Data Processing Terms
Review how we process Customer Personal Data on behalf of business customers, including security, service providers, and deletion.
Last updated: March 31, 2026
1. Purpose and Scope
These Data Processing Terms (formerly referred to as our Data Processing Addendum, or DPA) form part of the agreement governing use of Bisonflow by a customer that submits or manages personal data in the service. They apply to the extent KYC SOFTWARE LIMITED processes Customer Personal Data on the customer's behalf under applicable data protection law.
If your organization needs a signed or procurement-specific version of this DPA, contact contact@bisonflow.com.
2. Roles
Customer is the controller or business customer for Customer Personal Data that it or its users choose to submit into the service for workspace, project, documentation, and collaboration purposes.
KYC SOFTWARE LIMITED acts as processor or service provider for that Customer Personal Data when we host, store, retrieve, transmit, organize, secure, or otherwise process it to provide the service.
For certain limited data such as account, billing, fraud-prevention, support, and service-improvement records, we may act as an independent controller where applicable law recognizes a separate-controller role.
3. Processing Details
- Subject matter: provision of the Bisonflow SaaS, including project operations, workspace collaboration, file handling, AI-enabled workflows, and related support.
- Duration: for the subscription term and any limited post-termination period required to complete deletion, return, support, legal retention, or security obligations.
- Nature of processing: collection, storage, organization, retrieval, hosting, structuring, transmission, deletion, and related processing needed to run the service.
- Categories of data subjects: customer personnel, workspace members, administrators, contractors, and other individuals whose data the customer chooses to include in the service.
- Categories of personal data: identifiers, business contact details, workspace content, task and document content, comments, attachments, prompts, transcripts, and related usage metadata.
4. Our Obligations
- Process Customer Personal Data only on documented customer instructions as reflected in the customer's use of the service and the governing agreement, unless law requires otherwise.
- Use personnel and subprocessors subject to confidentiality and access restrictions appropriate to their roles.
- Implement and maintain reasonable technical and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, or unlawful processing.
- Provide information reasonably needed to help the customer address applicable data protection obligations, taking into account the nature of processing and the information available to us.
5. Customer Obligations
- Customer is responsible for its instructions, lawful basis, transparency, and permissions for any Customer Personal Data it submits to the service.
- Customer must not use the service to submit data that it is not authorized to process or to use the service in violation of applicable law.
- Customer is responsible for managing workspace access, administrator permissions, and account hygiene within its organization.
6. Security Measures
Our security measures are designed to include authenticated access controls, encrypted communications, vendor-managed infrastructure protections, logging and monitoring for operational security, and measures intended to limit access to authorized personnel and processors.
Because the service uses third-party infrastructure and processors, some measures are implemented through those providers as part of the service stack.
7. Subprocessors
Customer authorizes us to use subprocessors that support delivery of the service. We will remain responsible for our subprocessors to the extent required by applicable law and our agreement with the customer.
Our current list of service providers is available at Service Providers.
8. International Transfers
Customer authorizes us and our subprocessors to process Customer Personal Data in countries where we or they operate, provided that we use safeguards reasonably designed to protect the transferred data where required by applicable law.
If the customer needs additional information about transfer mechanisms relevant to its use case, it may contact contact@bisonflow.com.
9. Deletion and Return
During the subscription term, the customer can generally access and manage Customer Personal Data through product functionality. After termination or expiration, we will delete or return Customer Personal Data within a reasonable period, except where retention is required for legal, tax, accounting, security, dispute-resolution, backup, or fraud-prevention purposes.
10. Incidents, Audits, and Questions
If we confirm an incident affecting Customer Personal Data that legally requires notice, we will notify the customer without undue delay as required by applicable law and the circumstances.
We will provide information reasonably necessary for the customer to understand our processing posture, subject to confidentiality, security, and proportionality limits.
Questions about these terms should be sent to contact@bisonflow.com.