
Data Processing Agreement

Last updated: 29 March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between FirmFlow Ltd ("Processor", "we") and the Firm Owner ("Controller", "you") and governs the processing of personal data by FirmFlow on behalf of the Controller.

This DPA is entered into in compliance with Article 28 of the UK GDPR and EU GDPR.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.

"Data Subject" means the individual whose personal data is being processed (e.g., your Clients).

"Sub-processor" means any third party engaged by FirmFlow to process personal data on behalf of the Controller.

3. Scope of Processing

3.1 Subject Matter: Provision of the FirmFlow SaaS platform for document management, e-signatures, invoicing, time tracking, messaging, and client portal services.

3.2 Duration: For the duration of the subscription agreement plus the data retention period specified in our Privacy Policy.

3.3 Nature and Purpose: Storage, organisation, retrieval, transmission, and display of personal data as necessary to provide the Platform services.

3.4 Types of Personal Data: Names, email addresses, phone numbers, addresses, financial information (invoice amounts, payment status), documents, signatures, messages, and time entries.

3.5 Categories of Data Subjects: Clients of the Firm Owner and their contacts.

4. Obligations of the Processor

FirmFlow shall:
(a) Process personal data only on documented instructions from the Controller, unless required by law;
(b) Ensure that persons authorised to process personal data are bound by confidentiality obligations;
(c) Implement appropriate technical and organisational security measures;
(d) Not engage sub-processors without prior authorisation of the Controller;
(e) Assist the Controller in responding to data subject requests;
(f) Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations;
(g) Delete or return all personal data upon termination of the agreement, at the Controller's choice;
(h) Make available all information necessary to demonstrate compliance with these obligations.

5. Sub-processors

The Controller provides general authorisation for FirmFlow to engage sub-processors. Current sub-processors are: Supabase (database and authentication, EU), Vercel (hosting, global CDN), Stripe (payment processing, US/EU), Resend (email delivery, US), and Anthropic (AI processing, US).

FirmFlow will notify the Controller of any changes to sub-processors at least 30 days in advance. The Controller may object to a new sub-processor within 14 days of notification.

6. Security Measures

FirmFlow implements the following security measures:
(a) AES-256 encryption at rest;
(b) TLS 1.2+ encryption in transit;
(c) Row-level security for data isolation between firms;
(d) Two-factor authentication (TOTP);
(e) Regular automated backups;
(f) Access logging and audit trails;
(g) Principle of least privilege for internal access;
(h) Regular security assessments.

7. Data Breach Notification

In the event of a personal data breach, FirmFlow shall:
(a) Notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach;
(b) Provide sufficient information to enable the Controller to meet its obligations to report the breach to supervisory authorities and data subjects;
(c) Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

8. International Transfers

Where personal data is transferred outside the UK/EEA, FirmFlow ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK Information Commissioner's Office.

9. Data Subject Rights

FirmFlow will assist the Controller in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. FirmFlow will promptly notify the Controller if it receives a request directly from a data subject.

10. Audit Rights

The Controller has the right to audit FirmFlow's compliance with this DPA. FirmFlow will cooperate with reasonable audit requests and provide relevant documentation. Audits shall be conducted with reasonable notice and during normal business hours.

11. Termination

Upon termination of the subscription, FirmFlow will:
(a) Cease processing personal data on behalf of the Controller;
(b) At the Controller's choice, delete or return all personal data within 30 days;
(c) Delete existing copies unless retention is required by law.

12. Contact

FirmFlow Ltd
Email: hello@firmflow.org
Website: www.firmflow.org