DATA PROCESSING AGREEMENT (DPA)
Last Updated: May 2026
This Data Processing Agreement (“DPA”) is entered into by and between Irina Kariachkina, an individual operating as a sole proprietorship (Ditta Individuale) registered in Italy, with a registered office at Via Rimini, 70, San Mauro Pascoli (FC), Italy, and Partita IVA 04762290403 (hereinafter referred to as the “Processor”), and the business entity utilizing the workflow automation services of bdflowai.com (hereinafter referred to as the “Controller”). This DPA is incorporated into and forms an integral part of the bdflowai.com Terms of Service.
1. Definitions
- “Personal Data”: Any information relating to an identified or identifiable natural person (as defined under the GDPR), or any information defined as “Personal Information” or “Personal Data” under applicable US Data Protection Laws.
- “AI Workflow System” (formerly “AI System”): The automated, email-driven artificial intelligence workflow pipeline and processing infrastructure provided by the Processor to handle inbound email optimization, capability matching, and status logging.
- “GDPR”: EU General Data Protection Regulation (2016/679).
- “AI Act”: EU Artificial Intelligence Act (Regulation 2024/1689).
- “US Data Protection Laws”: All applicable state and federal privacy laws in the United States relating to data protection, privacy, or security, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any comparable comprehensive state privacy laws as they come into effect.
2. Roles, Scope, and Technical Workflow
Roles and Compliance
The Processor acts as a Data Processor, and the Controller (the Client) acts as a Data Controller under the GDPR. The Processor shall process Personal Data solely on behalf of, and in strict accordance with, the automated email-driven and file-sharing triggers initiated by the Controller. Both parties agree to fulfill their respective statutory obligations under applicable US Data Protection Laws and the GDPR.
Subject Matter
The Processor provides an automated, email-driven AI workflow system designed to assist the Controller (Client A) with rapid email response drafting, capabilities matching, and pipeline tracking.
The Three-Party Flow
The processing explicitly involves data relating to the Controller (Client A) and third-party data subjects (Client B, such as Client A’s prospective buyers, partners, or candidates).
Technical Operations
The workflow consists strictly of three core operational modules triggered by email interactions:
- Inbound Analysis & Micro-Drafting: When the Controller forwards a Request for Proposal (RFP), inquiry, or email from Client B to the designated processing inbox (contact@bdflowai.com), the system parses the text, matches it against available reference materials, and returns an optimized draft confirmation/meeting-request response back to the Controller’s inbox for human review and final deployment.
- Reference Library Staging (Knowledge Base): The Controller may transmit background collateral, CVs, and capability statements via email. The Processor programmatically routes and stores these files in a dedicated Google Drive folder assigned to the Controller to provide necessary context for Module 1.
- Pipeline Logs & Status Reminders: Inbound metadata is logged sequentially. Once per week, an automated scenario compiles outstanding items and transmits a status-check compilation reminder email back to the Controller to update item statuses.
Controller’s Responsibilities and Data Minimization
The Controller warrants that they have the legal right and necessary consents to share any personal data contained in emails, CVs, proposals, or other collateral submitted to the Processor. The Controller assumes full responsibility for ensuring they do not submit “Special Categories of Personal Data” (as defined by GDPR Art. 9) or highly confidential trade secrets unless strictly necessary for the AI Workflow System’s output. The Processor relies entirely on the Controller’s assessment of confidentiality and legality for any files transmitted to the Processor’s Google Drive infrastructure.
Duration & Retention Cycles
The processing will endure for the lifecycle of the active service subscription, governed by two distinct operational retention parameters:
- Transient Logs & Triggers (Make.com): Data passing through the automation pipeline is routed confidentially. Execution payloads are processed transiently in RAM and are not written to persistent execution history logs.
- Archived Records & Reference Material (Google Workspace / Drive): Incoming email communications and transaction records are archived securely within the Processor’s Google Workspace inbox for business continuity and defensive tracking. CVs, capability documentation, and custom files explicitly uploaded by the Controller to build their context profile will be permanently maintained in secure Google Drive directories for the entire duration of the active subscription, and will be securely expunged upon formal termination of services.
3. Processor’s Obligations (GDPR Art. 28)
The Processor shall:
• Scope of Instructions: Process Personal Data strictly on behalf of, and in accordance with, the automated email-forwarding triggers and file-depositing actions initiated by the Controller. The Controller acknowledges that these automated system configurations constitute fully documented processing instructions under GDPR Article 28(3)(a), and the Processor will not manually intervene outside these predefined pipeline parameters.
• Confidentiality: Ensure that all personnel or contractors authorized to process Personal Data are under strict contractual or statutory confidentiality obligations.
• Security Measures: Implement appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, including encryption of data in transit and the utilization of Google Workspace and cloud enterprise-grade security architecture features.
• Data Minimization in Logs: Ensure that “Data is Confidential” parameters are actively enforced within the workflow configuration, guaranteeing that no persistent payloads of end-user Personal Data are maintained within Make.com execution logs or temporary processing buffers beyond transient operational execution in RAM.
• Data Deletion and Return: Retain Personal Data strictly in accordance with the lifecycles defined in Section 2. Upon formal termination of the services, or upon the explicit written request of the Controller, the Processor shall securely delete or return all Personal Data (including stored CVs, capability statements, and workflow logs) in its possession, unless applicable EU, Member State, or US law requires the continued preservation of specific communication archives.
• Sub-processor Compliance: Impose data protection obligations no less restrictive than those set out in this DPA on any engaged sub-processors, ensuring that all entities listed in Section 5 provide sufficient technical and organizational guarantees of compliance with GDPR and applicable US Data Protection Laws.
4. AI Act Transparency and Compliance (Art. 50)
• Technical Constraints and Provenance: The Controller acknowledges that the AI Workflow System operates asynchronously via email text generation. The Processor does not inject visible watermarks or alter standard transport-layer email headers of the Controller’s external communications. The Processor ensures that the underlying AI models utilized via the API maintain baseline compliance standard parameters required of general-purpose AI models.
• Deployer Transparency Obligations: The Controller acknowledges that under the EU AI Act, they act as the “Deployer” of the AI-generated content. The Controller assumes sole editorial responsibility for reviewing, modifying, and approving any draft responses provided by the system before transmitting them to third-party data subjects. The Controller agrees to fulfill any applicable legal obligations to inform end-users that the content was AI-generated, or ensure that substantial human review has occurred prior to final deployment.
5. Sub-processors
Approved Infrastructure
The Controller specifically approves the use of the following sub-processors for the execution and fulfillment of the AI Workflow System:
• Google Cloud & Google Workspace (Google LLC / Google Ireland Limited): Engaged to provide enterprise email routing infrastructure, cloud spreadsheet logging (Google Sheets), secure long-term document storage (Google Drive hosting of CVs and capability statements), and enterprise AI inference processing (via the Google AI Studio / Gemini API).
– Place of processing: Global (Any country in which Google or its agents maintain facilities).
• Make.com (Celonis, Inc.): Engaged as an infrastructure pipeline to handle automated workflow orchestration, message parsing, and endpoint routing.
– Processing Parameter: The Processor strictly implements “Data is Confidential” protocols within all Make.com scenario modules. Personal Data is processed transiently in volatile memory (RAM) during workflow execution and payloads are programmatically blocked from being written to persistent logs or history buffers.
– Place of processing: Germany / Czech Republic / USA (depending on regional infrastructure routing).
• Lemon Squeezy, LLC: Utilized as the Merchant of Record to handle secure B2B payment processing, corporate subscription lifecycle management, and global tax compliance for the Controller. It processes Controller business billing details and subscription status metadata necessary to authorize active workflow executions.
– Place of processing: USA.
Sub-processor Obligations
The Processor shall ensure that any engaged sub-processor is bound by a formal written agreement that imposes data protection obligations no less restrictive than those set out in this DPA, ensuring compliance with both the GDPR and applicable US Data Protection Laws.
Notification of Changes
The Processor shall maintain an up-to-date list of all authorized sub-processors on bdflowai.com or within its documentation. The Processor shall provide notice of any intended additions or replacements of sub-processors by updating this public list or via email communication at least fourteen (14) days prior to authorizing the new sub-processor to handle Personal Data. This timeframe affords the Controller a reasonable opportunity to object to such infrastructure adjustments on legitimate data protection grounds.
6. International Data Transfers
Transfer Mechanisms
The Controller acknowledges and agrees that the fulfillment of the AI Workflow System requires the cross-border transfer and processing of Personal Data to sub-processors located outside the European Economic Area (EEA), specifically the United States. To guarantee an adequate level of data protection in compliance with Chapter V of the GDPR, the parties agree that such transfers shall be governed by the following mechanisms:
– Data Privacy Framework (DPF): Where a US sub-processor (such as Google LLC) maintains an active certification under the EU-U.S. Data Privacy Framework, the parties shall rely on this adequacy decision for lawful transfers.
– Standard Contractual Clauses (SCCs): To the extent that the data transfers are not covered by an adequacy decision, the European Commission’s Standard Contractual Clauses (Module 2: Controller-to-Processor), as initialized and executed between the Processor and its respective sub-processors, are hereby incorporated into this DPA by reference and shall apply in full force to protect the data flow.
• Onward Transfers: The Processor covenants that it has executed, and will continue to execute, legally compliant data transfer agreements or SCCs with all third-party sub-processors listed in Section 5 who handle data outside the EEA, ensuring that onward transfers do not dilute the security or privacy protections established under this DPA.
7. Security and Breach Notification
• Security Architecture: The Processor shall maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. The Controller acknowledges and agrees that utilizing enterprise-grade infrastructure endpoints (Google Workspace, Google Drive, and API infrastructure) fulfills the Processor’s initial structural security obligations under this DPA.
• Data Breach Notification: The Processor shall notify the Controller without undue delay, and where feasible, no later than seventy-two (72) hours after becoming aware of any confirmed Personal Data Breach affecting the Controller’s routed data payloads or reference materials.
• Incident Information & Cooperation: To the extent technically available within the transient environment of the AI Workflow System, the notification shall provide the Controller with a description of the nature of the incident, the categories of data impacted, and any mitigation measures implemented. The Processor shall reasonably assist the Controller in meeting their statutory breach notification obligations under the GDPR and applicable US Data Protection Laws.