1. Application and precedence
This Data Processing Addendum (“DPA”) forms part of the ReachFlow Terms of Service between Customer and PixelCode Studio Inc., operating ReachFlow. It applies where ReachFlow processes Personal Data on Customer’s behalf in connection with the service.
If this DPA conflicts with the Terms concerning Personal Data processing, this DPA controls to the extent of the conflict.
2. Definitions
“Applicable Data Protection Law” means privacy and data-protection law applicable to the processing, including PIPEDA and, where applicable, provincial Canadian privacy laws, the GDPR, UK GDPR, or other mandatory law.
“Customer Personal Data” means Personal Data contained in Customer Data that ReachFlow processes on Customer’s behalf.
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Process,” and “Supervisory Authority” have the meanings assigned by Applicable Data Protection Law.
3. Roles and instructions
Customer is the Controller or organization responsible for Customer Personal Data. ReachFlow is the Processor or service provider, except where ReachFlow independently determines processing purposes for account administration, security, billing, abuse prevention, and legal compliance.
ReachFlow will process Customer Personal Data only on Customer’s documented instructions, including the Terms, Customer’s use and configuration of the service, and support requests, unless required by law.
4. Customer obligations
Customer will:
- ensure its instructions and processing comply with Applicable Data Protection Law;
- provide required notices and obtain required consent or other lawful authority;
- limit Customer Personal Data to what is necessary;
- respond to Data Subject requests and regulatory inquiries;
- avoid uploading prohibited or highly sensitive data unless expressly agreed in writing.
5. Confidentiality
ReachFlow will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations and access it only as necessary for their duties.
6. Security measures
ReachFlow will maintain reasonable technical and organizational measures appropriate to risk, which may include access controls, authentication, logging, encryption in transit, encryption at rest where supported, backups, vulnerability and patch management, restricted administrative access, incident response, and vendor management.
Customer acknowledges that security is a shared responsibility and must configure user access, credentials, exports, sender accounts, and integrations securely.
7. Subprocessors
Customer authorizes ReachFlow to engage subprocessors for hosting, email delivery, monitoring, support, billing, security, and related operations. Current core subprocessors may include Amazon Web Services and Vultr.
ReachFlow will require subprocessors that process Customer Personal Data to be bound by data-protection obligations appropriate to the services they perform. ReachFlow remains responsible for its subprocessors to the extent required by Applicable Data Protection Law.
Customer may request current subprocessor information by contacting support@pixelcode.ca.
8. International transfers
Customer authorizes processing in Canada, the United States, and other locations where ReachFlow or its subprocessors operate. ReachFlow will use legally recognized transfer and contractual mechanisms where required.
If the GDPR or UK GDPR applies and a restricted transfer requires Standard Contractual Clauses or an equivalent transfer mechanism, the applicable legally approved clauses are incorporated to the extent necessary, with Customer as data exporter and ReachFlow as data importer, unless another mechanism applies.
9. Data Subject requests
Taking into account the nature of processing, ReachFlow will provide reasonable assistance to Customer with access, correction, deletion, objection, restriction, portability, or similar requests. Where a Data Subject contacts ReachFlow regarding Customer Personal Data, ReachFlow may direct the request to Customer.
10. Security incidents
ReachFlow will notify Customer without undue delay after becoming aware of a confirmed breach of security safeguards involving Customer Personal Data where notification is required by Applicable Data Protection Law. Notice will include available information reasonably necessary for Customer to meet its obligations.
Notification is not an admission of fault or liability. Customer is responsible for determining whether notification to individuals or authorities is required.
11. Assistance and assessments
ReachFlow will provide reasonable information and assistance concerning security, impact assessments, consultations, and compliance requests, taking into account the nature of processing and information available. Additional or exceptional assistance may be subject to reasonable fees.
12. Audits
Upon reasonable written request, ReachFlow will provide available information reasonably necessary to demonstrate compliance with this DPA. If that information is insufficient and law requires an audit, Customer may conduct an audit no more than once annually through an independent auditor, subject to confidentiality, scope, security, timing, and non-disruption requirements. Customer bears audit costs unless a material breach is found.
13. Return and deletion
During the subscription, Customer may export Customer Data using available features. After termination, ReachFlow will delete or anonymize Customer Personal Data within a reasonable period unless retention is required or permitted for backups, legal obligations, security, fraud prevention, disputes, or suppression purposes.
14. Processing details
Subject matter and duration
Hosting and processing Customer Personal Data to provide ReachFlow for the duration of the Customer account and applicable retention period.
Nature and purpose
Collection, storage, organization, segmentation, retrieval, transmission, campaign delivery, automation, reporting, suppression, support, security, and deletion.
Categories of Data Subjects
Customer users, subscribers, contacts, prospects, customers, event participants, and other individuals whose information Customer submits.
Types of Personal Data
Names, email addresses, organization and role information, custom fields, consent and subscription records, engagement and delivery events, IP or device information where collected, campaign interactions, and other data configured by Customer.
Sensitive data
The service is not intended for sensitive personal data unless expressly agreed in writing and lawfully configured by Customer.
15. Contact
DPA and privacy questions may be sent to support@pixelcode.ca.