Data Processing Addendum

Get an overview of our third-party data processors.

Updated today

This DPA explains how Picflow processes personal data on behalf of customers when providing the service, and how subprocessors are involved. If you're an Enterprise Customer, please contact your account manager.

TLDR

  • This DPA applies to self-serve customers using Picflow.

  • Customers generally control the personal data they upload or collect.

  • Picflow processes some data through vetted Subprocessors.

1. Scope

1.1 Relationship to Terms and Scope

This Data Processing Addendum (“DPA”) forms part of the Picflow Terms of Service and applies to self-serve customers (the “Customer”) when Picflow processes personal data on Customer’s behalf as a processor.

1.2 Applicable Data Protection Law

This DPA is intended to satisfy the requirements of Article 28 GDPR and, where applicable, the corresponding processor obligations under the revised Swiss Federal Act on Data Protection (“Swiss Data Protection Law”) and the UK GDPR (together, “Applicable Data Protection Law”).

2. Roles

  • Customer is the controller for Customer Content and End-user personal data processed within Customer Projects.

  • Picflow is the processor for such data, processing it on Customer’s instructions as described in the Terms and this DPA.

Picflow may act as a controller for its own account administration, billing, and marketing website operations.

3. Processing Details

3.1 Subject Matter and Duration

Picflow processes personal data to provide the Service for the subscription term and any reasonable wind-down period. By default, personal data within Customer Projects is retained in the Service as long as Customer keeps it there and Customer’s account is active. Picflow may also retain limited residual data (for example, in backups and certain logs) as described in Section 8 (Deletion and Return) and as necessary for legal compliance and security.

3.2 Nature and Purpose

Processing may include hosting, storage, transmission, display, access control, logging, support, and operational security.

3.3 Categories of Data Subjects

Customer Users and End-users (e.g., guests, reviewers, external collaborators) whose data is submitted to or generated within Customer Projects.

3.4 Categories of Personal Data

May include names, email addresses, account identifiers, Project participation data, comments/annotations, and technical logs (e.g., IP address and user agent) as needed to operate and secure the Service.

4. Customer Instructions

Customer instructs Picflow to process personal data to provide the Service and related support, and as otherwise documented in the Terms, product documentation, and Customer’s use/configuration of the Service.

5. Picflow Obligations

Picflow will:

  • process personal data only on documented instructions from Customer, unless required by law;

  • ensure personnel are bound by confidentiality obligations;

  • take all measures required pursuant to Article 32 GDPR (Security of processing), including implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk;

  • provide reasonable assistance with data subject requests where applicable;

  • assist Customer in ensuring compliance with Customer’s obligations pursuant to Articles 32 to 36 GDPR (Security of processing, breach notification, communication of a breach to data subjects, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Picflow;

  • notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data.

6. Subprocessors

Customer provides a general written authorization for Picflow to engage subprocessors to deliver the Service. A current list is maintained in Subprocessors.

6.1 Subprocessor Changes and Objections

Picflow will inform Customer of any intended additions or replacements of subprocessors by updating the Subprocessors page linked above, and such update will constitute notice for purposes of this DPA. Customer may object on reasonable data protection grounds by contacting Picflow as set out in the Contact section below within 14 days of the notice. If the parties cannot reasonably resolve the objection, Customer may terminate the Service before the subprocessor change takes effect.

6.2 Flow-Down of Obligations

Where Picflow engages a subprocessor for processing Customer personal data, Picflow will ensure the subprocessor is bound by equivalent data protection obligations as required by Article 28(4) GDPR by way of a written agreement (including electronic acceptance of applicable data processing terms), including appropriate confidentiality and security obligations and (where applicable) restrictions on further subcontracting.

7. International Transfers

Picflow’s primary hosting location is Ireland (EU). Customer Content (such as uploaded images and videos) is stored in Ireland (EU) and is not transferred outside the EU for hosting or storage.

Picflow is based in Switzerland, and Picflow and its subprocessors may access or process personal data in countries outside the country where Customer, Users, or End-users are located (including the United States).

Where personal data processed under this DPA is transferred to a country that is not recognized as providing an adequate level of protection under Applicable Data Protection Law (including Chapter V GDPR, Article 16 Swiss Data Protection Law, or the UK GDPR), Picflow will implement appropriate safeguards.

Depending on the Applicable Data Protection Law, such safeguards may include:

  • the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914) (“EU SCCs”);

  • where Swiss Data Protection Law applies, the EU SCCs supplemented by the Swiss adaptations required by the Swiss Federal Data Protection and Information Commissioner (FDPIC), including that:

    • references to the GDPR are interpreted to include Swiss Data Protection Law where relevant,

    • the FDPIC is the competent supervisory authority where required, and

    • Swiss data subjects are not excluded from rights and remedies under the EU SCCs; and

  • where the UK GDPR applies, the EU SCCs supplemented with the UK Addendum (or another valid UK transfer mechanism).

8. Deletion and Return

This Section 8 explains Picflow’s default retention, Customer-controlled deletion, and limited residual retention for Customer personal data processed under this DPA:

  • Default retention (platform-level). Customer personal data within Customer Projects (including End-user personal data tied to Customer Content) is retained in the Service as long as Customer’s account is active and Customer chooses to keep that content in the Service. Picflow may also retain certain technical logs and security records for a limited operational period as needed to provide, secure, and support the Service.

  • Customer-controlled deletion. Customer controls deletion through the Service (for example, by deleting Customer Content, removing End-users from Projects, or deleting the Customer account). Deletion requests initiated by Customer apply to the relevant Customer Content and End-user personal data tied to that content. Upon termination, Customer may download Customer Content to the extent the Service provides download functionality, for a reasonable period, after which Picflow will delete Customer personal data from active systems within a reasonable timeframe, unless retention is required by law or for backups.

  • Residual and legal retention. Even after deletion, some personal data may persist temporarily in (a) backups (which may be retained for up to one year) and (b) certain logs and security records for a limited period. This residual retention is limited, time-bound, and used only for legitimate purposes such as security, fraud prevention, legal compliance, dispute resolution, and enforcing applicable terms. Picflow will delete or anonymize such residual data in accordance with its retention practices once it is no longer needed.

9. Demonstrating Compliance

Picflow will make available to Customer the information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. As a default, Picflow will satisfy such requests by providing standard compliance materials (such as security summaries, questionnaires, and relevant third-party reports) where appropriate.

Customer may audit Picflow’s compliance with this DPA only to the extent reasonably necessary and subject to reasonable confidentiality, security, and scheduling requirements. Unless required by a supervisory authority, audits will be conducted remotely with reasonable advance notice and without unreasonable interference with Picflow’s operations. Customer will bear its own audit costs.


Contact

If you have questions or concerns about this Data Processing Addendum, please get in touch with us by email at privacy@picflow.com.
