Last updated January 29, 2025
Introduction
1.1. This Data Processing Agreement forms part of and is integrated into the Agreement between You and Us governing Our provision of any doFlo-branded Services to You. If and to the extent We Process Your Personal Data within the scope of the Agreement, this Data Processing Agreement including its Annexes (collectively, the "DPA") shall apply to such Processing activities.
1.2. "Controller", "Processor", "Data Subject", “Commercial Purpose”, “Sell”, and "Process/Processing/Processed" shall have the meanings given in applicable Data Protection Laws. If and as may be defined under applicable Data Protection Laws: the term "Personal Data" shall be deemed to include concepts of "Personal Information" or "Personally Identifiable Information"; the term “Data Subject” shall be deemed to include concepts of “Principal” or “Consumer”; and the term “Controller” shall be deemed to include concepts of “Service Provider” or “Personal Information Handling Business Operator”. Any capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement.
1.3. By entering into the Agreement, You also enter into this DPA on behalf of Yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of Your Affiliates, employees and any third parties whose Personal Data You may provide Us in the context of the Services. You hereby authorize Us to Process such Personal Data in accordance with this DPA.
1.4. In case of any conflict, individual terms of this DPA shall take precedence over individual terms of the Agreement. Where individual terms of this DPA are invalid or unenforceable, the validity and enforceability of the other terms of this DPA shall not be affected.
Purpose and scope
2.1. With regard to the Processing of Personal Data, You are the Controller and determine the purposes and means of Processing of Personal Data. You appoint Us as a Processor. We shall Process Personal Data on Your behalf only for the purposes detailed in Annex I, unless We receive further documented instructions from You.
Celonis DPA for doFlo (Version January 2025) CONFIDENTIAL
2.2. You shall be solely responsible for compliance with Your obligations as Controller under applicable Data Protection Laws, including, but not limited to, the lawful disclosure and transfer of Personal Data to Us.
2.3. Processing by Us shall only take place for the duration of the Services as specified in the Agreement.
Obligations of Processor
3.1. We shall Process Your Personal Data only as set forth herein, unless otherwise required to do so under applicable Data Protection Laws. In such case, We shall inform You of the legal requirement before Processing, unless such law prohibits Us from doing so. Subsequent instructions may also be given by You throughout the duration of the Processing of Your Personal Data, provided that such instructions are in the scope of the Agreement and documented.
3.2. We shall promptly inform You if, in Our opinion, instructions given by You infringe applicable Data Protection Laws. We shall be entitled to suspend performance against such instruction until You confirm or modify such instruction in accordance with all applicable Data Protection Laws.
3.3. We shall correct or erase Your Personal Data if instructed by You and where included in the scope of the instructions. Within thirty (30) days of the expiry of Your Subscription Term or termination of the Agreement for any reason, and at Your request, We will either (i) securely destroy or render unreadable, undecipherable, or unrecoverable or (ii) deliver to You or Your designees all Personal Data in Our possession, custody, or control, and certify such deletion upon Your request. This obligation shall not apply to the extent applicable Data Protection Laws or competent authority requires retention for a specified period, in which event We shall isolate and protect the Personal Data from any further Processing except and to the extent required by such law.
3.4. To the extent We receive data that cannot be associated with an identified or identifiable individual from or on Your behalf, We shall take reasonable measures to ensure that the data continues not to be associated with an identified or identifiable individual and shall not attempt to reidentify the data unless expressly directed otherwise by You.
3.5. We shall notify You if We are not able to comply with Our obligations as set forth herein or under applicable Data Protection Laws.
3.6. When acting as Processor for the Personal Data, We shall not (i) Sell the Personal Data, (ii) retain, use or disclose the Personal Data for any Commercial Purpose, or (iii) combine the Personal Data with information received from another source.
3.7. Unless prohibited by applicable law, We shall promptly notify You on becoming aware of any notice, inquiry, investigation, audit, administrative sanction or fine by a supervisory authority, related to the Personal Data We Process on Your behalf.
3.8. Taking into account the nature of the Processing and the information available to Us, if You request, We shall reasonably assist You in carrying out a data protection impact assessment in cases where the Processing is likely to result in a high risk to the rights and freedoms of natural persons, and shall reasonably assist You in any required consultations with a supervisory authority.
Security of the Processing
4.1. We reserve the right to update the measures and safeguards implemented, provided, however, that the level of security shall not materially decrease during Your Subscription Term.
4.2. In assessing the appropriate level of security, We shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the Data Subjects, as well as the likelihood and likely severity of any breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Personal Data ("Personal Data Breach").
4.3. Access to the Personal Data by Our personnel shall be strictly limited to those individuals who need such access to implement, manage and monitor the Services. Any personnel authorized to access the Personal Data have committed themselves to confidentiality obligations similar to the confidentiality terms of the Agreement or are under an appropriate statutory obligation of confidentiality.
Documentation and Audits
5.1. We shall document Our compliance with the obligations agreed in this DPA.
5.2. Upon Your request, and subject to the confidentiality obligations set forth in the Agreement, We shall make available to You or Your independent third-party auditor information regarding Our compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits.
5.3. If and only to the extent that the information made available to You, as per Clause 4 (b) above, cannot reasonably demonstrate Our compliance with the provisions of this DPA, You may request an on-site audit of the procedures relevant to the Processing activities by contacting isms@celonis.com. Such audit will be conducted upon 30 days' prior written notice, at most once per calendar year, during regular business hours, without interfering with Our operations, and subject to the execution of a confidentiality agreement. You may request more frequent audits only in the event We notify You of a Personal Data Breach that concerns Your Personal Data or when a supervisory authority requires such an audit. Such an audit will be conducted by an independent third-party auditor reasonably acceptable to Us. Each party shall bear its own costs related to any audit. Before the commencement of an on-site audit, the parties shall mutually agree upon the scope, timing, and duration of the audit. You shall promptly provide Us with information regarding any noncompliance discovered during the course of an audit.
International Transfers
6.1. If You are domiciled in the European Economic Area (“EEA”) and are contracting with Celonis, Inc., We shall abide by the terms of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as set out in Module Two (Controller to Processor) (“SCC”), which is deemed incorporated herein by this reference. The SCC shall apply to Celonis Inc. in its role as the “data importer.” The SCC shall apply to You and, to the extent legally required, all of Your Affiliates established within the European Union, the European Economic Area and/or its member states, and/or Switzerland, in their role as “data exporters.” The International Data Transfer Addendum attached to the SCC shall apply to You and, to the extent legally required, all of Your Affiliates established within the United Kingdom, in their role as “data exporters.” Annex I to this DPA shall fulfill the requirements of Annex I.B (Description of Transfer) of the SCCs.
6.2. If You are domiciled in the EEA and contracting with a Celonis entity also domiciled in the EEA, We will only transfer Personal Data outside the EEA, Switzerland and the United Kingdom where We have complied with Our obligations under applicable Data Protection Laws, e.g. by implementing Standard Contractual Clauses in accordance with the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Transfer Requirement”). In the event of any conflict or inconsistency between this DPA and any potential Transfer Requirement, the Transfer Requirement shall prevail.
6.3. In the event that applicable Data Protection Laws require additional terms between the parties related to a cross-border transfer of Personal Data, the parties will work together in good faith to execute such additional terms.
Data Subject Requests
7.1. We shall promptly notify You of any request We receive from a Data Subject, provided We are able to correlate that Data Subject to You based on the information provided by the Data Subject. We shall not respond to the request, unless authorized to do so by You or required by Data Protection Laws.
7.2. Taking into account the nature of the Processing, We will reasonably assist You to fulfill Your obligations as Controller to respond to Data Subject requests.
7.3. We shall not be liable in cases where You fail to respond to a Data Subject's request completely, correctly, in a timely manner, or otherwise in accordance with Data Protection Laws.
Personal Data Breach
8.1. You shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Your Personal Data.
8.2. In the event of a Personal Data Breach, We shall cooperate with and reasonably assist You to comply with Your obligations under applicable Data Protection Laws, taking into account the nature of Processing and the information available to Us.
8.3. In the event of a Personal Data Breach by Us, We shall notify You without undue delay after becoming aware of the breach. Such notification shall contain, to the extent known: (a) a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned); (b) the details of a contact point where more information can be obtained; (c) its likely consequences and the measures taken to address the breach.
8.4. You shall send the contact details of the person to notify in case of Personal Data Breaches to security-incident@celonis.com.
8.5. Where, and insofar as, it is not possible to provide all of the information specified in (b) above at the same time, the initial notification shall contain the information then-available and further information shall, as it becomes available, subsequently be provided without undue delay.
Final Provisions
9.1. Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement.
9.2. This DPA constitutes the entire agreement between the parties regarding Our Processing activities, and supersedes all prior and contemporaneous agreements, proposals and representations, whether written or oral, concerning the subject matter hereof. We may update this DPA from time to time. Any revised version shall become effective upon renewal of Your Subscription under the Agreement.
9.3. If You are domiciled in the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom, this DPA is subject to the laws of the country in which You are domiciled. For all other cases, this DPA is subject to the laws applicable to the Agreement. For any disputes arising out of or in connection with this DPA, the parties submit to the exclusive jurisdiction of the courts established in the country whose laws govern this DPA.
Description of the Processing
Categories of Data Subjects whose Personal Data is Processed
Employees of the Controller.
Further categories of Data Subjects, depending on the Controller's use of the Services.
Categories of Personal Data Processed
User Account related data such as name, username/ID, contact details, log and protocol data.
Further categories of Personal Data, depending on the Controller's use of the Services.
Nature of the Processing
Provision of the doFlo Service: The Cloud Service provides tools and features to integrate and automate various third-party applications, websites and services maintained by the Controller. Personal Data is primarily used to provide access to the Service by the Processor. If Personal Data is used for application-related usage analysis, the data will be anonymized.
Support Services: Personal Data of Controller's employees issuing Support Services requests ("tickets") may be Processed by Processor for the purposes of administering the Support Services. Processor's personnel may access Controller's instance on a case-by-case basis if requested by the Controller.
Purpose(s) for which the Personal Data is Processed on behalf of the Controller
Rendering of the Services by the Processor to the Controller, as agreed in the Agreement between the parties
Processing initiated by Users in the course of their use of or access to the Services
Processing to comply with other reasonable and documented instructions provided by the Controller that are consistent with the terms of the Agreement.
Duration of the Processing
The duration of the Processing equals the applicable Subscription Term.