Data Processing Addendum
Last updated: June 11, 2026
Template language — to be reviewed by qualified counsel before execution. By using RecovraFlow to process personal data of your end-customers, you agree to this Data Processing Addendum ("DPA"), which forms part of our Terms of Service.
1. Roles
With respect to personal data you upload, sync, or otherwise submit to the Service about your end-customers ("Customer Personal Data"), you act as the controller (or "business" under CCPA) and RecovraFlow acts as the processor (or "service provider" under CCPA), processing only on your documented instructions.
2. Subject matter, duration, nature, and purpose
- Subject matter: provision of the chargeback recovery and dispute management Service.
- Duration: the term of your subscription, plus any post-termination retention required to provide the Service or comply with law.
- Nature and purpose: ingesting dispute data from connected payment processors, storing and displaying it to authorized users, generating AI-assisted rebuttal text for human review, and submitting rebuttal evidence at your instruction.
- Types of personal data: end-customer names, email addresses, billing addresses, transaction identifiers, order details, IP addresses, dispute reason codes, and evidence files you upload.
- Categories of data subjects: your end-customers and prospective customers.
3. Processor obligations
RecovraFlow will:
- Process Customer Personal Data only on your documented instructions, including the Service configuration and these Terms;
- Ensure persons authorized to process Customer Personal Data are bound by confidentiality;
- Implement appropriate technical and organizational security measures (Annex A below);
- Engage sub-processors only under the terms of Section 5;
- Assist you, taking into account the nature of the processing, in responding to data subject requests and meeting your obligations under Articles 32–36 GDPR;
- Delete or return all Customer Personal Data after the end of the Service, at your choice, unless retention is required by law;
- Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you (subject to reasonable confidentiality, scope, frequency, and cost terms).
4. Security measures (Annex A)
- Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest;
- Role-based access control with least-privilege principles;
- Multi-factor authentication for administrative access;
- Audit logging of administrative and security-relevant events;
- Network and platform hardening, vulnerability management, and dependency scanning;
- Background checks where legally permitted, and security awareness training for personnel;
- Documented incident response and business-continuity processes.
5. Sub-processors
You provide a general written authorization for RecovraFlow to engage the sub-processors listed on the Sub-processors page. We will give you at least 30 days' notice of any intended addition or replacement of sub-processors (typically by updating the page and notifying you in-product or by email), giving you a reasonable opportunity to object on legitimate data-protection grounds. RecovraFlow remains liable for the acts and omissions of its sub-processors to the same extent as for its own.
6. International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable) and, for UK transfers, the UK International Data Transfer Addendum.
7. Personal data breach notification
RecovraFlow will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Customer Personal Data breach, with the information reasonably available at the time and follow-up updates as more is known.
8. CCPA service-provider terms
To the extent RecovraFlow processes "personal information" of California residents on your behalf, it is a "service provider" under CCPA/CPRA. RecovraFlow will not:
- Sell or share such personal information;
- Retain, use, or disclose it outside the direct business relationship with you;
- Combine it with personal information received from or on behalf of others, except as permitted by CCPA regulations.
RecovraFlow will provide the same level of privacy protection required of you under CCPA and notify you if it can no longer meet its obligations.
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a data subject's rights under applicable law.
10. Order of precedence
If there is a conflict between this DPA and the Terms with respect to processing of Customer Personal Data, this DPA prevails.
11. Contact
Data-protection contact: privacy@recovraflow.com.