Data Processing Agreement
Last updated: 26 June 2026 · Compliant with UK GDPR Article 28
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: The Client organisation engaging 2-IC DATA SYSTEMS for data migration services, as identified in the project Statement of Work.
- Data Processor: 2-IC DATA SYSTEMS, registered in England and Wales, operating the Flow-X platform at flow-x.madethis.app.
This DPA is incorporated into and forms part of the Terms of Service for all engagements involving the processing of personal data.
2. Nature and Purpose of Processing
2-IC DATA SYSTEMS processes personal data solely for the purpose of performing CRM and ERP data migration services as described in the agreed Statement of Work. Processing activities may include: extraction, transformation, validation, migration, and deletion of personal data records held within the Client's source and target systems.
2-IC DATA SYSTEMS acts as a data processor only. It does not use Client personal data for any other purpose, including its own marketing, analytics, or product development.
3. Types of Personal Data & Data Subjects
The categories of personal data and data subjects depend on the content of the Client's CRM or ERP system. Typical categories include:
- Data subjects: the Client's customers, prospects, partners, and employees whose records are held in the source system.
- Data categories: names, email addresses, phone numbers, job titles, company affiliations, transaction history, CRM notes, and any other fields present in the source dataset.
The Client warrants that it has a lawful basis for holding and transferring such data to 2-IC DATA SYSTEMS for migration purposes.
4. Processor Obligations
In accordance with UK GDPR Article 28, 2-IC DATA SYSTEMS shall:
- Process personal data only on documented instructions from the Controller (i.e. the agreed SOW and these Terms), unless required by UK law.
- Ensure that persons authorised to process the personal data are subject to a duty of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 8).
- Not engage sub-processors without prior written consent of the Controller (general authorisation is provided by acceptance of these Terms for the sub-processors listed in Section 6).
- Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to data subject rights requests.
- Assist the Controller in ensuring compliance with Articles 32–36 (security, breach notification, DPIA) of UK GDPR.
- At the choice of the Controller, delete or return all personal data after the provision of services, and delete existing copies (unless retention is required by law). Standard deletion occurs within 30 days of project close.
- Make available all information necessary to demonstrate compliance and allow for and contribute to audits and inspections by the Controller or its appointed auditor.
5. Controller Instructions
The Controller's processing instructions are documented in the Statement of Work for each project. The Controller shall not instruct the Processor to process personal data in a manner that would violate UK GDPR or any other applicable data protection law. Where the Processor believes an instruction would lead to such a violation, it will notify the Controller promptly.
6. Sub-Processors
The Controller provides general written authorisation for 2-IC DATA SYSTEMS to engage the following sub-processors, subject to the conditions in this DPA:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Platform hosting and edge delivery | USA (SCCs) |
| Convex Inc. | Database and serverless backend | USA (SCCs) |
| Stripe Inc. (via MadeThis platform) | Payment processing | USA (SCCs) |
| PostHog Inc. | Product analytics (non-migration data only) | EU |
2-IC DATA SYSTEMS shall notify the Controller of any intended changes to sub-processors at least 14 days in advance, giving the Controller the opportunity to object. Each sub-processor is engaged under a written contract containing data protection obligations equivalent to those in this DPA.
7. Data Transfers Outside the UK
Where personal data is transferred to processors in countries outside the UK that do not benefit from a UK adequacy regulation, 2-IC DATA SYSTEMS relies on the UK's International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses to ensure an adequate level of protection.
8. Technical & Organisational Security Measures
2-IC DATA SYSTEMS implements the following measures (UK GDPR Article 32):
- Encryption of personal data at rest and in transit (TLS 1.2+ / AES-256)
- Role-based access controls — only project team members access Client data
- Isolated project workspaces per engagement — no data co-mingling between clients
- Regular access reviews and credential rotation
- Audit logs for all data access events
- Secure deletion of migration data within 30 days of project completion
- Staff confidentiality obligations
- Incident response plan aligned with 72-hour breach notification requirement
9. Breach Notification
In the event of a personal data breach affecting Client data, 2-IC DATA SYSTEMS will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will include, to the extent available: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
10. Data Deletion Post-Migration
Upon completion or termination of a migration project, 2-IC DATA SYSTEMS will, within 30 calendar days:
- Securely delete all copies of Client personal data from project workspaces
- Instruct sub-processors to delete their copies where applicable
- Provide a written confirmation of deletion upon request
Anonymised or aggregated data (containing no personal data) used solely for internal quality assurance may be retained. Backups subject to retention by law will be overwritten in the normal course of system operation.
11. Audit Rights
The Controller may, upon reasonable written notice (minimum 14 days), request information to verify compliance with this DPA, or commission an independent audit. Audits must be conducted at the Controller's expense, during business hours, and must not unreasonably disrupt our operations. We may satisfy audit requests by providing current third-party certifications or summary reports where these demonstrate compliance.
12. Contact
For DPA queries, data subject rights assistance, or to request a countersigned copy of this DPA for enterprise procurement, contact our Data Protection Officer at team@flow-x.madethis.app.