Data Processing Agreement

This agreement explains how DesksFlow processes the personal data your agency entrusts to us, and the commitments we make to protect it.

Last updated: June 14, 2026

1. Roles & definitions

Under data-protection law (including India's DPDP Act, 2023 and, where applicable, the GDPR):

  • You, the agency, are the "Data Controller" — the data about your clients/students belongs to you, and you decide how it's used.
  • DesksFlow is the "Data Processor" — we process that data only to provide the service to you, strictly on your instructions.

2. Scope of processing

We process the data your agency enters or uploads — client names, contact details, education and visa information, documents, and related records — for the sole purpose of operating the DesksFlow platform for you (storage, retrieval, communication, and the features you use).

3. Our commitment: we will never access or solicit your clients

DesksFlow and its personnel will not:

  • access, view, or use your clients' personal data except as strictly necessary to operate the service or provide support you request;
  • contact, market to, or solicit your clients or students for any purpose;
  • use your data to compete with you, or disclose it to anyone who would;
  • sell, rent, or share your data, or use it to train AI models.

DesksFlow is a software company — our business is providing this platform to you. This commitment is binding and enforceable.

4. Confidentiality

Everyone at DesksFlow with potential access to systems holding your data is bound by confidentiality obligations and operates on a least-privilege, need-to-know basis.

5. Security measures

We maintain technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit and at rest, database-level tenant isolation (RLS), private document storage, access controls, and audit logging. Full detail is on our Security page.

6. Sub-processors

We engage a limited set of vetted sub-processors, each contractually bound to protect your data:

  • Supabase / AWS (Mumbai, India) — database, authentication, file storage
  • Vercel — application hosting
  • Resend — email delivery
  • Razorpay — subscription payments
  • Anthropic — optional AI features, used only when you invoke them

We will give notice of any material change to this list.

7. Data location

Your data is hosted in India (AWS Mumbai) and is not transferred out of the country in normal operation.

8. Your data, your control

  • You can export your data at any time.
  • You can delete individual client records, or your whole account, at any time.
  • On account closure, we delete your data within 30 days, except where law requires retention.

9. Breach notification

If a personal-data breach affecting your data occurs, we will notify you without undue delay after becoming aware of it, with the information you need to meet your own obligations.

10. Contact

For a countersigned copy of this DPA or any data-protection question, contact privacy@desksflow.com.

This page summarises our standard data-processing terms in plain language. Agencies requiring a formally executed agreement can request one at the address above.

DesksFlow is a product of Nadrel Technologies.