Data Processing Agreement

Last updated: February 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between POFlow ("Processor") and the Customer ("Controller"). It governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the POFlow service. The Processor processes personal data only as necessary to provide the service and in accordance with the Controller's documented instructions.

2. Types of Data Processed

The following categories of data may be processed:

  • User account information (email addresses, names, roles)
  • Purchase order documents (PDFs uploaded by the Controller)
  • Extracted data from purchase orders (part numbers, quantities, prices, vendor information)
  • Usage data (processing logs, API call metadata, extraction confidence scores)
  • Billing information (processed by Stripe as a sub-processor)

3. Data Processing Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure data security.
  • Not engage sub-processors without prior written authorization from the Controller.
  • Assist the Controller in responding to data subject access requests.
  • Delete or return all personal data upon termination of the service, at the Controller's choice.

4. Sub-Processors

The Processor currently uses the following sub-processors:

  • Supabase Inc. - Database hosting, authentication, and file storage (US region)
  • Vercel Inc. - Application hosting and content delivery
  • Anthropic PBC - AI-powered document extraction (data sent for processing only, not stored)
  • Stripe Inc. - Payment processing and billing management

The Controller will be notified at least 30 days before any new sub-processor is engaged, and may object to the addition of a new sub-processor.

5. Data Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-tenant data isolation using PostgreSQL Row-Level Security
  • Role-based access control with principle of least privilege
  • Regular security audits and vulnerability assessments
  • Automated backup with point-in-time recovery capability
  • Input validation and sanitization on all API endpoints

6. Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.

7. Data Retention and Deletion

Upon termination of the service agreement, the Processor will, at the Controller's choice, delete or return all personal data within 30 days. The Controller may export their data at any time through the service's export functionality. Backup copies will be deleted within 90 days of the termination date in accordance with the Processor's backup retention schedule.

8. Contact

For questions about this DPA or to request a signed copy, contact us at privacy@poprocessing.com.