FlowRunner Data Processing Agreement (DPA)

Updated: January 28, 2025

This Data Processing Agreement (“DPA”) forms part of Backendless Corp.’s Terms of Service (Agreement). It applies to Backendless Services, including the FlowRunner platform, when the processing of User Personal Data is subject to the GDPR. This DPA supplements the Agreement to address data processing and protection obligations under applicable law.

Definitions

Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Agreement or applicable Data Protection Laws.

  • User Personal Data: Personal Data uploaded to or published, displayed, or processed using Backendless Services, including FlowRunner.
  • FlowRunner: A no-code and AI-driven automation platform provided by Backendless Corp. as part of the Backendless Services.
  • GDPR: The General Data Protection Regulation (EU) 2016/679, along with national implementing laws in any EU Member State, as updated from time to time.
  • Personal Data, Personal Data Breach, Data Subject, Controller, Processor, and other terms: Shall have the meanings assigned to them in Article 4 of the GDPR.

Processing of User Personal Data

  1. Roles and Responsibilities:
    • For the purposes of this DPA, the Customer is the Controller of User Personal Data, and Backendless is the Processor, except when the Customer acts as a Processor, in which case Backendless is a sub-Processor.
    • If the Customer is a Processor, the Customer warrants that its instructions to Backendless regarding User Personal Data have been authorized by the relevant Controller.
  2. Processing Instructions:
    • Backendless will only process User Personal Data according to the Customer’s written instructions and solely for the purpose of providing Backendless Services, including FlowRunner.
  3. Compliance with Laws:
    • Each party will comply with its respective obligations under the GDPR. The Customer will ensure it has obtained all necessary consents and rights to allow Backendless to process User Personal Data in compliance with this DPA.
  4. Data Transfers:
    • Customer acknowledges that Backendless may process User Personal Data in countries outside the EU. Backendless will ensure appropriate safeguards for such transfers to comply with applicable law.
  5. Customer Accountability:
    • Backendless relies on Customer-provided instructions for processing User Personal Data. Backendless is not liable for claims arising from Customer-provided instructions that breach applicable data protection laws.

Security Measures

Backendless implements and maintains technical and organizational measures to protect User Personal Data. This includes:

  • Data Encryption: All workflows processed by FlowRunner are encrypted during transmission using industry-standard protocols.
  • Access Controls: Secure authentication and role-based access are enforced for Backendless systems.
  • Confidentiality: Backendless employees and contractors with access to User Personal Data sign confidentiality agreements and receive appropriate training.

Security Breaches

  1. Notification:
    • If Backendless becomes aware of a Personal Data Breach, it will notify the Customer without undue delay and provide details of the breach.
  2. Mitigation:
    • Backendless will promptly take steps to mitigate the breach and prevent future occurrences.
  3. Customer Responsibilities:
    • Customers are responsible for their compliance with breach notification laws and fulfilling any third-party notification obligations.

Customer’s Security Responsibilities

The Customer is responsible for:

  1. Securing its systems, devices, and access credentials used to interact with Backendless Services.
  2. Reviewing Backendless’s Security Measures to ensure they meet the Customer’s security requirements.
  3. Implementing additional safeguards as necessary to protect sensitive data.

Data Deletion

  1. During the Agreement:
    • Customers can delete User Personal Data through the Services. Deleted data is irretrievable once removed.
  2. After Termination:
    • Upon termination, Backendless will delete User Personal Data within 30 days unless retention is required by law.

Data Protection Impact Assessment

Backendless will assist the Customer, subject to applicable fees, in conducting data protection impact assessments (DPIAs) or consultations with regulatory authorities, as required under GDPR.

Order of Precedence

In the event of inconsistencies between the terms of this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data processing and protection matters.

Contact Information

If you have questions about this DPA or need to exercise your data protection rights, please contact:

Backendless Corp.
7701 Lemmon Ave, Ste 260,
Dallas, TX 75209

Email: privacy@backendless.com