Data Processing Agreement (DPA)

Version 1.0 — Effective from May 5, 2026

This Data Processing Agreement (“DPA”) forms part of the FeedFlow Terms of Service between you (the “Controller”) and FeedFlow (“Processor”). It applies where you use FeedFlow to process personal data of your website visitors.

1. Definitions

“Personal Data,” “Processing,” “Controller,” and “Processor” have the meanings given in the GDPR (EU 2016/679).

2. Subject matter and purpose

FeedFlow processes the following categories of data on your behalf:

  • Widget embed events (widget ID, timestamp, approximate country derived from IP — IP not stored)
  • OAuth tokens from your connected social accounts

Processing purpose: providing the widget rendering and analytics service you have subscribed to.

3. Processor obligations

FeedFlow will:

  • Process data only on documented instructions from you
  • Ensure persons authorised to process data are bound by confidentiality
  • Implement appropriate technical and organisational measures (see our Security page)
  • Not engage sub-processors without prior notice (see Subprocessors)
  • Assist you in responding to data subject rights requests
  • Delete or return all data upon termination of the agreement
  • Provide information necessary to demonstrate compliance with GDPR Article 28

4. International transfers

Data is stored in AWS us-east-1 (USA). Transfers from the EU/UK are covered by the EU Standard Contractual Clauses (SCCs) incorporated by reference into this DPA.

5. Security

We apply the security measures described in our Privacy Policy, including encryption at rest, TLS in transit, and access controls.

6. Audit rights

You may request an audit (or review of audit reports) no more than once per year with 30 days advance notice.

Need a signed DPA?

By using FeedFlow as a paying customer you accept this DPA. If your procurement team requires a countersigned copy, email us.

Request signed DPA