CF
ClikFlow
Sign In Get Started
Data Processing Agreement · LGPD art. 39

DPA — Data Processing Agreement

Last updated: May 21, 2026 Version 1.0

This Data Processing Agreement ("DPA") is an integral part of the Terms of Use and governs the processing of personal data carried out by ClikFlow ("Processor") on behalf of the customer ("Controller"), pursuant to LGPD art. 7, V and art. 39.

By accepting the Terms of Use and using the platform to process third-party data, the customer automatically accepts this DPA.

When this DPA applies: whenever the customer uploads event logs that contain personal data belonging to their own clients, employees, or partners (e.g. names, employee IDs, transaction data attributable to individuals). The customer remains the Controller; ClikFlow processes as the Processor.

1 Parties
RoleDescription
Controller The customer contracting the ClikFlow platform, who determines the purposes and means of processing the personal data contained in uploaded event logs.
Processor ClikFlow — processes personal data according to the Controller's instructions and solely to deliver the contracted service.
2 Subject matter and nature of processing
AspectDescription
Subject matterProcessing of personal data in event logs for process mining purposes (process discovery, conformance checking, bottleneck detection)
NatureCollection, temporary storage, analytical processing, result generation
PurposeSolely to deliver the process analysis service requested by the Controller
DurationFor the term of the contract; log files deleted within 2 hours after analysis; saved investigations retained until manually deleted by the Controller
Data typesCase identifiers, activities, timestamps; potentially names, user IDs, or other attributes present in the log
Data subjectsEmployees, customers, or partners of the Controller whose data appears in the logs
3 ClikFlow's obligations (Processor)

ClikFlow commits to:

  • Processing personal data only in accordance with documented instructions from the Controller and within the scope of this DPA;
  • Ensuring that persons authorised to process the data are subject to confidentiality obligations;
  • Implementing appropriate technical and organisational measures to protect the data (see Security Policy);
  • Assisting the Controller in fulfilling its obligations to data subjects (access, correction, deletion, portability);
  • Deleting or returning all personal data at the end of the contract, as chosen by the Controller;
  • Making all information necessary to demonstrate compliance available and supporting audits;
  • Notifying the Controller within 72 hours of becoming aware of any data breach affecting data under this DPA.
4 Controller's obligations

The Controller represents and warrants that:

  • It holds an adequate legal basis (LGPD art. 7) for processing the personal data in the uploaded logs;
  • Data subjects have been duly informed about the processing, as required by LGPD art. 9;
  • It will not upload sensitive personal data (LGPD art. 11) without first notifying ClikFlow and obtaining approval;
  • It will inform ClikFlow of any data subject request that requires Processor support;
  • It will maintain a record of processing activities pursuant to LGPD art. 37.
5 Approved sub-processors

ClikFlow may engage sub-processors to deliver the service. All sub-processors are bound to data protection obligations equivalent to this DPA. The Controller grants general authorisation to the following sub-processors:

Sub-processorServiceLocationCompliance
Cloud hosting providerInfrastructure, storage, computeBrazil / USAISO 27001, SOC 2
Database providerAccount data persistenceBrazilISO 27001
Transactional email serviceEmail notificationsUSASOC 2 Type II

ClikFlow will notify the Controller 30 days in advance of any addition or replacement of sub-processors. The Controller may object within that period; if no agreement is reached, either party may terminate the contract without penalty.

6 Security measures

ClikFlow implements the technical and organisational measures described in the Information Security Policy, including without limitation:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256);
  • Access control with MFA and least-privilege principle;
  • Continuous monitoring and incident management;
  • Annual penetration tests by an independent specialist firm;
  • Geo-redundant backups with a 4-hour RTO.
7 International data transfers

Where personal data is transferred outside Brazil (e.g. sub-processors in other countries), ClikFlow will ensure the transfer takes place on the basis of:

  • A country with an adequate level of protection recognised by the ANPD; or
  • Standard contractual clauses; or
  • The data subject's specific consent, where applicable (LGPD art. 33, VIII).
8 Data subject rights

When a data subject exercises their rights (LGPD art. 18) directly with ClikFlow:

  • ClikFlow will forward the request to the Controller within 5 business days;
  • ClikFlow will support the Controller with the technical tools needed to fulfil the request (access, export, deletion);
  • The Controller remains responsible for the final response to the data subject.
9 Audit and compliance

The Controller may, upon 30 days' written notice and at most once per year, request:

  • Audit reports and compliance certifications (ISO 27001, SOC 2);
  • Security questionnaires (CAIQ, SIG, or equivalent);
  • On-site or remote audit at the Controller's expense, conducted by an independent auditor agreed by both parties.
10 Termination and data deletion

Upon termination of the contract, for any reason:

  • The Controller may export all data and saved investigations for up to 30 days after termination;
  • After 30 days, ClikFlow will permanently delete all Controller data;
  • ClikFlow will issue, upon request, a data deletion certificate.
11 Liability and indemnification

Each party is responsible for complying with its obligations under this DPA and the LGPD. In the event of a breach:

  • The breaching party shall be liable for damages directly caused by the breach;
  • ClikFlow's liability as Processor is limited to damages resulting from its failure to follow the Controller's instructions or this DPA;
  • The Controller shall indemnify ClikFlow against any third-party claims arising from the Controller's breach of its obligations as Controller.
12 DPO contact
DPO Data Protection Officer — ClikFlow
Email dpo@clikflow.com
Response Within 5 business days
Contents
  1. Parties
  2. Subject matter
  3. ClikFlow's obligations
  4. Controller's obligations
  5. Sub-processors
  6. Security measures
  7. International transfers
  8. Data subject rights
  9. Audit
  10. Termination and deletion
  11. Liability
  12. DPO contact
Security Policy → Privacy Policy →
CF
ClikFlow
© 2026 ClikFlow. All rights reserved.
Privacy Policy Cookie Policy Terms of Use Information Security DPA Data Subject Portal