Data Processing Agreement
Last updated: April 20, 2026
1. Parties and Scope
This Data Processing Agreement (the "DPA") is entered into between:
- Ridgepath Technologies (OPC) Private Limited, a company incorporated in India with its registered office in Jaipur, India, operating the Mistflow service ("Mistflow", "Processor"); and
- The customer entity that has accepted the Terms of Service and uses the Service to process personal data of end users ("Customer", "Controller").
This DPA governs Mistflow's processing of Customer Personal Data on Customer's behalf. It does not apply to data for which Mistflow is itself the controller (such as Customer's account details, billing information, plan descriptions, and product-usage analytics), which is governed by the Privacy Policy.
2. Definitions
Capitalized terms used and not defined in this DPA have the meanings given to them in the applicable Data Protection Laws or the Terms of Service. For convenience:
- "Data Protection Laws" means all applicable laws governing the processing of personal data, including India's Digital Personal Data Protection Act, 2023 ("DPDPA"), the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA"), and any successor or equivalent legislation.
- "Customer Personal Data" means personal data of Customer's end users that Mistflow processes on Customer's behalf while operating the Service — principally data stored in databases, object storage, and logs provisioned for Customer's deployed applications.
- "Controller", "Processor", "Data Principal", "Data Subject", "Data Fiduciary", "Sub-processor", and "Personal Data Breach" have the meanings given in the applicable Data Protection Laws. Where GDPR terms differ from DPDPA terms, each is read in its local-law sense.
- "Service" means the Mistflow platform as defined in the Terms of Service.
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission on June 4, 2021 (Module Two: controller-to-processor), as they may be amended, replaced, or supplemented.
3. Roles and Allocation of Responsibilities
The parties acknowledge and agree that, with respect to Customer Personal Data:
- Customer is the Controller / Data Fiduciary. Customer determines the purposes and means of processing and is responsible for the lawfulness, accuracy, necessity, and proportionality of the processing, including obtaining all consents, providing all notices, and responding to data-subject requests.
- Mistflow is the Processor / Data Processor. Mistflow processes Customer Personal Data only on Customer's documented instructions (which are given by Customer's configuration of the Service and use of the MCP tools), except as required by applicable law.
- Mistflow is a Service Provider as defined under the CCPA and will process Customer Personal Data only for the limited and specified business purpose of providing the Service.
4. Duration and Subject Matter of Processing
Mistflow processes Customer Personal Data for the duration of Customer's subscription to the Service plus any retention period set out in this DPA or the Privacy Policy. The subject matter, nature and purpose of processing, categories of Data Subjects, and types of personal data are described in Annex 1.
5. Mistflow's Obligations as Processor
Mistflow will:
- Process on documented instructions only. Process Customer Personal Data only on Customer's documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by law to which Mistflow is subject; in such case Mistflow will inform Customer of that legal requirement before processing, unless that law prohibits such information on important public-interest grounds.
- Confidentiality. Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Security. Implement and maintain the technical and organisational measures described in Annex 2, designed to provide a level of security appropriate to the risk.
- Sub-processors. Engage Sub-processors only in accordance with Section 7 of this DPA.
- Data Subject Requests. Assist Customer, taking into account the nature of the processing, by appropriate technical and organisational measures insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights. Customer acknowledges that Customer is responsible for responding to such requests; Mistflow will provide reasonable cooperation.
- Regulatory assistance. Assist Customer in ensuring compliance with obligations under Articles 32–36 GDPR, Section 8 DPDPA, and equivalent provisions, taking into account the nature of processing and the information available to Mistflow.
- Deletion or return. At Customer's choice, delete or return all Customer Personal Data at the end of the provision of the Service, and delete existing copies, unless applicable law requires continued storage. Customer acknowledges that data in deleted or terminated projects is purged in accordance with the retention schedule in the Privacy Policy.
- Records. Maintain the records of processing required by Article 30(2) GDPR and make them available to Customer on reasonable request.
- Audits. Make available to Customer information necessary to demonstrate compliance with this DPA, and — not more than once per calendar year and at Customer's expense — allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality, scheduling, scope, and security constraints. Customer agrees that third-party audit reports, certifications, and the Subprocessors page may satisfy this obligation where appropriate.
6. Customer's Obligations as Controller
Customer will:
- Comply with all Data Protection Laws applicable to Customer's processing of Customer Personal Data, including providing all required notices and obtaining all required consents from Data Subjects.
- Ensure its documented instructions to Mistflow are lawful.
- Use the Service's security, retention, and access controls in a reasonable manner, and keep its own credentials and API keys secure.
- Test, harden, and maintain the application layer — including code generated by Customer's chosen AI coding editor, the data model, input validation, authentication and authorization flows, rate limiting, output encoding, and secure configuration of third-party integrations — before making the application available to Data Subjects, and throughout the term. Mistflow secures the infrastructure layer; Customer secures the application.
- Not submit to the Service any special categories of personal data (e.g., health, biometric, financial account numbers) unless Customer has implemented appropriate additional safeguards and has notified Mistflow in writing.
- Respond to Data Subject requests and regulator inquiries relating to Customer Personal Data as Controller.
7. Sub-processors
Customer grants general written authorisation for Mistflow to engage Sub-processors to process Customer Personal Data. Mistflow's current Sub-processors are listed at mistflow.ai/subprocessors and in Annex 3.
Mistflow will:
- Enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA.
- Remain liable to Customer for the performance of its Sub-processors' obligations.
- Give Customer at least 30 days' advance notice of the addition or replacement of any Sub-processor by updating the Subprocessors page and, where Customer has subscribed to updates, by email.
- On reasonable objection by Customer during the notice period, work with Customer in good faith to resolve the objection. If the parties cannot agree, Customer's sole and exclusive remedy is to terminate the affected Service by giving written notice, without prejudice to fees already paid.
8. International Transfers
Mistflow operates from India. Customer Personal Data may be transferred to and processed in other jurisdictions, including the United States and the European Union, where Mistflow's infrastructure and Sub-processors operate.
Where the transfer of Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland requires additional safeguards, the parties are deemed to have entered into the SCCs (Module Two: controller-to-processor), with the following choices: (i) the optional docking clause in Clause 7 does not apply; (ii) Option 2 of Clause 9(a) applies with a 30-day notice period; (iii) the optional redress clause in Clause 11(a) does not apply; (iv) the competent supervisory authority under Clause 13 is that of Ireland; (v) the governing law under Clause 17 is the law of Ireland; (vi) the forum under Clause 18 is the courts of Ireland. Annexes I, II, and III of the SCCs are completed by the information in Annexes 1, 2, and 3 of this DPA. For transfers from the United Kingdom, the UK International Data Transfer Addendum applies; for transfers from Switzerland, the SCCs apply with the amendments required by the Swiss Federal Data Protection and Information Commissioner.
For transfers from India subject to DPDPA cross-border rules, Mistflow transfers Customer Personal Data only to jurisdictions not restricted by the Central Government under Section 16 of the DPDPA.
9. Personal Data Breach Notification
Mistflow will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known and where reasonably available, the information required by Article 33(3) GDPR and Section 8(6) DPDPA, including the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to mitigate the breach.
Mistflow will cooperate reasonably with Customer to investigate and remediate the breach. Customer is responsible for any notification to Data Subjects, regulators, or other parties that Customer is required to make as Controller.
10. Liability
Each party's liability under or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law, including the rights of Data Subjects under the Data Protection Laws.
11. Term and Termination
This DPA takes effect when Customer accepts the Terms of Service or otherwise begins using the Service, and continues for as long as Mistflow processes Customer Personal Data on Customer's behalf. Sections 5 (Deletion or return), 9 (Breach notification), 10 (Liability), and 12 (Miscellaneous) survive termination to the extent necessary.
12. Miscellaneous
This DPA, together with the Terms of Service, Privacy Policy, and Subprocessors list, constitutes the entire agreement between the parties with respect to its subject matter. If any provision is found unenforceable, the rest remains in effect. In case of any conflict between this DPA and the Terms of Service regarding processing of Customer Personal Data, this DPA prevails. Mistflow may update this DPA to reflect changes in Data Protection Laws, Sub-processors, or technical and organisational measures; material changes will be announced on this page and, for active customers, by email.
This DPA is governed by the laws of India. The courts at Jaipur, India have exclusive jurisdiction over any dispute arising out of or relating to this DPA, subject to any non-waivable rights Customer or Data Subjects have under applicable Data Protection Laws.
Annex 1 — Description of Processing
Subject matter and nature of processing
Hosting and operating web applications that Customer builds through the Mistflow MCP server and dashboard. Processing activities include storing data in managed databases, storing uploaded objects, serving HTTP requests, operating authentication, handling background jobs, and generating logs.
Purpose
To provide the Service to Customer as described in the Terms of Service.
Categories of Data Subjects
End users of Customer's applications, and any other individuals whose personal data Customer chooses to submit through the Service.
Types of personal data
Determined by Customer. Typically: account identifiers, contact details, authentication credentials, user-generated content, usage and device metadata. Customer must not submit special-category data without the additional safeguards required by Data Protection Laws and prior written notice to Mistflow.
Duration
For the duration of Customer's use of the Service plus the retention periods set out in the Privacy Policy.
Annex 2 — Technical and Organisational Measures
Mistflow implements and maintains the following technical and organisational measures, which may be updated from time to time so long as the overall level of protection is not reduced:
- Encryption in transit. TLS 1.2 or higher for all customer-facing connections and connections to Sub-processors.
- Encryption at rest. Environment variables and other secrets are encrypted using a Fernet envelope scheme: each project has a per-project Data Encryption Key (DEK) which is itself encrypted by a master Key Encryption Key (KEK) held in Azure Key Vault and accessed via the backend's system-assigned Managed Identity. Managed database storage (Neon, Turso) uses encryption at rest provided by those Sub-processors.
- Key management. The master KEK is held in a dedicated Azure Key Vault, not logged, not exported, accessed only through Managed Identity by the production backend.
- Authentication. Customer authentication is provided by Clerk; multi-factor authentication is available for Customers. Mistflow personnel with production access use multi-factor authentication.
- Access control. Role-based access control on the backend; least-privilege access to production infrastructure; separation between production and non-production environments.
- API key storage. Customer API keys are stored as SHA-256 hashes; the plaintext key is returned only once at creation and never again.
- Logging and monitoring. Edge and application request logs are collected for security and abuse prevention; personally identifiable information is scrubbed from error traces before submission to Sentry and PostHog.
- Network security. Cloudflare-managed TLS, DDoS protection, and Web Application Firewall features on customer-facing traffic.
- Software development. Code review prior to merge, typed schemas at API boundaries (Zod on the MCP server, Pydantic on the backend), dependency-update monitoring.
- Vendor management. Each Sub-processor is subject to a written data-protection agreement at least as protective as this DPA.
- Backups and recovery. Customer databases (Neon, Turso) are backed up by those providers; build artifacts and project source snapshots (excluding .git/ and node_modules/) are retained in Cloudflare R2 to support rollback and template forking.
- Incident response. Documented internal process for detecting, triaging, containing, and notifying affected parties of personal data breaches within the timelines set out in Section 9.
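The two measures above that describe a concrete mechanism, the Fernet envelope scheme for secrets (per-project DEK wrapped by a vault-held KEK) and the SHA-256 storage of API keys, are illustrated in the following added example. It is constructed for this page and is not Mistflow's code. It assumes the `cryptography` package; `KeyVaultStub` is a hypothetical in-memory stand-in for Azure Key Vault (it wraps and unwraps DEKs but never hands out the KEK), and the `mf_` key prefix and project names are constructed values.

```python
"""Constructed example (not Mistflow's code) of two Annex 2 measures:
envelope encryption of project secrets and hash-only storage of API keys.
Requires the `cryptography` package. KeyVaultStub is a hypothetical stand-in
for Azure Key Vault: it wraps/unwraps DEKs but never exports the KEK."""
from __future__ import annotations

import hashlib
import secrets
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class KeyVaultStub:
    """Holds every KEK version; the newest one encrypts, all are tried on decrypt."""

    def __init__(self) -> None:
        self._keks = [Fernet.generate_key()]

    def _mf(self) -> MultiFernet:
        return MultiFernet([Fernet(k) for k in reversed(self._keks)])

    def wrap(self, dek: bytes) -> bytes:
        return self._mf().encrypt(dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return self._mf().decrypt(wrapped_dek)

    def rotate_kek(self) -> None:
        self._keks.append(Fernet.generate_key())

    def rewrap(self, wrapped_dek: bytes) -> bytes:
        # Re-encrypts the DEK under the newest KEK without exposing either key.
        return self._mf().rotate(wrapped_dek)


class ProjectSecretStore:
    """What the backend persists: wrapped DEKs and Fernet tokens, never plaintext keys."""

    def __init__(self, vault: KeyVaultStub) -> None:
        self.vault = vault
        self.wrapped_deks: dict[str, bytes] = {}
        self.tokens: dict[tuple[str, str], bytes] = {}

    def create_project(self, project_id: str) -> None:
        dek = Fernet.generate_key()  # one DEK per project
        self.wrapped_deks[project_id] = self.vault.wrap(dek)

    def _dek(self, project_id: str) -> Fernet:
        return Fernet(self.vault.unwrap(self.wrapped_deks[project_id]))

    def put_secret(self, project_id: str, name: str, value: str) -> None:
        self.tokens[(project_id, name)] = self._dek(project_id).encrypt(value.encode())

    def get_secret(self, project_id: str, name: str) -> str:
        return self._dek(project_id).decrypt(self.tokens[(project_id, name)]).decode()

    def rotate_master_key(self) -> None:
        # Only the small wrapped DEKs are re-encrypted; secret ciphertexts are untouched.
        self.vault.rotate_kek()
        for pid, wrapped in self.wrapped_deks.items():
            self.wrapped_deks[pid] = self.vault.rewrap(wrapped)

    def can_read_across_projects(self, token_owner: str, other: str, name: str) -> bool:
        # Another project's DEK must fail the token's HMAC check (isolation property).
        try:
            self._dek(other).decrypt(self.tokens[(token_owner, name)])
            return True
        except InvalidToken:
            return False


def issue_api_key(registry: dict[str, str], owner: str) -> str:
    """Returns the plaintext key exactly once; only its SHA-256 digest is stored."""
    raw = "mf_" + secrets.token_urlsafe(32)  # constructed prefix, 256 bits of entropy
    registry[hashlib.sha256(raw.encode()).hexdigest()] = owner
    return raw


def lookup_api_key(registry: dict[str, str], presented: str) -> Optional[str]:
    # Plain SHA-256 (no slow KDF) is adequate because keys are random, not user chosen.
    return registry.get(hashlib.sha256(presented.encode()).hexdigest())


if __name__ == "__main__":
    store = ProjectSecretStore(KeyVaultStub())
    store.create_project("proj-a")
    store.put_secret("proj-a", "DATABASE_URL", "postgres://example.invalid/db")
    before = store.tokens[("proj-a", "DATABASE_URL")]
    store.rotate_master_key()
    assert store.tokens[("proj-a", "DATABASE_URL")] == before
    print(store.get_secret("proj-a", "DATABASE_URL"))
```

The design point an auditor checks against Annex 2 is visible in `rotate_master_key`: a KEK rotation touches only the wrapped DEKs, so stored secrets need no re-encryption and the KEK never leaves the vault boundary; `can_read_across_projects` demonstrates that a per-project DEK also gives tenant isolation, since a token encrypted under one project's key fails authentication under another's.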
Annex 3 — List of Sub-processors
The authoritative and current list of Sub-processors, including purpose and data categories, is maintained at mistflow.ai/subprocessors. As at the date of this DPA the Sub-processors are:
| Sub-processor | Purpose |
|---|---|
| Cloudflare | Application hosting, artifact storage, DNS, CDN, edge logging |
| Microsoft (Azure) | Backend compute, Azure Key Vault for master encryption key |
| Neon | Managed Postgres for Customer's applications |
| Turso | Managed SQLite for Customer's applications |
| Clerk | Authentication and user management |
| Anthropic | LLM API for plan generation (zero retention) |
| Dodo Payments | Payment processing |
| Resend | Transactional email |
| PostHog | Product analytics and exception capture |
| Sentry | Error tracking |
Contact
Data-protection questions, DSR assistance requests, and DPA countersignature requests: [email protected]. Legal notices: [email protected].