Legal Document

Data Processing Agreement

Flowix — A Nebulix Product  ·  Last updated: 5 June 2026  ·  Effective: 5 June 2026

1. Scope

This Data Processing Agreement (DPA) forms part of the Terms between the customer and Nebulix for business use of Flowix. It applies when Nebulix processes personal data on behalf of a business customer.

2. Roles

The customer is the controller for personal data entered into Flowix (client names, team user accounts, job records, financial data). Nebulix is the processor for that customer data and may also act as controller for billing, support, and security records.

3. Processing Details

Subject matter: providing agency operations software including briefs, campaigns, pipeline management, proposals, job orders, invoicing, team management, and accounts.

Data categories: user names and emails, client names and contacts, campaign and job data, financial transactions, team roles, and activity logs.

Purpose: service delivery, security, billing, fraud prevention, and legal compliance.

4. Processor Obligations

  • Process customer personal data only on documented instructions, unless required by law.
  • Apply appropriate confidentiality, access control, and security safeguards (Supabase RLS, HTTPS, JWT auth).
  • Assist with reasonable data-subject, audit, deletion, and security requests.
  • Notify customers without undue delay after becoming aware of a confirmed personal data breach affecting customer data.

5. Sub-Processors

Nebulix may use the following categories of sub-processors for Flowix:

  • Supabase for database, authentication, and real-time features
  • Hetzner / Coolify for server infrastructure and container hosting
  • Stripe for subscription payment processing
  • Cloudflare for DNS and network security

Nebulix remains responsible for sub-processor performance as required by applicable data-protection law.

6. International Transfers

Flowix data is stored in Supabase (Tokyo region). Where data is processed outside the UAE or your home jurisdiction, Nebulix relies on contractual, technical, and organisational safeguards including encryption in transit (TLS) and at rest.

7. Deletion and Return

At the end of the subscription, Nebulix retains workspace data for 90 days to allow for data export, then deletes the organisation's records. Billing, tax, and legal records are retained as required by applicable law.

8. Contact

DPA requests: [email protected].

© 2026 Nebulix Technologies FZE LLC. Flowix. Terms·Privacy·Cookies·Refund·Subscription·DPA