Legal & compliance centre

Product-specific documents governing CleanFlow. GuardFlow agreements and policies remain separate.

Browse policies

CleanFlow Data Processing Agreement

Last updated: 15 July 2026.

This DPA forms part of the CleanFlow agreement. The Customer is the controller and FORGEAI STUDIO LTD is the processor for Customer Data, except where each party acts as an independent controller as described in the Privacy Notice.

1. Processing details

  • Subject: providing, securing, supporting and maintaining CleanFlow.
  • Duration: the subscription term plus the agreed export, retention and backup-deletion period.
  • Nature and purpose: hosting, organising, displaying, transmitting, backing up, troubleshooting and deleting Customer Data on documented instructions.
  • People: Customer staff, cleaners, contractors, applicants, client contacts, site visitors and authorised users.
  • Data: identity, contact, employment and availability data; schedules, attendance and location evidence; checklists, photos, inspections and documents; client, site, invoice and support records; device and audit data. Special-category or criminal-offence data is processed only where the Customer lawfully chooses to provide it and gives documented instructions.

2. Processor obligations

We will process Customer Data only on documented instructions, including lawful transfer instructions; ensure authorised personnel are bound by confidentiality; apply appropriate technical and organisational measures; notify the Customer if an instruction appears to infringe data-protection law; and provide reasonable information needed to demonstrate compliance.

3. Security and incidents

Measures include logical tenant isolation, role-based access, authentication controls, encryption in transit, managed infrastructure, audit logging, backup and recovery processes, vulnerability and dependency management, and incident procedures proportionate to risk. We will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Data and provide available information for the Customer’s assessment and notifications.

4. Sub-processors and transfers

The Customer gives general authorisation for sub-processors needed to deliver CleanFlow, including Supabase, Cloudflare, Resend and Stripe where relevant. We remain responsible for imposing materially equivalent data-protection obligations. We will give reasonable notice of a material new sub-processor; the Customer may object on reasonable data-protection grounds. Restricted transfers use a lawful UK transfer mechanism and supplementary measures where required.

5. Assistance

Taking account of the processing and information available, we will reasonably assist with data-subject requests, security, breach assessment, data-protection impact assessments and regulator consultation. Additional work outside normal service may be charged at an agreed reasonable rate where the need was not caused by our breach.

6. Return, deletion and audit

At the Customer’s choice and subject to law, we will return or delete Customer Data after termination. Residual encrypted backups are isolated and removed through normal rotation. Once per year, the Customer may request relevant compliance information; if that is insufficient, it may conduct a proportionate audit on reasonable notice, subject to confidentiality, security and avoiding disruption. Each party bears its own routine audit costs.

7. Priority and contact

If this DPA conflicts with the Terms on processing Customer Data, this DPA takes priority. Liability follows the signed agreement except where law requires otherwise. Data-protection requests: cleanflowsupport@novastacks.co.uk.