Data Processing Addendum
Last updated: 8 April 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and EventSkool Private Limited ("FlowSkool") and governs the processing of personal data within Customer Data.
1. Roles of the parties
With respect to personal data contained in Customer Data, the Customer is the data fiduciary / controller and FlowSkool is the data processor, processing such data only on the Customer's documented instructions, including as set out in the Terms and this DPA.
2. Processing details
- Subject matter: provision of the FlowSkool Service.
- Duration: for the term of the Customer's subscription, plus any legally required retention.
- Nature & purpose: hosting, storage, transmission and processing of contacts and communications to operate CRM, email, WhatsApp, Instagram and automation features.
- Data subjects: the Customer's contacts, leads, subscribers and recipients.
- Categories of data: identifiers (name, email, phone), engagement data, and any other data the Customer chooses to upload.
3. Processor obligations
- Process personal data only on the Customer's instructions and as permitted by law.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex B).
- Assist the Customer, taking into account the nature of processing, with data-subject requests and with security, breach and impact-assessment obligations.
4. Sub-processors
The Customer authorises FlowSkool to engage the sub-processors listed in Annex C. FlowSkool will impose data-protection obligations on sub-processors no less protective than this DPA, and will give notice of intended changes so the Customer may object on reasonable grounds.
5. Security & breach notification
FlowSkool maintains the measures in Annex B. On becoming aware of a personal-data breach affecting Customer Data, FlowSkool will notify the Customer without undue delay and provide information reasonably available to assist the Customer's own obligations.
6. Audits
FlowSkool will make available information necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allow for audits in a manner that does not disrupt the Service.
7. International transfers
Where personal data is transferred outside its country of origin, the parties will rely on a lawful transfer mechanism (such as GDPR standard contractual clauses) where applicable.
8. Return & deletion
On termination, FlowSkool will, at the Customer's choice, delete or return Customer Data within a reasonable period, save where retention is required by law. Customers may export data before termination.
Annex A — Details of processing
As described in Section 2 above.
Annex B — Technical & organisational measures
- Multi-tenant data isolation enforced by row-level security keyed to organisation ID.
- Role-based access control (Owner / Admin / Member / Viewer; restricted super-admin).
- Encryption of secrets and credentials; secrets stored outside application code.
- Signed webhooks and input sanitisation against injection and XSS.
- Access logging and audit trails on sensitive tables.
- Regular backups and a documented data-export capability.
Annex C — Approved sub-processors
| Sub-processor | Purpose |
|---|---|
| Supabase | Database & backend hosting |
| Amazon Web Services (SES) | Email delivery |
| Meta Platforms | WhatsApp / Instagram / Messenger APIs |
| Cashfree Payments | Payment processing |
| | OAuth & Sheets export |