Data Processing Addendum
Effective: March 30, 2026Questions? Contact admin@segflowai.com
For enterprise and business customers
1. Scope and Applicability
This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Data Controller") and SegFlow AI LLC, a Texas limited liability company ("Data Processor"), and governs the processing of personal data in connection with the Service. This DPA applies when you provide personal data to us for processing through the SegFlow AI platform. This DPA is governed by the laws of the State of Texas, consistent with the governing-law provision of the Terms of Service.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that you provide through the Service.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
3. Processing Purpose and Instructions
We will process Personal Data solely for the purpose of providing the Service as described in the Terms of Service. We will process Personal Data only in accordance with your documented instructions, unless required by applicable law to do otherwise.
Human-in-the-Loop QA Processing. For paid-tier accounts (Starter, Professional, and Enterprise), Personal Data submitted in connection with a cost segregation project is reviewed by authorized SegFlow AI personnel as part of a quality assurance sanity check before the AI-generated draft is released to the customer. Standard turnaround is within 48 hours on Starter and the same business day on Professional (for studies submitted before 12pm PT; otherwise the next business day). Enterprise turnaround is set in the customer's contract. This processing is undertaken to provide the Service (catching obvious AI errors before they reach the customer) and is considered a documented instruction of the customer when the customer submits a project to a paid-tier workspace. QA personnel access only the specific project being reviewed, only for the duration of the sanity check, and access is logged. Free-tier projects are processed by AI only and do not undergo human QA review. Customers who require that no SegFlow AI personnel access their Personal Data during processing should use the free tier or contact us at admin@segflowai.com to discuss alternative arrangements.
4. Confidentiality
We ensure that all personnel authorized to process Personal Data — including the QA review personnel described in Section 3 — are bound by written confidentiality obligations and have undergone confidentiality training. We will not disclose Personal Data to third parties except as necessary to provide the Service or as required by law.
5. Security Measures
We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Data is hosted on Vercel's infrastructure, which provides AES-256 encryption at rest and TLS 1.2+ encryption in transit as platform-level security features. SegFlow AI LLC does not implement application-level encryption beyond these platform defaults.
- Role-based access controls with least-privilege principles
- Regular security assessments and vulnerability testing
- Incident detection and response procedures
- Employee security training and awareness programs
- Secure data centers with SOC 2 Type II compliance (via cloud providers)
6. Sub-processors
We use the following sub-processors to deliver the Service. All sub-processors are bound by data processing agreements and process data only as directed by SegFlow AI LLC.
| Sub-Processor | Purpose | Location |
|---|---|---|
| OpenAI, Inc. | AI asset detection and classification (GPT-4 Vision) | United States |
| Anthropic, PBC | AI engineering appraisal (Claude) | United States |
| Replicate, Inc. | Image segmentation (Meta SAM2) | United States |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Vercel, Inc. | Cloud hosting, database (Postgres), and CDN | United States |
| ScraperAPI | Property photo retrieval (Zillow integration) | United States |
We will notify customers of any new sub-processors at least 30 days before they begin processing Personal Data by posting an update to this page and emailing the contact address on your account.
7. Data Subject Rights
We will assist you in responding to data subject requests to access, correct, delete, or port Personal Data, to the extent technically feasible and as required by applicable data protection law.
8. Data Breach Notification
In the event of a Personal Data breach, we will notify you without undue delay (and in any event within 72 hours of becoming aware of the breach) and provide sufficient detail for you to meet your own notification obligations under applicable law.
9. Data Transfers
If Personal Data is transferred outside of your jurisdiction, we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or other legally recognized transfer mechanisms.
10. Audit Rights
You may audit our compliance with this DPA, subject to reasonable notice and during normal business hours. We will provide reasonable cooperation and access to relevant information. Audits shall not unreasonably interfere with our operations.
11. Return and Deletion of Data
Upon termination of the Service, we will, at your election, return or delete all Personal Data within 90 days, except where retention is required by applicable law. We will certify deletion upon request.
12. Duration
This DPA remains in effect for the duration of our processing of Personal Data under the Terms of Service and will automatically terminate when we cease all processing of Personal Data on your behalf.
13. Contact
For DPA-related inquiries, contact us at admin@segflowai.com.