign generation, sending, and reporting features.
- Categories of Data Subjects: Controller's customers, prospects, and email recipients.
- Categories of Personal Data: Contact details (name, email), order and engagement history, IP and device metadata, and any additional data the Controller chooses to upload.
4. Processor Obligations
The Processor will:
- Process Personal Data only on the Controller's documented instructions, including those given through configuration of the Service.
- Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest, access controls, and audit logging.
- Assist the Controller, taking into account the nature of the Processing, in responding to Data Subject requests under Articles 12–22 GDPR.
- Assist the Controller in ensuring compliance with the obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation).
- Notify the Controller without undue delay, and within 72 hours where feasible, after becoming aware of a Personal Data Breach affecting the Controller's data.
5. Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors to deliver the Service. A current list of Sub-processors is maintained at /sub-processors. The Processor will provide at least 30 days' prior notice of any new Sub-processor by updating that page; Controllers who wish to receive change notifications by email may contact support@segmentflow.ai to be added to the Sub-processor notice list. The Controller may object to a new Sub-processor on reasonable grounds within 30 days of notice.
The Processor remains liable for its Sub-processors' acts and omissions and imposes data protection terms on each Sub-processor that are no less protective than this DPA.
6. International Data Transfers
Where Personal Data subject to the GDPR is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties agree to rely on the Standard Contractual Clauses approved by the European Commission (Decision 2021/914), incorporated by reference as Annex A, with the UK International Data Transfer Addendum where applicable. For CCPA purposes, the Processor acts as a "service provider" and will not sell or share Personal Data.
7. Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. On reasonable written notice, and no more than once per twelve-month period unless required by a supervisory authority or following a Personal Data Breach, the Controller may audit the Processor's compliance through review of third-party certifications, completed security questionnaires, or — where strictly necessary — an on-site audit conducted under mutually agreed scope and confidentiality terms.
8. Return or Deletion of Data
On termination of the Service, and at the Controller's choice, the Processor will delete or return all Personal Data processed on the Controller's behalf, and delete existing copies, unless retention is required by applicable law. Standard deletion completes within 30 days of termination.
9. Liability and Order of Precedence
The liability provisions of the Terms of Service apply to claims under this DPA. In the event of any conflict between this DPA and the Terms of Service in respect of Processing of Personal Data, this DPA prevails.
10. Acceptance and Counterparts
This DPA is pre-signed by SegmentFlow.ai and is deemed accepted by the Controller upon use of the Service. Customers requiring a countersigned copy for procurement records may request one from support@segmentflow.ai.
Annex A — Standard Contractual Clauses
The EU Standard Contractual Clauses (Module Two: Controller to Processor), with the UK International Data Transfer Addendum, are incorporated by reference where required. A copy of the executed clauses is available on request from support@segmentflow.ai.