Legal
Data Processing Addendum
Last updated · May 2026
1. Roles
Customer is the Controller; RelyvFlow is the Processor. This DPA forms part of the agreement between us.
2. Sub-processors
AWS (hosting), Stripe (billing), Postmark (transactional email), Datadog (observability), Cloudflare (DDoS + WAF). 30-day notice for additions; right to object.
3. Security
We maintain SOC2 Type II, encrypt data at rest (AES-256) and in transit (TLS 1.3), and run annual penetration tests.
4. Breach notification
We notify Customer within 72 hours of confirming a breach involving Customer Personal Data.
5. International transfers
Standard Contractual Clauses (EU 2021/914) in place for any transfer outside the EEA.
6. Data subject requests
We assist Customer in fulfilling DSARs at no additional cost.
7. Termination
On termination, we delete or return all Customer Personal Data within 30 days unless legally required to retain.