1. Overview
Floway Studio acts as the Data Controller for end-user personal data. The technical service providers below (sub-processors) act as Data Processors and only process data on our instructions.
Each sub-processor has signed a Data Processing Agreement with us (using their standard DPA template or ours) committing to: (a) process data only for the specified purpose, (b) apply appropriate security measures, (c) assist us in fulfilling user rights requests, (d) notify us of data breaches promptly, (e) return or delete data after the contract ends.
2. Cloudflare, Inc.
Cloudflare provides our infrastructure and CDN, including: D1 database, Pages hosting, Workers runtime. (R2 object storage will be enabled when avatar upload ships — not currently in use.)
- Data processed: ALL data is stored on Cloudflare infrastructure
- Location: global network (US, EU, Asia, ...) — nearest data center selected
- DPA: https://www.cloudflare.com/cloudflare-customer-dpa/
- Certifications: ISO 27001, SOC 2 Type II, GDPR/CCPA-ready
- Encryption: AES-256 at rest, TLS 1.3 in transit
3. payOS (Vietnamese payment gateway)
payOS processes domestic VND payments (bank transfer / QR code) when you buy a credit pack. We NEVER store your bank account or card details — payOS and your bank handle that; we only receive the order code, amount and transaction status.
- Data processed: order code, amount (VND), payment status, transaction reference (NO account/card numbers — handled by payOS and your bank)
- Location: Vietnam (payment data processed domestically, not transferred abroad)
- Docs: https://payos.vn/docs/
- Security: webhook authenticated via HMAC-SHA256 signature (merchant secret key)
4. Resend, Inc.
Resend sends transactional emails (password reset, payment receipts) on our behalf.
- Data processed: recipient email, email content, delivery status
- Location: United States (via AWS US regions)
- DPA: https://resend.com/legal/dpa
- Transfers: SCC
5. Google LLC (OAuth)
Google is an optional identity provider if you choose to sign in with Google. We receive email, Google ID, name, and avatar URL via the OAuth 2.0 + OpenID Connect protocol.
- Data processed: email, Google ID, name, avatar URL (only when you choose "Sign in with Google")
- Location: Google global servers
- Policy: https://policies.google.com/privacy
- Certifications: ISO 27001, SOC 2/3
6. Sentry, Inc.
Sentry tracks technical errors (crash reports, stack traces) so we can detect and fix incidents quickly. We do NOT send user personal data with error reports — only stack traces and technical context.
- Data processed: stack trace, browser/OS info, request ID (NOT email, password, or work content)
- Location: United States
- DPA: https://sentry.io/legal/dpa/
- Transfers: SCC
7. Changes to sub-processor list
When we add or change a sub-processor, we will:
- Update this page with details and the change date
- Notify all customers who have made a transaction via email at least 14 days before the new sub-processor begins processing data
Customers have the right to object; if you disagree, you may stop using the service and request handling of any unused credits per the Refund Policy.
8. Enterprise customers
If your organization requires a separate signed DPA (particularly EU customers with internal GDPR Art. 28 obligations), we provide a standard template free of charge. Contact hello@flowaystudio.com with your legal entity name, business registration number, and Data Protection Officer contact.
If you are an enterprise customer (EU) requiring a custom DPA between Floway Studio and your organization to comply with internal Art. 28 obligations, please contact hello@flowaystudio.com — we provide a template free of charge.
