
Last Updated Aug 13, 2025
Data Subprocessors
Last Updated: January 30, 2026
Effective Date: January 30, 2026
1. Introduction
This document lists all third-party subprocessors ("Subprocessors") that Zyflow engages to process Customer Data on behalf of our customers. We maintain this list in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other privacy regulations.
By using Zyflow's services, you acknowledge and agree that we may engage these Subprocessors to process your data as described in our Privacy Policy and Data Processing Agreement.
2. Notification of Changes
We will provide customers with at least 30 days' prior notice of any new Subprocessor or changes to existing Subprocessors by:
- Updating this page
- Sending email notifications to account administrators
- Posting notices in your Zyflow dashboard
Customers may object to new Subprocessors within this notice period by contacting us at privacy@zyflow.com.
3. Core Infrastructure Subprocessors
These Subprocessors are essential to the operation of Zyflow's platform and are used for all customers.
3.1 Cloud Infrastructure & Storage

| Subprocessor | Service Description | Data Processed | Data Location | Website |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, object storage (S3), content delivery | User data, files, media, application logs, backups | EU (configurable), US | aws.amazon.com |
| Cloudflare | CDN, DDoS protection, R2 object storage | Files, media, cached content, request logs | Global network with EU nodes | cloudflare.com |
| LocalStack | Development/testing infrastructure | Development data only (non-production) | Local development environments | localstack.cloud |

Purpose: Hosting, storage, and delivery of platform services and customer data.
3.2 Database & Cache Services

| Subprocessor | Service Description | Data Processed | Data Location | Website |
|---|---|---|---|---|
| PostgreSQL | Relational database | All application data including flows, users, connections, execution logs | Customer-controlled (self-hosted or cloud provider) | postgresql.org |
| Redis | In-memory cache and message queue | Session data, cache, job queues, real-time data | Customer-controlled (self-hosted or cloud provider) | redis.io |

Purpose: Primary data persistence, caching, and message queue processing.
4. Communication & Email Services

| Subprocessor | Service Description | Data Processed | Data Location | Website |
|---|---|---|---|---|
| Mailgun | Transactional email delivery | Email addresses, email content, sending metadata | EU (api.eu.mailgun.net) | mailgun.com |
| SMTP Providers | Email delivery (configurable) | Email addresses, email content | Varies by customer configuration | Various |
| Slack | Team notifications and integrations | Messages, user data, webhook data | US | slack.com |
| Discord | Community notifications | Messages, server data, user IDs | US | discord.com |
| Microsoft Teams | Team collaboration | Messages, channel data, user information | Global (Microsoft datacenters) | microsoft.com/teams |
| Twilio | SMS and voice communications | Phone numbers, message content, call data | US, Global | twilio.com |

Purpose: Sending system notifications, transactional emails, alerts, and enabling communication integrations.
5. AI & Machine Learning Services
These services are used when customers enable AI features or create workflows that utilize AI capabilities.

| Subprocessor | Service Description | Data Processed | Data Location | Website |
|---|---|---|---|---|
| OpenAI | Large language models, embeddings, image generation | User prompts, text content, images, conversation history | US | openai.com |
| Anthropic | Claude AI language models | User prompts, text content, conversation context | US | anthropic.com |
| Google (Gemini) | Generative AI models, vision models | User prompts, text, images, multimodal data | US, Global | ai.google.dev |
| Microsoft Azure OpenAI | Enterprise AI models (Azure-hosted OpenAI) | User prompts, text content, embeddings | Azure regions (configurable, EU available) | azure.microsoft.com/openai |
| Replicate | AI model inference and image generation | Images, model inputs, prompts | US | replicate.com |
| ElevenLabs | Text-to-speech synthesis | Text content, voice parameters | US | elevenlabs.io |
| AssemblyAI | Speech-to-text transcription | Audio files, transcription data | US | assemblyai.com |

Purpose: Providing AI-powered features, natural language processing, image generation, and intelligent automation.
Important Note: AI service usage is opt-in through workflow configuration. Data sent to AI services is controlled by customers and depends on the specific workflows they create.
6. Analytics & Monitoring

| Subprocessor | Service Description | Data Processed | Data Location | Website |
|---|---|---|---|---|
| PostHog | Product analytics and telemetry | Usage events, user identification, feature flags, session recordings | EU (eu.i.posthog.com) | posthog.com |
| Sentry | Error tracking and performance monitoring | Error logs, stack traces, request metadata, performance metrics | Germany (de.sentry.io) | sentry.io |
| Datadog | Infrastructure monitoring (optional) | System metrics, logs, traces | US, EU (configurable) | datadoghq.com |

Purpose: Monitoring platform health, tracking errors, analyzing product usage, and improving service quality.
Control: Analytics can be disabled by setting ZYFLOW_TELEMETRY_ENABLED=false in self-hosted deployments.
7. Authentication & Identity Services

| Subprocessor | Service Description | Data Processed | Data Location | Website |
|---|---|---|---|---|
| SAML Identity Providers | Enterprise SSO authentication | User identity, SAML assertions, attributes | Varies by customer's IdP | Customer-controlled |
| OAuth 2.0 Providers | Third-party authentication | Authorization tokens, user profile data | Varies by provider | Various |
| Google Workspace | Gmail, Calendar, Drive authentication | User identity, OAuth tokens, email, calendar data | Global (Google datacenters) | workspace.google.com |
| Microsoft Graph | Microsoft 365 authentication | User identity, OAuth tokens, email, calendar, contacts | Global (Microsoft datacenters) | microsoft.com |
| GitHub | Code repository authentication | User identity, repository access tokens | US | github.com |
| Google reCAPTCHA | Bot prevention | CAPTCHA tokens, IP addresses, browser fingerprints | Global | google.com/recaptcha |

Purpose: User authentication, authorization, single sign-on, and security verification.
8. Integration Platform Subprocessors (100+ Services)
These third-party services are available as optional integrations through Zyflow's workflow builder. Data is only sent to these services when explicitly configured by customers in their workflows.
8.1 CRM & Sales
Salesforce, HubSpot, Pipedrive, Zoho CRM
8.2 Project Management
Asana, Monday.com, ClickUp, Trello, Jira
8.3 Communication & Collaboration
Slack, Discord, Microsoft Teams, Zoom
8.4 Cloud Storage & Documents
Google Drive, Dropbox, OneDrive, Box, Notion, Airtable, Google Sheets
8.5 Email & Marketing
Gmail, Outlook, Mailchimp, SendGrid
8.6 Payment Processing
Stripe, PayPal
8.7 E-Commerce
Shopify, WooCommerce
8.8 Customer Support
Zendesk, Freshdesk, Intercom
8.9 Social Media
Twitter/X, Facebook, Instagram, LinkedIn, TikTok
8.10 Developer Tools
GitHub, GitLab, Bitbucket
8.11 Cloud Platforms
AWS, Google Cloud Platform, Microsoft Azure
Important: Integration subprocessors only process data when customers explicitly configure workflows that use these integrations with their own authentication credentials.
9. Data Security Measures
All Subprocessors implement:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access, principle of least privilege
- Compliance: SOC 2, ISO 27001, GDPR compliance
- Incident Response: Security incident procedures and notification
- Data Retention: Automated data deletion and retention policies
10. International Data Transfers
Where data transfers occur outside the EEA:
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
- Adequacy Decisions: Transfers to countries with adequate data protection
- Additional Safeguards: Supplementary measures for international transfers
11. Contact Information
Email: privacy@zyflow.com
Data Protection Officer: dpo@zyflow.com
Security Team: security@zyflow.com
