Last updated 2026-06-25 · Incorporated into the Terms of Service for business customers
For personal data you submit to the Service ("Customer Personal Data"), you are the Controller and Flow AI is the Processor, acting only on your documented instructions (which include your use of the Service and its settings). For account, billing, and security data we determine the purposes of, we act as an independent Controller under our Privacy Policy.
Subject matter: provision of the Flow AI routing and inference-gateway Service. Duration: the term of your account plus the retention window in §6. Nature & purpose: routing, transmitting, and processing requests to Upstream Providers and eligible operators to return AI outputs, plus billing and abuse prevention. Data types: the content of prompts/outputs you submit and account/usage metadata. Data subjects: you, your personnel, and any individuals referenced in your prompts.
You authorize Flow AI to engage the sub-processors and Upstream Providers listed at flowaiapi.com/subprocessors, including independent operators for eligible non-sensitive traffic. We impose data-protection obligations on sub-processors no less protective than this DPA and remain responsible for their performance. We will give at least 30 days' notice of a new sub-processor handling Customer Personal Data; you may object on reasonable data-protection grounds, in which case we will work with you in good faith or you may terminate the affected Service.
We maintain measures including: encryption in transit (TLS) and at rest for cached/stored data; least-privilege access controls; content-free routing (model selection never reads prompt content); automatic exclusion of secret/PII-flagged prompts from third-party operators; audit logging; and SOC 2-aligned practices (see Trust & security).
Operational logs are retained for 30 days; prompt/output content is processed transiently and not retained beyond that operational window (see the Data & Training Policy). On termination, we delete or return Customer Personal Data within a commercially reasonable period, except where retention is required by law.
Flow AI operates from Singapore and engages sub-processors and Upstream Providers in other jurisdictions outside Singapore (see the sub-processor list). Where required for transfers of EEA/UK personal data, the EU Standard Contractual Clauses (and the UK Addendum) are incorporated by reference, with Flow AI as data importer, and apply to onward transfers to sub-processors.
We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, with the information reasonably available to help you meet your notification obligations.
On reasonable request and subject to confidentiality, we will provide information necessary to demonstrate compliance with this DPA, including available third-party reports when issued.
This DPA is a standard template and is not legal advice. Business customers with specific requirements should contact legal@flowaiapi.com.