DPA

Data processing addendum.

The terms that govern our role as a data processor for the personal data of your shoppers. Forms part of the Terms of Service.

Last updated · May 14, 2026

1. Definitions

  • Customer — The brand or merchant accepting the Agreement.
  • Customer Data — Personal data that Customer uploads to, or generates within, the Service.
  • Data Subject — An individual whose personal data appears in Customer Data — typically a shopper.
  • Sub-processor — A third party engaged by GFL to assist in processing Customer Data.
  • Applicable Law — GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and other data-protection laws relevant to the parties.

2. Roles

Customer is the Controller. GFL is the Processor. Where GFL determines purposes for its own legitimate business (security, fraud prevention, aggregate analytics), GFL acts as Controller for that limited use.

3. Scope & instructions

GFL will process Customer Data only on documented instructions from Customer — meaning the configuration of the Service and any written instructions provided through support channels. Customer is responsible for the lawfulness of those instructions.

4. Sub-processors

Customer authorizes GFL to engage Sub-processors. The current list is published at trust.growthflowline.com/subprocessors. GFL will give Customer at least 30 days' notice before adding or replacing a Sub-processor. Customer may object on reasonable grounds; the parties will work in good faith to address the objection.

5. Security

GFL maintains the technical and organizational measures described on our security page, including PCI DSS Level 1, SOC 2 Type II, encryption at rest and in transit, least-privilege access controls, and ongoing penetration testing.

6. International transfers

For transfers out of the EEA / UK / Switzerland, the parties enter into the EU Standard Contractual Clauses (Module 2 — Controller → Processor) incorporated herein by reference. The UK Addendum and the Swiss Annex apply where relevant. For US transfers, GFL is certified under the Data Privacy Framework.

7. Data subject requests

If a Data Subject contacts GFL with a request, GFL will route it to Customer without delay. GFL provides self-service tooling inside the Service to help Customer respond — export, delete, restrict, rectify.

8. Breach notification

GFL will notify Customer of any Personal Data Breach without undue delay — and in any event within 48 hours of confirmation. The notification will describe nature, scope, likely consequences, and the measures GFL is taking.

9. Audits

Customer is entitled to audit GFL's compliance with this DPA. In practice, GFL satisfies this by providing its SOC 2 Type II report and other third-party attestations on request, under NDA. On-site audits are available to Enterprise customers, with at least 30 days' notice, during business hours, no more than once per 12 months.

10. Return & deletion

At termination or on Customer's written request, GFL will return Customer Data (export) within 90 days and delete it from active systems and from backups within 35 days thereafter. Some metadata required for legal or accounting obligations may be retained longer, in encrypted form.

Counter-signatures

This DPA takes effect on the date Customer accepts the Terms. A counter-signed PDF is available on request — email legal@growthflowline.com.