Effective Date: June 3, 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the RecordFlow Terms of Service ("Terms") between you (the "Customer") and RecordFlow ("RecordFlow", "we", or "us"). It applies whenever Customer uses the RecordFlow admin-managed Zoom Marketplace app to archive cloud recordings of other Zoom users in a Zoom account that Customer administers. In that scenario Customer is the controller of member personal data under Article 28 of Regulation (EU) 2016/679 ("GDPR") and equivalent laws (UK GDPR, Swiss FADP, and US state privacy statutes such as the CCPA/CPRA) and RecordFlow is the processor.

Customer's acceptance of the Terms constitutes execution of this DPA. No separate signature or countersignature is required. In the event of a conflict between this DPA and the Terms, this DPA prevails as to the processing of member personal data described below.

1. Subject Matter & Duration

Subject matter. RecordFlow processes (a) the cloud-recording content of each Zoom user that Customer has enabled in the RecordFlow admin dashboard ("Members") — including video, audio, transcript, chat, and meeting-summary files produced by Zoom — and (b) directory and sync-history data about those Members.

Duration. Processing continues from the moment Customer first authorizes the admin-managed app for its Zoom account and ends 30 days after the latest of (a) the last administrator of that Zoom account deauthorizing the app, (b) Customer's written notice to terminate this DPA, or (c) Customer's account-deletion request to support@recordflow.org.

2. Nature & Purpose of the Processing

Nature. Streaming download from Zoom's cloud-recording API, short-lived in-memory holding during transfer, upload to a Google Drive folder that Customer designates, and storage of per-meeting metadata (meeting topic, start time, sync status, Drive folder ID, the identifiers of files already transferred) in RecordFlow's database.

Purpose. Archival of the Members' Zoom cloud recordings to a Google Drive folder under Customer's control, so Customer retains a backup of those recordings outside Zoom. RecordFlow does not use Member personal data for any other purpose, does not train any machine-learning model on it, and does not sell it.

3. Categories of Data Subjects & Personal Data

Data subjects. The Members of Customer's Zoom account that Customer enables in the RecordFlow admin dashboard, and any third parties who speak or appear in those Members' meetings.

Categories of personal data processed:

  • Member directory data: Member name, work email address, Zoom user ID, Zoom account ID, sync-enabled toggle state, and per-member last-archived timestamp.
  • Recording content: meeting video, audio, transcript (VTT and Google Doc), chat log, AI-generated meeting summary, timeline markers, and recording metadata (meeting topic, start time, duration). This content may incidentally include any category of personal data the meeting participants choose to discuss, and may include special-category data under Art. 9 GDPR depending on the meeting's subject matter — Customer is responsible for assessing whether its lawful basis covers that scenario.
  • Sync activity: per-meeting sync status (observed, started, in-sync, synced, error, …), Google Drive folder identifiers, identifiers of recording files already transferred, error messages, cumulative bytes uploaded.

4. Sub-Processors

Customer authorizes RecordFlow to engage the following sub-processors. The list below is current as of the Effective Date and is also reflected in the "Third-Party Services" section of our Privacy Policy, which is the canonical reference for active sub-processors:

  • Cloudflare, Inc. — Workers compute, D1 SQLite database, R2 object storage; primary infrastructure provider. Region: global multi-region.
  • Google LLC / Google Ireland Ltd. — Google Drive (destination storage chosen by Customer); Google OAuth.
  • Resend, Inc. — Transactional email delivery for notifications.
  • Functional Software, Inc. (d/b/a Sentry). — Error tracking and session-replay diagnostics.

Adding or replacing a sub-processor. RecordFlow will give Customer at least 30 days' advance notice (by email to the address on file and by updating the Privacy Policy) before engaging a new sub-processor or replacing an existing one. During that 30-day window Customer may object in writing to support@recordflow.org; if Customer's objection cannot be reasonably resolved, Customer may terminate this DPA and the Terms with respect to the admin-managed app and request return / deletion of Member personal data under §6 below.

Sub-processor obligations. RecordFlow flows down the substantive obligations of this DPA to each sub-processor through written agreements, and remains liable to Customer for any sub-processor's failure to meet those obligations to the same extent RecordFlow would be liable for its own failure.

5. Security & Breach Notification

Technical and organisational measures. RecordFlow maintains the following measures, which Customer accepts as appropriate to the risk of the processing described in §2:

  • Encryption at rest: all stored OAuth tokens (Zoom and Google), session cookies, and OAuth state are encrypted with AES-256-GCM before being written to the database.
  • Encryption in transit: every connection between RecordFlow and Zoom, Google, Resend, and the Customer's browser uses TLS 1.2 or higher.
  • Recording content is not persisted on RecordFlow infrastructure. Recording bytes are streamed in 10 MB chunks from Zoom's servers through a Cloudflare Worker and uploaded directly to Customer's chosen Google Drive folder; they exist in worker memory only for the duration of the active transfer.
  • Authentication: OAuth 2.0 with PKCE for Zoom and Google; encrypted session cookies; no plaintext credential storage.
  • Auto-delete audit log: when Customer or a Member enables the optional auto-delete-after-archive feature, every delete attempt is recorded in an INSERT-only audit log retained for 24 months.
  • Access control: production database access is restricted to RecordFlow personnel with a documented operational need; session-replay and error-tracking access is restricted to the same personnel set.

Breach notification. RecordFlow will notify Customer in writing (email to the address on file is sufficient) without undue delay and in any event within 72 hours after becoming aware of a personal-data breach affecting Member personal data, so that Customer can satisfy its own notification obligations under Art. 33 GDPR. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address and mitigate the breach.

6. Audit & Return / Deletion

Audit right. Customer may, on at least 30 days' prior written notice to support@recordflow.org and not more than once per calendar year (more often only if required by a supervisory authority or following a confirmed personal-data breach), request a written response to a reasonable security questionnaire and copies of any then-current third-party security attestations RecordFlow holds for itself or its sub-processors. The parties will negotiate in good faith any on-site or system-level audit that Customer's regulator specifically requires.

Return / deletion on termination. On termination of this DPA (see §1 above), RecordFlow will, within 30 days, delete all Member directory data, per-member sync history, and stored OAuth tokens for the affected Zoom account. Recording content already copied into Customer's Google Drive remains in Customer's Drive — RecordFlow only ever writes to that Drive, never deletes from it. Customer may instead request return of the deleted directory / history data in a portable format, in which case RecordFlow will deliver the export within the same 30-day window before deleting its copy.

7. International Transfers

Where this DPA involves the transfer of Member personal data originating in the EU/EEA, UK, or Switzerland to a country that is not the subject of an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Decision 2021/914) by reference, with Customer as data exporter and RecordFlow as data importer. RecordFlow flows down equivalent transfer mechanisms to its sub-processors (see §4). Copies of the operative SCCs are available on request to support@recordflow.org.

8. Customer Instructions & Processor Obligations

RecordFlow will process Member personal data only on Customer's documented instructions, which are set out in (a) this DPA, (b) the Terms, and (c) the in-app configuration choices Customer makes through the RecordFlow admin dashboard (which Members are enabled, which Google Drive folder is the destination, whether transcript-only mode is on, whether auto-delete is on). If RecordFlow believes a Customer instruction infringes GDPR or another data protection law, it will inform Customer without undue delay and may suspend performance of that instruction until Customer confirms or amends it.

RecordFlow ensures that personnel authorized to process Member personal data are bound by confidentiality obligations and have received appropriate data-protection training. RecordFlow assists Customer, taking into account the nature of the processing and the information available, in meeting Customer's own obligations under Articles 32 to 36 GDPR (security, breach notification, DPIAs, prior consultation) and Articles 12 to 23 GDPR (data-subject rights — see also "Member rights pathway" in our Privacy Policy).

9. Contact

Data-protection enquiries, sub-processor objections, audit requests, and data-subject-rights requests under this DPA should be sent to support@recordflow.org. Postal correspondence: Adam Dobrawy, al. Jerozolimskie 89/43, 02-001 Warszawa, Poland.

Your acceptance of the Terms of Service constitutes execution of this DPA. No countersignature is required.