LumberFlow
This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Customer ("Controller") and LumberFlow Inc. ("Processor").
This Data Processing Addendum (“DPA”) forms part of the Agreement between Customer (“Business”) and LumberFlow LLC (“Service Provider”). This DPA reflects the parties’ agreement regarding the processing and protection of Personal Information in accordance with applicable US privacy laws, including:
California Consumer Privacy Act (CCPA/CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Texas Data Privacy and Security Act (TDPSA)
Any similar US state privacy laws that may come into effect
If Customer requires GDPR or global data processing terms, LumberFlow can provide a Global DPA Addendum upon request.
Under this DPA:
“Personal Information” or “Personal Data” means any information linked or reasonably linkable to an identified or identifiable natural person as defined under US privacy laws.
“Business” means Customer as defined under relevant state privacy laws.
“Service Provider” means LumberFlow as defined under the CCPA and equivalent terms under other state laws (e.g., “Processor”).
“Processing” means any operation performed on Personal Information.
“Deidentified Data” means data that cannot reasonably identify an individual and meets the criteria under applicable laws.
“Customer Data” means any data or content Customer submits or routes through the Service.
Service Provider processes Personal Information solely to provide the LumberFlow Service, including:
parsing emails, documents, RFQs, quotes, and communications
extracting procurement data using AI and automation
routing communications through shared inboxes (e.g., rfq@lumberflow.com)
displaying and analyzing procurement data
operating, maintaining, supporting, and improving the Service
Service Provider will not:
sell Personal Information
share Personal Information for cross-context behavioral advertising
use Personal Information for its own marketing or profiling
combine Personal Information with other data except as permitted for Service Provider purposes
These restrictions satisfy the requirements of CCPA/CPRA §1798.140(v) and similar US privacy laws.
Personal Information may include:
Names, emails, phone numbers, job titles
Supplier and buyer contact details
Business communications and purchasing records
Data contained within RFQs, quotes, emails, or business documents
Metadata and usage information related to the Service
Service Provider shall:
Process Personal Information only:
to provide and improve the Service, or
as required by applicable law.
Service Provider shall NOT:
sell Personal Information
retain, use, or disclose Personal Information outside the direct business relationship
use Personal Information for targeted advertising
use Personal Information to train generalized AI models not specific to the Customer’s use case
Personnel handling Personal Information are bound by confidentiality obligations.
Service Provider will implement and maintain the safeguards detailed in Annex A.
Service Provider shall notify Customer of any unauthorized access or breach of Personal Information without unreasonable delay.
To the extent required by law, Service Provider will assist Customer in handling consumer rights requests including:
access
deletion
correction
opt-out rights (where applicable)
Customer authorizes Service Provider to use Sub-processors to provide the Service.
Service Provider will maintain an updated list of Sub-processors and provide it upon request.
Service Provider will ensure Sub-processors are bound by written agreements with privacy and security obligations at least as protective as this DPA.
Service Provider will notify Customer of material changes to Sub-processors and provide Customer the ability to reasonably object.
Upon Customer request or termination of the Agreement:
Service Provider will return or delete Customer Data,
except where retention is required by law or for limited backup/archival purposes.
Backups containing Personal Information will be deleted according to a standard retention cycle.
Service Provider may create and use deidentified or aggregated data for:
analytics
benchmarking
improving the Service
product development
Service Provider will:
maintain deidentification as required under CCPA/CPRA §1798.140(m)
not attempt to reidentify deidentified data
Customer is responsible for:
ensuring it has all necessary rights to provide Personal Information to Service Provider
obtaining any required consents for routing emails and communications through shared inboxes
complying with its own privacy obligations to its employees, suppliers, and business contacts
Upon written request (no more than once per year), Service Provider will make available documentation necessary to demonstrate compliance with this DPA.
Remote audits or review of Service Provider’s third-party security certifications will satisfy audit requirements unless otherwise required by law.
The liability limitations in the Agreement apply to this DPA in full.
This DPA is governed by the same governing law as the Agreement (typically Washington state law), except where prohibited by applicable privacy laws.
LumberFlow maintains industry-standard security measures, including:
TLS 1.2+ for data in transit
AES-256 encryption at rest
Role-based access
MFA for administrative users
Strict least-privilege policies
Hosting via Vercel and Neon, with SOC 2 / industry certifications
Network isolation and firewalling
Application and system logging
Real-time monitoring (Sentry, etc.)
Threat and anomaly detection
Confidentiality agreements
Security training
Access reviews
Automated backups
Disaster recovery plans
Isolation of customer datasets
Guardrails to prevent inter-customer data leakage
No use of Customer Data to train generalized public models