RAGFlow Data Processing Agreement (DPA)
Last Updated: 2026-04-23
This Data Processing Agreement (“DPA”) forms part of the master service agreement, terms of service, order form, or other written agreement between RAGFlow, Inc. (“RAGFlow”, “Processor”) and the customer entity identified in such agreement (“Customer”, “Controller”) (the “Principal Agreement”). This DPA reflects the parties’ commitment to comply with applicable data protection and privacy laws (“Data Protection Laws”) when RAGFlow processes Personal Data on behalf of Customer.
In case of conflict between this DPA and the Principal Agreement regarding the processing of Personal Data, this DPA will prevail.
1. Parties and Purpose
1.1 Purpose
Customer may provide Personal Data to RAGFlow in connection with Customer’s use of RAGFlow’s products and services. RAGFlow will process such data on behalf of Customer solely to provide the services described in the Principal Agreement (“Services”) and in accordance with Customer’s documented instructions.
1.2 Relationship
This DPA does not create a partnership, joint venture, or agency relationship between the parties.
2. Definitions
- Personal Data: Information relating to an identified or identifiable natural person that is processed under this DPA.
- Controller: The entity that determines the purposes and means of the processing of Personal Data.
- Processor: The entity that processes Personal Data on behalf of the Controller.
- Subprocessor: Any third party (including RAGFlow affiliates) engaged by RAGFlow that processes Personal Data on behalf of Customer.
- Applicable Data Protection Laws: Laws such as the EU General Data Protection Regulation (EU GDPR), UK GDPR, Swiss Federal Act on Data Protection, California Consumer Privacy Act (CCPA), and other laws applicable to the parties.
- Standard Contractual Clauses (SCCs): The European Commission’s standard clauses (Module 2: Controller-to-Processor) for cross-border personal data transfers, including any UK or Swiss addenda.
- Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data.
- Documented Instructions: Written instructions from Customer to RAGFlow regarding Personal Data processing (e.g., this DPA, the Principal Agreement, Customer’s service configuration).
- Customer Personal Data: Personal Data that Customer submits to RAGFlow for processing on behalf of Customer.
- Account / Usage Data: Data about Customer’s account, billing, usage, and other administrative records processed by RAGFlow as an independent controller for security, support, analytics and legal obligations.
3. Scope and Roles
3.1 Controller and Processor Roles
Customer acts as the Controller and RAGFlow acts as the Processor with respect to Customer Personal Data. RAGFlow will process Customer Personal Data only on Documented Instructions, unless required by law (in which case RAGFlow will inform Customer unless prohibited).
3.2 Dual Roles and Data Segregation
- Customer Personal Data: RAGFlow processes this solely as a Processor.
- Account / Usage Data: RAGFlow may process this data as an independent controller for its legitimate business operations (e.g., security monitoring, billing, technical logs, compliance auditing). RAGFlow will implement appropriate safeguards and honor the confidentiality of Account / Usage Data.
3.3 Deployment Models
- Hosted Service: RAGFlow operates the Services in its managed environment and is responsible for applicable Security Measures under Section 5.
- Customer‑Hosted / Bring‑Your‑Own‑Cloud: When Customer hosts RAGFlow’s software on Customer’s infrastructure, Customer is responsible for infrastructure-level security (e.g., network configuration, physical security). RAGFlow remains responsible for software-level security and support as defined in this DPA.
3.4 Processing Purpose
RAGFlow provides tools for building AI agents, retrieval augmented generation (RAG) pipelines and vector stores. Processing includes receiving, storing, parsing, indexing, embedding, retrieving, and returning Customer‑provided content and queries, as well as generating AI outputs based on Customer inputs and configurations.
3.5 No Training of Proprietary Models by Default
RAGFlow will not use Customer Personal Data to train or improve its proprietary foundation models unless explicitly agreed in writing.
3.6 Customer Responsibilities
Customer is responsible for:
- Ensuring a lawful basis for collecting and providing Personal Data to RAGFlow.
- Providing necessary notices and obtaining required consents from data subjects.
- Configuring the Services and implementing Customer-side security controls in compliance with Applicable Data Protection Laws.
4. Processing Details
4.1 Categories of Data Subjects
Data subjects may include Customer’s employees, contractors, agents, end users, and other individuals whose data is uploaded or processed via the Services.
4.2 Types of Personal Data
Customer may process names, contact details, identifiers, usage logs, conversational inputs, documents, and other content submitted via the Services. Sensitive or special category data should only be processed with an appropriate lawful basis and must be configured accordingly.
4.3 Duration
RAGFlow will process Personal Data for the term of the Principal Agreement and delete or return such data upon termination or Customer request, subject to Section 10.
5. Security
5.1 Security Measures
RAGFlow implements appropriate technical and organisational measures (“Security Measures”) to protect Personal Data, considering the state of the art, implementation costs, nature and scope of processing, and risks to individuals. At a minimum, RAGFlow will:
- Encryption: Encrypt Personal Data at rest and in transit using industry‑standard algorithms.
- Access Controls: Enforce least‑privilege access controls and multi‑factor authentication for administrative access where feasible.
- Data Segregation: Maintain logical separation of Customer data to prevent cross‑tenant access.
- Logging & Monitoring: Maintain system logs and audit trails of access, configuration changes and deletions, with restricted write permissions.
- Vulnerability Management: Conduct regular vulnerability scanning, penetration testing and timely application of security patches.
- Personnel Security: Require confidentiality obligations and provide security training to personnel involved in Personal Data processing.
- Business Continuity: Implement procedures for regular backup, disaster recovery and service resilience (e.g., high availability and failover), appropriate to the Services.
5.2 Security Addendum
RAGFlow maintains a detailed security standards document or addendum describing its Security Measures. This document (including any third‑party attestations) will be made available to Customer upon request and under reasonable confidentiality obligations. RAGFlow will update the Security Addendum as needed, provided that updates do not materially diminish overall security.
5.3 Material Changes to Security Measures
RAGFlow will notify Customer of any material changes to Security Measures that could meaningfully affect the protection of Personal Data. Where such changes could reduce protection or expand Subprocessor scope, RAGFlow will seek Customer’s feedback and, if required by law or the Principal Agreement, Customer’s written consent before implementing them, except where an urgent change is needed to address a security risk.
5.4 Breach Notification
If RAGFlow becomes aware of a Personal Data Breach affecting Personal Data, RAGFlow will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notice will include known details of the breach, anticipated impact and mitigation actions. RAGFlow will reasonably assist Customer in meeting any legal obligations to notify regulators or data subjects.
6. Subprocessors
6.1 General Authorization
Customer grants RAGFlow a general authorization to engage Subprocessors as necessary to perform the Services.
6.2 Subprocessor List
RAGFlow will maintain a list of current Subprocessors, including their country of processing and general purpose, and will provide the list to Customer upon request or make it publicly available.
6.3 Subprocessor Obligations
RAGFlow will ensure each Subprocessor is bound by written contractual obligations no less protective than those in this DPA regarding confidentiality, security measures and data protection. RAGFlow remains fully liable for the performance of its Subprocessors’ obligations.
6.4 Changes and Objections
- Notice: RAGFlow will notify Customer at least 30 days before adding a new Subprocessor that will process Personal Data.
- Objection Period: Customer may object within 10 days of notice for legitimate data-protection reasons. If the parties cannot reach a resolution, Customer may terminate the affected Services solely with respect to the processing impacted by the new Subprocessor and receive a pro rata refund for any prepaid unused fees.
- Notification Mechanism: RAGFlow may require Customer to subscribe to an email or dashboard notification service for Subprocessor updates. If Customer fails to subscribe, it may be deemed to waive prior notice rights, though RAGFlow will still update the public list.
7. Assistance with Data Subject Rights and Impact Assessments
7.1 Data Subject Requests
Taking into account the nature of the processing, RAGFlow will provide tools or reasonable assistance to Customer to respond to data subject requests (e.g., access, rectification, deletion) under Applicable Data Protection Laws. RAGFlow will not respond directly to a data subject request unless required by law, in which case it will (where permitted) promptly notify Customer.
7.2 Data Protection Impact Assessments
Upon Customer’s reasonable request, RAGFlow will provide information required to assist Customer in conducting data protection impact assessments (DPIAs) and consult with supervisory authorities where required by law.
7.3 Legal Requests
If RAGFlow receives a legally binding request from law enforcement or another authority for disclosure of Personal Data, RAGFlow will (unless legally prohibited) notify Customer before complying and will redirect the requester to Customer where possible.
8. International Data Transfers
8.1 Cross‑Border Mechanisms
Where RAGFlow transfers Personal Data from the European Economic Area (EEA), United Kingdom (UK) or Switzerland to a jurisdiction without a valid adequacy decision, the transfer will be governed by the SCCs (Module 2: Controller-to-Processor) and any required UK or Swiss addenda, which are incorporated by reference into this DPA.
8.2 Alternative Mechanisms
If the SCCs are amended, invalidated or replaced, the parties will cooperate in good faith to implement alternative lawful transfer mechanisms.
9. Data Deletion or Return
9.1 Deletion upon Termination
Upon termination of the Principal Agreement or upon written request by Customer, RAGFlow will, within 30 business days, delete or return all Customer Personal Data (including any copies) in RAGFlow’s possession, unless retention is legally required. If retention is required, RAGFlow will restrict processing to legal purposes only and continue to protect such data.
9.2 No Backup Services
Unless expressly agreed, the Services do not include long-term backup or archival storage of Customer Personal Data. Customer is responsible for its own backups. RAGFlow may maintain system backups for business continuity but will delete them according to its retention schedules.
10. Liability
The parties’ respective liabilities arising out of or in connection with this DPA are subject to the limitation of liability provisions set out in the Principal Agreement. Nothing in this DPA will limit a party’s liability for breaches of this DPA to the extent such limitation is prohibited by law.
11. Updates
RAGFlow may update this DPA as necessary to reflect changes in legal requirements or its services. RAGFlow will provide prior written notice of material changes. If Customer objects to a material change, the parties will work in good faith to reach a mutually acceptable solution. Failing resolution, Customer may terminate the affected Services.
12. Governing Law and Jurisdiction
This DPA will be governed by and construed in accordance with the law specified in the Principal Agreement. Any dispute arising under or in connection with this DPA will be resolved in the courts or arbitration forum stipulated in the Principal Agreement.