When you use RevFlowLab to process personal data about your own customers and contacts, you are the controller and we are your processor. This Agreement sets out how we handle that data: only on your instructions, under confidentiality, with security measures, named subprocessors, breach notification, and deletion or return when our relationship ends. It forms part of, and is governed by, our Terms of Service.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Client," the "Controller") and RevFlowLab ("we," "us," the "Processor"). It applies where, in providing the Service, we process personal data on your behalf, for example data about your customers, subscribers, leads, or contacts ("Client Personal Data"). For personal data where we determine the purposes and means of processing (such as your own account and billing data), we act as a controller and our Privacy Policy applies instead.
In this DPA, "data protection law" means all privacy and data protection laws applicable to the processing, including the EU and UK General Data Protection Regulation (GDPR), and applicable US state privacy laws.
You are responsible for the accuracy and lawfulness of the Client Personal Data you provide, and for having a valid legal basis and any required consents for us to process it on your behalf.
We maintain appropriate technical and organisational measures designed to protect Client Personal Data, including encryption in transit (TLS), encryption of stored sending credentials and tokens, access controls on a least-privilege basis, logical separation of client workspaces, and regular security reviews. We may update these measures over time provided the overall level of protection is not reduced.
You grant us general authorisation to engage the subprocessors listed in our Privacy Policy. We impose data protection obligations on each subprocessor that are materially equivalent to those in this DPA, and we remain responsible for their performance. Before adding or replacing a subprocessor that processes Client Personal Data, we will update that list and, on request, notify clients with an active DPA. You may object on reasonable data protection grounds within 30 days of notice; if we cannot reasonably accommodate the objection, you may terminate the affected part of the Service.
Taking into account the nature of the processing, we will assist you with appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, correction, deletion, portability, objection, and similar). If a data subject contacts us directly about Client Personal Data, we will, where lawful, refer them to you and not respond substantively without your instruction. Requests may be sent to badis@revflowlab.com with subject line "DPA - Data Subject Request".
We will notify you without undue delay after becoming aware of a personal data breach affecting Client Personal Data, and in any event within 72 hours, providing the information reasonably available to us so that you can meet your own notification obligations. We will take reasonable steps to contain and remediate the breach.
On reasonable written notice, and no more than once per year unless required by a supervisory authority or following a breach, we will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by you or an independent auditor you mandate. Audits are subject to confidentiality, must not disrupt our operations, and must respect the security and confidentiality of other clients' data.
Client Personal Data may be processed in countries other than your own, including by the subprocessors listed in our Privacy Policy. Where data protection law requires it (for example, for transfers from the UK or EEA), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference where applicable.
Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service (Section 16).
On termination of the Service, and at your choice, we will delete or return all Client Personal Data and delete existing copies within 30 days, unless storage is required by law. Connected-account credentials and tokens are deleted promptly on disconnection or account closure.
This obligation does not apply to anonymised, aggregated statistical patterns that no longer constitute personal data and have already been incorporated into the system's learning models. That data cannot be individually identified, isolated, or extracted, contains nothing that identifies a data subject or your brand, and is retained as part of the system's learning infrastructure. This is consistent with Section 10.1 of our Privacy Policy.
This DPA is incorporated into and governed by the Terms of Service. In the event of a conflict between this DPA and the rest of the Terms regarding the processing of Client Personal Data, this DPA prevails. The governing law and dispute resolution provisions of the Terms (Section 19) apply to this DPA.
For DPA questions, subprocessor notices, or data subject requests:
badis@revflowlab.comSign / Request DPA - "DPA Request"
Data Subject Request - "DPA - Data Subject Request"
Subprocessor Notice - "Subprocessor Notification"