Data Processing Agreement (DPA)
Last updated: June 9, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between VillaFlow (“Processor”) and the company or individual subscribing to the Service (“Controller,” “you,” or “your”) and applies wherever VillaFlow processes personal data on your behalf in connection with the VillaFlow platform.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
- Processing — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Data Subject — the individual whose personal data is being processed (e.g. your staff members, property owners, or contractors).
- Applicable Law — the Thailand Personal Data Protection Act B.E. 2562 (PDPA) and any other applicable data protection regulations.
2. Roles & Responsibilities
You (the Controller) determine the purposes and means of processing personal data in your use of VillaFlow — for example, which staff are added, what owner information is stored, and which villas are managed.
VillaFlow (the Processor) processes personal data only on your documented instructions and for the purpose of delivering the Service.
3. Data VillaFlow Processes on Your Behalf
In the course of providing the Service, VillaFlow may process the following categories of personal data on your behalf:
- Staff profiles: names, email addresses, phone numbers, LINE user identifiers, preferred language, role, and login activity.
- Property owner details: names, contact details, access levels, and portal activity.
- Villa and operational data: property addresses, job records, maintenance history, approval requests, photos, checklists, and reports.
- Contractor information: names and contact details where provided.
4. VillaFlow’s Obligations as Processor
VillaFlow agrees to:
- Process personal data only on your documented instructions, including those set out in these Terms and in the operation of the Service.
- Ensure that personnel authorized to process personal data are under appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorized access.
- Not engage any sub-processor without informing you in advance and ensuring equivalent data protection obligations are in place with that sub-processor.
- Assist you, where reasonably possible, in responding to data subject rights requests (access, correction, deletion, portability) where the data is within VillaFlow’s control.
- Notify you without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting your Customer Data.
- At your written request, delete or return all personal data at the end of the Service relationship, unless retention is required by applicable law.
- Make available to you, on reasonable request, the information necessary to demonstrate compliance with this DPA.
5. Your Obligations as Controller
You agree to:
- Ensure that you have a lawful basis for collecting and providing personal data to VillaFlow for processing.
- Obtain any necessary consents from staff, property owners, and other individuals whose data is entered into the Service.
- Provide any required privacy notices to data subjects regarding your use of VillaFlow.
- Comply with applicable data protection law, including the Thailand PDPA, in your use of the Service.
6. Sub-Processors
VillaFlow currently uses the following categories of sub-processors to deliver the Service:
- Cloud hosting and infrastructure providers — for data storage and platform operation.
- Stripe — for payment processing (billing data only; not operational Customer Data).
- LINE Corporation — for task and notification delivery via the LINE messaging platform. LINE processes only the data necessary to deliver messages and receive responses within the workflow you enable.
We will provide advance notice of any new sub-processors that process your Customer Data. If you have a reasonable objection, please contact us within 14 days of the notice.
7. International Data Transfers
Your data may be processed in countries outside Thailand. Where this occurs, VillaFlow will ensure appropriate safeguards are in place — for example, standard contractual clauses or equivalent mechanisms — to protect personal data in accordance with applicable law.
8. Security Measures
VillaFlow maintains appropriate technical and organizational measures including, but not limited to:
- Encrypted data transmission (TLS/HTTPS).
- Access controls and role-based permissions within the platform.
- Regular security monitoring and vulnerability management.
- Staff confidentiality obligations regarding customer data.
9. Data Subject Rights
If a data subject (e.g. a staff member or property owner) contacts VillaFlow directly to exercise a rights request under applicable law, we will notify you promptly and will not act on that request without your instruction, unless required by law.
10. Duration
This DPA is effective for the duration of your subscription to the Service and terminates when the Service agreement ends, subject to any data retention obligations under applicable law.
11. Governing Law
This DPA is governed by the laws of Thailand. In the event of conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to data processing obligations.
12. Contact
For data protection queries, contact us via our Contact page.