Data Processing Addendum

This Data Processing Addendum ("DPA") applies when Avalon processes personal information or Customer Content on behalf of a customer under the Avalon Terms of Service, an order form, or another written agreement. If a signed agreement between Avalon and a customer includes a separate DPA, that signed DPA controls for that customer.

For this DPA, "Avalon" means Avalon Flow Inc., a subsidiary of Questili LLP, unless a signed order form or customer agreement identifies a different contracting entity.

1. Roles

For Customer Content processed through Avalon, the customer is generally the controller, business, or equivalent decision-maker for its users, email correspondents, meeting participants, CRM contacts, Slack users, and other data subjects. Avalon acts as a processor, service provider, or equivalent service provider when it processes that Customer Content to provide Avalon.

Avalon may act as an independent controller or business for limited account, billing, security, website, product analytics, support, abuse-prevention, and legal-compliance data as described in the Privacy Policy.

2. Subject matter and duration

Avalon processes Customer Content to provide an email and calendar work action layer for Gmail/Google Workspace and Outlook/Microsoft 365, including mailbox/calendar sync, Flowboard, summaries, drafts, search, meeting briefs, due dates, memory, automations, analytics, integrations, support, security, and related services.

Processing continues for the subscription, pilot, account, or agreement term and any post-termination period needed for export, deletion, backup expiry, legal compliance, dispute resolution, security, or audit obligations.

3. Categories of data

Depending on configuration, Customer Content may include:

• account and user identity information;
• email metadata, email bodies, attachments, snippets, labels, folders, categories, thread IDs, and message IDs;
• calendar events, availability, meeting metadata, attendees, titles, descriptions, locations, and meeting context;
• contacts, people, relationship context, customer/account history, and CRM-related data;
• prompts, instructions, edits, approvals, rejects, corrections, AI outputs, summaries, drafts, classifications, meeting briefs, Daily Pulse items, due dates, search results, and memory entries;
• Flowboard cards, status, priority, labels, rules, automations, audit receipts, logs, and workflow history;
• Slack, Salesforce, MCP, custom endpoint, and model-provider data selected by customer configuration;
• support, diagnostic, observability, usage, billing, and security metadata.

4. Categories of data subjects

Customer Content may relate to customer employees, contractors, administrators, users, email correspondents, customers, prospects, vendors, partners, meeting attendees, Slack workspace members, CRM contacts, and other people whose information appears in connected systems.

5. Processing instructions

Avalon processes Customer Content only to provide, secure, support, maintain, troubleshoot, and improve Avalon; comply with customer configuration and user instructions; comply with law; and fulfill obligations under applicable agreements.

Customer instructs Avalon to process Customer Content as necessary for enabled features and connected services. Customer is responsible for ensuring its instructions are lawful and that it has provided required notices, consents, approvals, and authority.

Avalon will inform the customer if Avalon believes an instruction violates applicable law, unless legally prohibited from doing so.

6. Confidentiality

Avalon restricts personnel access to Customer Content to people who need access for authorized business purposes such as providing, securing, supporting, or improving Avalon. Personnel with access to Customer Content are subject to confidentiality obligations.

7. Security measures

Avalon maintains administrative, technical, and organizational measures designed to protect Customer Content against unauthorized access, loss, misuse, alteration, and disclosure. These measures may include access controls, encryption, logging, monitoring, least-privilege permissions, secret management, backups, vulnerability management, and incident-response processes.

Security measures are described further in the Avalon Security Practices document.

8. Subprocessors

Avalon may use subprocessors to provide, secure, support, analyze, bill for, and improve Avalon. The current customer-facing list is in the Avalon Subprocessors document.

Avalon remains responsible for subprocessor processing of Customer Content to the extent required by applicable law and the customer agreement. Customer-controlled systems such as customer local models, customer custom endpoints, customer Google accounts/Google Workspace tenants, customer Microsoft tenants, customer Slack workspaces, and customer Salesforce/MCP systems are the customer's responsibility unless a signed agreement states otherwise.

9. International transfers

Avalon and its subprocessors may process Customer Content in countries other than where the customer or data subjects are located. Where required, Avalon will use appropriate safeguards for cross-border transfers, such as applicable contractual terms or other lawful transfer mechanisms.

10. Assistance with privacy requests

Avalon will provide reasonable assistance for customer privacy requests, including access, correction, deletion, export, restriction, objection, or portability requests, to the extent the request relates to Customer Content processed by Avalon and the customer cannot reasonably fulfill it without Avalon.

Requests should be sent to support@avalonflow.com.

11. Deletion and return

At termination or upon valid request, Avalon will delete or return Customer Content according to the Data Retention and Deletion Policy, product controls, and any applicable agreement. Some data may remain in backups, audit logs, billing records, security logs, legal holds, or records needed for dispute resolution, compliance, fraud prevention, or security until those records expire or deletion is legally and technically appropriate.

12. Personal data breach and security incidents

Avalon will notify affected customers without undue delay after confirming a security incident involving Customer Content that requires notice under applicable law or agreement. Notice may include available information about the nature of the incident, affected data, mitigation steps, and customer actions where appropriate.

Customer is responsible for notifying its users, regulators, customers, or other parties when the customer is legally responsible for that notice.

13. Audits and information

Avalon will provide reasonable information needed to demonstrate compliance with this DPA, such as security practices, subprocessors, incident process, and data-handling summaries. Audit rights, questionnaires, penetration-test evidence, or security reports may be handled under a customer agreement, NDA, or reasonable access process.

14. Customer responsibilities

Customer is responsible for:

• using Avalon lawfully;
• configuring scopes, users, model routes, custom endpoints, automations, and connected services appropriately;
• providing notices and obtaining consents or approvals where required;
• avoiding unnecessary sensitive or regulated data unless supported by the agreement and product controls;
• reviewing AI outputs and external actions;
• maintaining customer-side security controls and credentials;
• complying with connected-service terms and model-provider licenses.

15. Order of precedence

If this DPA conflicts with the Terms of Service, this DPA controls for personal-information processing obligations. If this DPA conflicts with a signed customer DPA or enterprise agreement, the signed agreement controls.

16. Contact

For DPA or data-processing questions, contact support@avalonflow.com.