Generated by the resolutionflow-legal skill from a code scan of the FastAPI
backend + React frontend on commit 0564646. Each document is a starting
point for attorney review, not legal advice.
Includes:
- privacy-policy.md, terms-of-service.md, cookie-policy.md (public-facing)
- dpa.md (contractual; signed with MSP customers)
- subprocessor-list.md (Railway, Anthropic, Voyage, Stripe, Resend, Sentry,
PostHog, Google Fonts — confirmed live as of scan)
- data-inventory.md + classification.md (Phase 1/2 working files)
- attorney-review-checklist.md (consolidated [LEGAL REVIEW] punch list)
- implementation-verification.md (claim-by-claim audit vs. actual code)
Three blocking issues filed before public publication:
- #175 deletion-on-offboarding (or rewrite retention claims)
- #176 narrow Sentry send_default_pii + Session Replay config
- #177 EU/UK consent for PostHog + Google Fonts
Public-facing documents intentionally route physical-mail requests through
support@ rather than publishing the LLC's registered address.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Data Processing Agreement
Effective Date: 2026-05-14 Version: 1.0
DRAFT — not legal advice. This DPA was generated from a code scan with reasonable defaults. Commercial-risk provisions (audit rights, breach SLA, sub-processor notice period, liability allocation) are flagged for attorney calibration.
This Data Processing Agreement ("DPA") supplements the Terms of Service ("Terms") between ResolutionFlow LLC ("ResolutionFlow," "we," "us," or "Processor") and the customer identified in the applicable subscription or order form ("Customer," "you," "your," or "Controller"). This DPA applies to ResolutionFlow's processing of Personal Data on behalf of Customer in connection with the Services.
Where the Terms and this DPA conflict regarding the processing of Personal Data, this DPA controls.
1. Definitions
Terms not defined here have the meanings given in the Terms. The following terms have the meanings set forth below:
- "Applicable Data Protection Laws" means all laws and regulations applicable to the parties' processing of Personal Data, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other US state comprehensive privacy laws in force.
- "Customer Data" means the data Customer or its authorized users submit to the Services or that ResolutionFlow retrieves on Customer's behalf from connected systems.
- "Personal Data" means any information within Customer Data relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws. "Personal Information" has the meaning under CCPA/CPRA and is included within Personal Data for purposes of this DPA.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by ResolutionFlow to process Personal Data on Customer's behalf.
- "Processing" has the meaning given under Applicable Data Protection Laws and includes any operation performed on Personal Data, whether automated or not.
- "Data Subject Request" means a request from a Data Subject to exercise rights under Applicable Data Protection Laws.
2. Roles and scope
2.1 Roles
For Customer Data containing Personal Data:
- Customer is the Controller (or, where Customer itself processes on behalf of its own customers, the Processor) of the Personal Data.
- ResolutionFlow is the Processor acting on Customer's documented instructions.
Under CCPA/CPRA terminology, ResolutionFlow acts as a Service Provider to Customer.
2.2 Chain of processing
Customer acknowledges that, where Customer is itself a Processor acting on behalf of its own end-clients (for example, an MSP processing PSA data on behalf of its IT-service clients), ResolutionFlow acts as a Sub-processor to Customer in that chain. Customer represents that it has the legal authority under its agreements with its end-clients to appoint ResolutionFlow as a Sub-processor.
2.3 Subject matter and details
The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are described in Annex A.
2.4 Documented instructions
ResolutionFlow processes Personal Data only on Customer's documented instructions. The Terms, this DPA, and Customer's configuration and use of the Services constitute Customer's complete and final instructions for processing.
If ResolutionFlow believes an instruction violates Applicable Data Protection Laws, it will inform Customer without undue delay and may suspend that processing.
2.5 No use for ResolutionFlow's purposes
ResolutionFlow will not retain, use, sell, share, or disclose Personal Data for any purpose other than performing the Services for Customer, except:
- For internal use to operate, secure, and improve the Services in a manner consistent with Customer's instructions and using de-identified or aggregated information
- As required by law
ResolutionFlow will not "sell" or "share" Personal Data as those terms are defined under CCPA/CPRA, and will not combine Customer's Personal Data with personal information received from other sources except as permitted under CCPA/CPRA service-provider exemptions.
3. ResolutionFlow obligations
3.1 Compliance
ResolutionFlow will comply with Applicable Data Protection Laws in performing its obligations under this DPA.
3.2 Confidentiality
ResolutionFlow will ensure that personnel authorized to process Personal Data are bound by written confidentiality obligations.
3.3 Security measures
ResolutionFlow will implement and maintain appropriate technical and organizational measures designed to protect Personal Data, as described in Annex B.
3.4 Sub-processors
3.4.1 Authorization
Customer authorizes ResolutionFlow to engage the Sub-processors listed in Annex C (the current list is also published at the Subprocessor List).
3.4.2 Notification of new Sub-processors
ResolutionFlow will provide at least 30 days' prior notice of any new Sub-processor by updating the Subprocessor List and notifying Customer through the Services or by email. [LEGAL REVIEW: 30 days is a common baseline; some enterprise buyers will insist on 60-90 days]
3.4.3 Objection
Customer may object to a new Sub-processor on reasonable data-protection grounds by notice to support@resolutionflow.com within the notice period. If the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Services and receive a prorated refund of prepaid fees for the unused period.
3.4.4 Sub-processor obligations
ResolutionFlow will impose on each Sub-processor data-protection obligations materially equivalent to those in this DPA, and ResolutionFlow remains liable to Customer for the performance of its Sub-processors' obligations.
3.5 Assistance to Customer
ResolutionFlow will provide reasonable assistance to Customer in:
- Responding to Data Subject Requests, taking into account the nature of the processing and information available to ResolutionFlow
- Ensuring compliance with security, breach-notification, and data-protection-impact-assessment obligations under Applicable Data Protection Laws
ResolutionFlow may charge for assistance that exceeds the scope of standard Services usage, at its then-current rates.
3.6 Data Subject Requests
If ResolutionFlow receives a Data Subject Request directly relating to Customer Data, it will promptly forward the request to Customer and will not respond except on Customer's instruction or as required by law.
3.7 Personal Data Breach
ResolutionFlow will notify Customer of a confirmed Personal Data Breach affecting Personal Data without undue delay and in any event within 72 hours of confirming the Breach. The notification will include, to the extent known:
- Nature of the Breach
- Categories and approximate number of Data Subjects and records affected
- Likely consequences
- Measures taken or proposed to address the Breach
ResolutionFlow will provide reasonable cooperation in Customer's regulatory notifications. [LEGAL REVIEW: 72 hours follows the GDPR baseline; some enterprise buyers demand 24-48 hours]
3.8 Audit rights
3.8.1 Information
ResolutionFlow will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including by providing copies of relevant third-party audit reports (such as SOC 2, when available).
3.8.2 Audit
Where third-party reports are insufficient to satisfy Customer's legitimate audit needs, Customer (or an independent auditor mutually agreed by the parties) may, on at least 30 days' written notice and not more than once per 12-month period, conduct an audit of ResolutionFlow's data-protection practices. Audits will be conducted during business hours, will not unreasonably interfere with ResolutionFlow's operations, and will be subject to confidentiality obligations. Customer bears its own audit costs.
3.8.3 SCC audits
For audits required under Standard Contractual Clauses, those clauses prevail to the extent of inconsistency.
4. Customer obligations
4.1 Lawful basis
Customer represents and warrants that it has all necessary rights, consents, and legal bases to share Personal Data with ResolutionFlow and to authorize the processing described in this DPA. This includes, where Customer is acting on behalf of its own end-clients, having appropriate agreements in place authorizing ResolutionFlow's processing.
4.2 Permitted data categories
Customer will not submit (and will use reasonable efforts to prevent its users from submitting) to the Services:
- Special categories of Personal Data under GDPR Article 9 (or analogous categories under other Applicable Data Protection Laws) except as appears incidentally in ticket content
- Protected Health Information as defined under HIPAA, unless a Business Associate Agreement is in place between Customer and ResolutionFlow
- Payment card data, other than Stripe-collected payment information for ResolutionFlow's own billing
- Government-issued identifiers (Social Security numbers, passport numbers, driver's license numbers) of third parties
4.3 Data Subject communications
Customer is responsible for providing notices to Data Subjects regarding ResolutionFlow's processing under this DPA, and for responding to Data Subject Requests, with ResolutionFlow's reasonable assistance as set out in Section 3.5.
5. International transfers
5.1 Transfers from the EEA, UK, and Switzerland
To the extent ResolutionFlow's processing involves transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country not subject to an adequacy decision, the parties agree:
- For EEA transfers: the Standard Contractual Clauses (Module 2 — Controller to Processor, or Module 3 — Processor to Processor, as applicable) approved by the European Commission in Decision 2021/914 are incorporated by reference and apply as if set out in full.
- For UK transfers: the UK Addendum to the EU SCCs (issued by the UK ICO) is incorporated by reference.
- For Swiss transfers: the SCCs apply with appropriate adaptations under Swiss law.
The Module(s), the parties' roles, optional clauses, and Annex content are specified in Annex D.
5.2 EU-US Data Privacy Framework
If ResolutionFlow becomes certified to the EU-US Data Privacy Framework (or its UK or Swiss extensions), the parties may, at Customer's election, rely on that certification as the transfer mechanism in lieu of the SCCs. [LEGAL REVIEW: consider applying for DPF certification when eligible]
6. Term, return, and deletion
6.1 Term
This DPA applies for as long as ResolutionFlow processes Personal Data on Customer's behalf.
6.2 Return or deletion
Upon termination of the Services, ResolutionFlow will, at Customer's election:
- Make Personal Data available for export through the Services for 30 days following termination, OR
- Provide a one-time export of Personal Data in a structured, commonly-used format upon Customer's reasonable request
After the export window, ResolutionFlow will delete or anonymize Personal Data, except where retention is required by law. ResolutionFlow will certify deletion upon request. [LEGAL REVIEW: today, deletion of account-scoped Personal Data on customer offboarding is not automated. Either implement scheduled deletion or rewrite this section to describe the actual flow. We strongly recommend the former before signing this DPA with enterprise customers.]
6.3 Backup retention
Customer acknowledges that Personal Data may persist in routine backups for up to 90 days after deletion, and that ResolutionFlow will not actively delete Personal Data from backups but will not restore deleted Personal Data from backups except to recover from a system failure.
7. Liability
The Terms govern allocation of liability between the parties, except that any provisions of the SCCs governing liability between the parties under those clauses apply in addition to (and not in limitation of) the Terms.
8. Order of precedence
To the extent of any conflict regarding the processing of Personal Data, the order of precedence is:
- The Standard Contractual Clauses (where they apply)
- This DPA
- The Terms
9. General
9.1 Modifications
ResolutionFlow may update this DPA to reflect changes in Applicable Data Protection Laws or its operations, provided that no update will materially reduce the protections afforded to Customer or Personal Data without Customer's consent.
9.2 Severability
If any provision of this DPA is held unenforceable, the remaining provisions remain in effect.
9.3 Entire agreement on processing
This DPA, together with its Annexes and the SCCs (where applicable), constitutes the entire agreement between the parties regarding processing of Personal Data under the Services.
9.4 Notices
Notices under this DPA may be sent to support@resolutionflow.com. For service of legal process or any notice requiring a physical mailing address for ResolutionFlow LLC, contact support@resolutionflow.com to receive the appropriate address.
Annex A — Description of Processing
Subject matter: Processing of Personal Data within Customer Data as necessary to provide the Services.
Duration: For the term of Customer's subscription, plus the export and deletion windows in Section 6.
Nature and purpose: Hosting, storing, transmitting, displaying, indexing, embedding, analyzing, and otherwise processing Customer Data as necessary to deliver the Services. This includes AI-assisted features that involve transmission of Personal Data to designated Sub-processors, generation of resolution notes and escalation packages, computation of vector embeddings for similarity search, and write-back to Customer's PSA platform when instructed by Customer.
Types of Personal Data (illustrative, not exhaustive):
- Names, email addresses, phone numbers, and job titles of Customer's personnel
- Names, email addresses, phone numbers, and contact records of Customer's end-clients and their personnel (as they appear in PSA records, tickets, and notes)
- Tenant/site identifiers (e.g., ConnectWise company IDs), configuration data, and infrastructure identifiers (hostnames, IP addresses) that appear in ticket content
- Free-text content submitted by Customer's users to ticket intake, AI sessions, chat threads, scratchpads, escalation reasons, resolution summaries, feedback, and similar fields
- Files uploaded by Customer's users (PDFs, DOCX, images, log files) and text extracted from them
- AI conversation transcripts that incorporate any of the above
- Audit-log records of Customer's users' actions, including IP addresses
Categories of Data Subjects:
- Customer's personnel and authorized users
- Customer's end-clients and their personnel (where Customer is itself a Processor or service provider to those end-clients)
- Other individuals whose Personal Data appears in tickets, communications, files, or system records routed through the Services
Sensitive data: Customer is instructed not to submit sensitive categories. Incidental sensitive data appearing in free-text ticket content is processed only as part of the broader ticket and is not used by ResolutionFlow for any sensitive-data-specific purpose.
Annex B — Technical and Organizational Measures
[LEGAL REVIEW: this annex mirrors actual implementation as of the scan date. Update before contracting with each new enterprise customer.]
ResolutionFlow implements the following technical and organizational measures:
B.1 Encryption
- In transit: TLS for all production traffic between Data Subject browsers, the Services, and Sub-processors
- At rest — infrastructure layer: Customer Data stored in PostgreSQL and object storage is encrypted at rest by our infrastructure provider (Railway). [LEGAL REVIEW: verify Railway encryption-at-rest attestation]
- At rest — application layer: PSA integration credentials (e.g., ConnectWise public and private keys) are additionally encrypted at the application layer using Fernet (AES-128-CBC + HMAC-SHA256) with a key derived from a server-side secret via HKDF-SHA256
- Passwords: stored as bcrypt hashes with a work factor of 12; plaintext passwords are never stored
B.2 Access control
- Role-based access control within Customer accounts (super_admin, account owner, admin, engineer, viewer)
- Tenant isolation at the database layer using PostgreSQL row-level security keyed on account_id
- Principle of least privilege for ResolutionFlow personnel access
- Authentication of users via email + password (bcrypt-hashed) or federated OAuth (Google, Microsoft)
- JWT-based session tokens with short-lived access tokens (5 minutes) and rotated refresh tokens bounded by idle and absolute session limits
B.3 Network and infrastructure security
- Hosting on infrastructure providers that maintain industry-standard security certifications
- Network segmentation between production and non-production environments
- Patching and dependency management processes
- Monitoring for unauthorized access via centralized logs and error monitoring
- Rate limiting on authentication endpoints
B.4 Operational security
- Confidentiality obligations binding all personnel with access to Personal Data
- Documented incident response procedures [LEGAL REVIEW: confirm an incident response plan is documented]
- Security awareness expected of personnel [LEGAL REVIEW: formalize annual training when team grows]
B.5 Data isolation
- Logical separation of Customer Data between Customer tenants enforced at the database (RLS) and application layers
- Global tables (such as platform-wide flow templates and step categories) contain no Personal Data
- Cross-tenant access is restricted to ResolutionFlow super-admin personnel acting under audit
B.6 Auditing and logging
- Audit logs of administrative actions, role changes, account ownership transfers, and security-sensitive events
- Error and performance monitoring via Sentry with sampled traces and Session Replay
- Product-analytics events via PostHog identified by user and account
B.7 Business continuity
- Regular backups of the production database maintained by Railway
- Backups retained for up to 90 days
- Recovery procedures exercised periodically [LEGAL REVIEW: formalize an RTO/RPO target]
B.8 Sub-processor oversight
- Data Processing Agreement in place with each Sub-processor
- Periodic review of Sub-processors' security postures
Annex C — Authorized Sub-processors
The authoritative list, including data categories, regions, and links to each Sub-processor's DPA, is published at the Subprocessor List and is incorporated into this DPA by reference. Customer will be notified of changes as described in Section 3.4.
As of the Effective Date, the authorized Sub-processors are:
| Sub-processor | Service | Location | DPA |
|---|---|---|---|
| Railway Corp. | Application hosting, PostgreSQL, object storage | US | https://railway.com/legal/dpa |
| Anthropic, PBC | LLM API for AI features | US | https://www.anthropic.com/legal/commercial-dpa |
| Voyage AI, Inc. | Embedding API | US | [LEGAL REVIEW: confirm DPA URL] |
| Stripe, Inc. | Payment processing | US | https://stripe.com/legal/dpa |
| Resend | Transactional email | US | https://resend.com/legal/dpa |
| Functional Software, Inc. (Sentry) | Error monitoring, traces, Session Replay | US | https://sentry.io/legal/dpa/ |
| PostHog, Inc. | Product analytics | US | https://posthog.com/dpa |
| Google LLC | Google Fonts CDN | Global | Google's standard terms |
Annex D — Standard Contractual Clauses Configuration
For transfers under the EU SCCs (Commission Decision 2021/914):
- Module: Module 2 (Controller-to-Processor) for transfers where Customer is the Controller; Module 3 (Processor-to-Processor) for transfers where Customer is itself a Processor for its own end-clients. The applicable Module is determined by Customer's role.
- Clause 7 (Docking clause): Not applicable.
- Clause 9 (Use of sub-processors): Option 2 (general written authorization) applies; the notice period is as set out in Section 3.4.2 of this DPA.
- Clause 11 (Redress): Option (independent dispute-resolution body) is not elected.
- Clause 17 (Governing law): The law of Ireland. [LEGAL REVIEW: Irish law is the most common SCC choice; counsel may prefer another EU member state]
- Clause 18 (Choice of forum and jurisdiction): The courts of Ireland. [LEGAL REVIEW]
- Annex I.A. (List of Parties): The data exporter is Customer; the data importer is ResolutionFlow LLC.
- Annex I.B. (Description of Transfer): As set out in Annex A of this DPA.
- Annex I.C. (Competent supervisory authority): Irish Data Protection Commission. [LEGAL REVIEW: confirm based on Customer's location]
- Annex II (Technical and Organisational Measures): As set out in Annex B of this DPA.
- Annex III (Sub-processors): As set out in Annex C of this DPA.
For UK transfers, the UK Addendum to the EU SCCs (Information Commissioner's Office, "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses") is incorporated, and Table 4 of the Addendum is completed such that neither party may end the Addendum as set out in Section 19 unless otherwise agreed. [LEGAL REVIEW: confirm Table 4 election with counsel]