Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Railflows ("Processor") and the customer organisation ("Controller") and applies whenever Railflows processes Personal Data on the Controller's behalf in connection with the Service.

Last revised 2026-05-19

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Controller", "Processor", "Data Subject", "Processing" and "Sub-processor" have the meanings given in the GDPR. "Service" means the Railflows RFQ workspace at railflows.com.

2. Subject matter and duration

Railflows processes Personal Data on behalf of the Controller for the purpose of providing the Service. Processing continues for as long as the Controller has an active account, plus any retention period required by law or by these terms.

3. Nature and purpose of processing

Railflows processes Personal Data to authenticate users, deliver the RFQ workflow (submission, matching, response, reveal, comparison, outcome), notify users by email and maintain an audit trail of sensitive actions.

4. Categories of data and data subjects

Data subjects

• Authorised users of buyer organisations (employees, contractors).
• Authorised users of provider organisations.
• Named contacts the Controller chooses to associate with an RFQ.

Categories of Personal Data

• Identification: name, business email address, organisation affiliation, role.
• Authentication metadata: session start/expiry timestamps, source IP, user agent.
• RFQ content: any Personal Data the Controller chooses to include in free-text fields or uploaded documents.
• Audit metadata: actor, action, target and timestamp for sensitive operations.

Railflows requests no special categories of Personal Data (Article 9 GDPR) and asks Controllers not to upload such categories unless strictly necessary.

5. Controller and Processor responsibilities

The Controller determines the purposes and means of processing and is responsible for the lawful basis of submitting Personal Data to the Service. Railflows processes Personal Data only on documented instructions from the Controller, as set out in these terms, the Service configuration and the Controller's use of the Service.

Railflows will inform the Controller without undue delay if, in its opinion, an instruction infringes GDPR or other applicable data protection law.

6. Security measures

Railflows maintains appropriate technical and organisational measures to protect Personal Data, as described at /security. These include: encryption in transit (TLS 1.3) and at rest (AES-256), role-based authorisation, magic-link authentication with hashed single-use tokens, server-side session control, rate-limited sign-in, audit logging of sensitive actions, and least-privilege access for personnel.

7. Sub-processors

The Controller authorises Railflows to engage the sub-processors listed at /security. Railflows will give the Controller advance notice of any new sub-processor and an opportunity to object on reasonable data-protection grounds before the new sub-processor is engaged.

8. International transfers

Where Personal Data is transferred outside the European Economic Area, Railflows relies on appropriate safeguards under Chapter V GDPR, including the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where applicable. Cloudflare D1 storage is currently configured for the European region; transactional email is delivered via Resend (US).

9. Data subject rights

Railflows will assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to Data Subject requests under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection). The Controller can initiate these via privacy@railflows.com.

10. Personal data breach notification

Railflows will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's data. Notification will include, to the extent known: the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed to address it.

11. Audit rights

Railflows will make available to the Controller information necessary to demonstrate compliance with this DPA, including third-party assurance reports when available, and will allow for and contribute to audits conducted by the Controller or a mandated auditor, on reasonable prior notice and subject to confidentiality.

12. Return and deletion

On termination of the Service, Railflows will, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless retention is required by law. Audit logs may be retained as long as required for legal defence and incident investigation.

13. Liability and order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to the processing of Personal Data. All other terms of the Terms of Service remain in effect.