Flow MynaFLOW MYNA

Data Processing Addendum

Our commitment to protecting your data. Effective: February 2026, Version 1.0.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Flow Myna Ltd ("Flow Myna," "we," "us") and you ("Customer," "you") for the processing of personal data in connection with the Flow Myna service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that Customer uploads to or processes through the Flow Myna service.

"Data Protection Laws" means UK GDPR, EU GDPR (where applicable), and any other applicable data protection legislation.

"Process" (and its derivatives) means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

2. Roles and Responsibilities

Customer is the Data Controller. Customer determines the purposes and means of processing Personal Data uploaded to Flow Myna.

Flow Myna is the Data Processor. Flow Myna processes Personal Data only on Customer's documented instructions and solely to provide the service.

Customer warrants that it has all necessary rights and consents to upload Personal Data and authorise Flow Myna to process it as described in the Terms of Service. Where Customer uploads data containing employee identifiers or activity information, Customer is solely responsible for providing any required notices to employees, obtaining works council or union consent where applicable, and conducting any required Data Protection Impact Assessments for employee monitoring.

3. Processing Details

Subject matter

Provision of AI-powered process mining and analysis services.

Duration

For the term of the agreement, plus any retention period required for backup and legal compliance.

Nature and purpose

Processing event logs and business process data to provide process analysis, visualisation, and insights.

Types of Personal Data

May include employee identifiers, user IDs, timestamps, and other data contained in Customer's uploaded event logs.

Categories of data subjects

Customer's employees, contractors, customers, or other individuals whose activities are reflected in the uploaded process data.

4. Flow Myna's Obligations

Flow Myna shall:

  • a)Process Personal Data only on Customer's documented instructions, unless required by law (in which case we will notify Customer unless prohibited);
  • b)Ensure persons authorised to process Personal Data are bound by confidentiality obligations;
  • c)Implement appropriate technical and organisational security measures including encryption at rest and in transit, access controls, and regular security testing, as described in our Security Policy;
  • d)Assist Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within reasonable timeframes;
  • e)Notify Customer within 48 hours of becoming aware of a Personal Data breach, including the nature of the breach, categories of data affected, approximate number of data subjects, and measures taken or proposed;
  • f)Assist Customer with Data Protection Impact Assessments and prior consultations with supervisory authorities where required;
  • g)Upon termination, delete or return Personal Data within 30 days at Customer's choice. Upon request, provide written certification of deletion. Data remaining in backup systems will be isolated, not actively processed, and used only for disaster recovery purposes until deleted within 90 days, unless retention is required by law.

5. Sub-processors

Customer authorises Flow Myna to engage sub-processors to assist in providing the service. Current sub-processors are listed on our Security page. This includes third-party AI providers (currently OpenAI and Anthropic) who process Customer data solely under Flow Myna's documented instructions to provide AI-powered features of the service. These providers are contractually prohibited from using Customer data for model training or any purpose other than providing the service.

Flow Myna will provide at least 30 days' advance written notice of any intended changes to sub-processors, giving Customer the opportunity to object on reasonable grounds. If Customer objects and the parties cannot resolve the objection within 15 days, Customer may terminate this DPA and the affected services. Flow Myna ensures all sub-processors are bound by data protection obligations at least as protective as those in this DPA.

Flow Myna remains liable for the acts and omissions of its sub-processors.

6. International Transfers

Personal Data is primarily stored within the UK and EEA (Amsterdam, Netherlands). Data is transferred to the United States for processing by our AI sub-processors (OpenAI, Anthropic) and authentication provider (WorkOS). For all transfers outside the UK/EEA, appropriate safeguards are in place as described in Section 9.

7. Audit Rights

Flow Myna shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.

Such audits are subject to: (a) at least 30 days' advance written notice; (b) reasonable scope and duration; (c) confidentiality obligations binding the auditor; and (d) conducting audits during normal business hours with minimal disruption. Customer bears the costs of any audit unless it reveals material non-compliance.

8. US State Privacy Laws (CCPA/CPRA)

To the extent Flow Myna processes Personal Data subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA), Flow Myna acts as a "Service Provider" and agrees to:

  • a)Process Personal Data only for the specific business purposes set out in this DPA and the Terms of Service;
  • b)Not sell or share Personal Data as those terms are defined under CCPA/CPRA;
  • c)Not retain, use, or disclose Personal Data outside the direct business relationship with Customer;
  • d)Not combine Personal Data with data from other sources except as permitted for Service Providers;
  • e)Assist Customer in responding to consumer rights requests;
  • f)Notify Customer if Flow Myna determines it can no longer meet its CCPA/CPRA obligations.

Flow Myna certifies that it understands these restrictions and will comply with them.

9. General

This DPA is governed by the laws of England and Wales. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

For international transfers outside the UK/EEA, the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses shall apply. For EU data subjects, the EU Standard Contractual Clauses (2021 version, Module 2: Controller to Processor) shall apply. By accepting this DPA, Customer and Flow Myna are deemed to have executed the applicable Standard Contractual Clauses and/or UK IDTA. No separate signature is required. Copies are available on request.

By using the Flow Myna service and uploading data, Customer agrees to this DPA.

Contact Us

If you have any questions about this Data Processing Addendum, please contact us at:

Flow Myna Ltd

Email: legal@flowmyna.com