This Data Processing Agreement ("DPA") is an integral part of the Terms of Use and governs the processing of personal data carried out by ClikFlow ("Processor") on behalf of the customer ("Controller"), pursuant to LGPD art. 7, V and art. 39.
By accepting the Terms of Use and using the platform to process third-party data, the customer automatically accepts this DPA.
When this DPA applies: whenever the customer uploads event logs that contain personal data belonging to their own clients, employees, or partners (e.g. names, employee IDs, transaction data attributable to individuals). The customer remains the Controller; ClikFlow processes as the Processor.
| Role | Description |
|---|---|
| Controller | The customer contracting the ClikFlow platform, who determines the purposes and means of processing the personal data contained in uploaded event logs. |
| Processor | ClikFlow — processes personal data according to the Controller's instructions and solely to deliver the contracted service. |
| Aspect | Description |
|---|---|
| Subject matter | Processing of personal data in event logs for process mining purposes (process discovery, conformance checking, bottleneck detection) |
| Nature | Collection, temporary storage, analytical processing, result generation |
| Purpose | Solely to deliver the process analysis service requested by the Controller |
| Duration | For the term of the contract; log files deleted within 2 hours after analysis; saved investigations retained until manually deleted by the Controller |
| Data types | Case identifiers, activities, timestamps; potentially names, user IDs, or other attributes present in the log |
| Data subjects | Employees, customers, or partners of the Controller whose data appears in the logs |
ClikFlow commits to:
The Controller represents and warrants that:
ClikFlow may engage sub-processors to deliver the service. All sub-processors are bound to data protection obligations equivalent to this DPA. The Controller grants general authorisation to the following sub-processors:
| Sub-processor | Service | Location | Compliance |
|---|---|---|---|
| Cloud hosting provider | Infrastructure, storage, compute | Brazil / USA | ISO 27001, SOC 2 |
| Database provider | Account data persistence | Brazil | ISO 27001 |
| Transactional email service | Email notifications | USA | SOC 2 Type II |
ClikFlow will notify the Controller 30 days in advance of any addition or replacement of sub-processors. The Controller may object within that period; if no agreement is reached, either party may terminate the contract without penalty.
ClikFlow implements the technical and organisational measures described in the Information Security Policy, including without limitation:
Where personal data is transferred outside Brazil (e.g. sub-processors in other countries), ClikFlow will ensure the transfer takes place on the basis of:
When a data subject exercises their rights (LGPD art. 18) directly with ClikFlow:
The Controller may, upon 30 days' written notice and at most once per year, request:
Upon termination of the contract, for any reason:
Each party is responsible for complying with its obligations under this DPA and the LGPD. In the event of a breach: