Skip to content
ParseFlow

Data Processing Agreement

Last updated: March 22, 2026

1. Scope and Purpose

This Data Processing Agreement (“DPA”) supplements the Terms of Service between ParseFlow(“Processor”) and you (“Controller”) regarding the processing of personal data through our document extraction API service.

2. Definitions

  • Personal Data: Any data relating to an identified or identifiable natural person contained in uploaded documents.
  • Processing: Any operation performed on personal data, including extraction, analysis, and temporary storage.
  • Sub-processor: Third-party service providers engaged by ParseFlow to assist in data processing.

3. Data Processing Details

  • Nature of processing: Automated document data extraction via OCR and pattern matching
  • Purpose: Converting unstructured documents into structured JSON data
  • Duration: Documents are processed in real-time. Extracted results are cached for up to 90 days.
  • Data subjects: Individuals whose data appears in uploaded documents
  • Data categories: Names, addresses, financial data, identification numbers (as contained in documents)

4. Processor Obligations

ParseFlow shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior consent
  • Assist the Controller with data subject requests
  • Delete or return all personal data upon termination
  • Make available information necessary to demonstrate compliance

5. Security Measures

  • TLS 1.3 encryption for all data in transit
  • Encryption at rest for cached extraction results
  • API key hashing (SHA-256) — we never store raw API keys
  • In-memory document processing — no permanent file storage
  • Rate limiting and file size validation
  • Regular security assessments

6. Sub-processors

Current sub-processors:

  • Vercel Inc. — Hosting and CDN (USA)
  • Upstash Inc. — Redis data caching (EU/USA)
  • Stripe Inc. — Payment processing (USA)

7. International Transfers

Data may be transferred to the USA where our sub-processors operate. Such transfers rely on Standard Contractual Clauses (SCCs) and the sub-processors' compliance certifications.

8. Data Breach Notification

In the event of a personal data breach, ParseFlow will notify the Controller without undue delay and within 72 hours of becoming aware of the breach.

9. Contact

Data Protection Officer: dpo@parseflow.dev

We use cookies to improve your experience and analyze site traffic. See our Privacy Policy for details.