Data processing addendum
Last updated: 2026-04-22
Draft notice: these terms are a working draft authored by the AccessiFlow team. They have not yet been reviewed by a lawyer qualified in your jurisdiction. Before production launch we will publish reviewed versions and notify existing customers of any material changes. Questions: legal@accessiflowfiji.com.
This Data Processing Addendum (“DPA”) supplements our Terms of service and applies where AccessiFlow (DevPulse Fiji, the “Processor”) processes personal data on behalf of a customer (“Controller”) subject to the EU GDPR, UK GDPR, or equivalent regimes.
Scope of processing
The widget itself processes no personally identifiable information. The DPA is in place for the dashboard: account emails, team membership, audit-log entries, and telemetry country codes. See our privacy policy for the complete list.
Our obligations as Processor
- Process personal data only on documented Controller instructions — in practice, the actions you take through the dashboard and API.
- Ensure our personnel handling personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures: encryption in transit (TLS 1.2+) and at rest (AES-256 via Neon), Argon2id password hashing, AES-256-GCM TOTP secret encryption, least-privilege access, audit logging.
- Assist the Controller with data-subject rights requests (access, correction, deletion, portability).
- Notify the Controller without undue delay of a personal-data breach.
Sub-processors
We use the following sub-processors. Each has a DPA in place with us; we’ll give at least 30 days’ notice before adding or changing any.
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (AWS) | Primary database hosting | ap-southeast-2 (Sydney) |
| Vercel | Application hosting | Global edge, primary US |
| Cloudflare | DNS, CDN, widget delivery | Global |
| Paddle | Merchant of record, billing | UK / global |
| Resend | Transactional email | US |
| Sentry | Error tracking (PII-scrubbed) | US |
International transfers
Where personal data of EU / UK / Swiss residents is transferred outside the EEA / UK / Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK addenda with each sub-processor.
Security incidents
We will notify affected Controllers by email within 72 hours of confirming a personal data breach, with the facts known at the time and subsequent updates as the investigation proceeds.
Return or deletion on termination
On termination we soft-delete your data immediately and hard-delete 30 days later (so we can recover from accidents). You can request immediate hard-deletion at any time.
Audit
Controllers may request an audit once per calendar year by written notice, at least 30 days in advance. We will provide documentation sufficient to evidence compliance with this DPA; on-site audits by reasonable, qualified third parties are accommodated at cost.
Signing
This DPA takes effect automatically when you agree to the Terms of service. Customers requiring a counter-signed version for their records can request one at legal@accessiflowfiji.com.