M
MarketFlow

Data Processing Agreement

Last updated: February 1, 2026 ยท For GDPR Article 28 compliance

๐Ÿ“‹ About this DPA

This Data Processing Agreement ("DPA") forms part of the MarketFlow Terms of Service and applies where Neo IT Services processes personal data on behalf of the Customer as a data processor under GDPR.

1. Definitions

"Controller" means the Customer who determines the purposes and means of processing personal data. "Processor" means Neo IT Services, which processes personal data on behalf of the Controller. "Personal Data" has the meaning given in GDPR Article 4(1). "Processing" has the meaning given in GDPR Article 4(2).

2. Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the MarketFlow service, for the duration of the agreement, and until all Personal Data is deleted per the Controller's instructions.

3. Nature and Purpose of Processing

Collection, storage, and analysis of e-commerce event data (page views, purchases, add-to-cart, etc.) for the purpose of marketing analytics and automation as described in the MarketFlow documentation.

4. Types of Personal Data

Customer identifiers (email addresses, phone numbers where provided), behavioural data (pages visited, products viewed, purchases made), device identifiers (IP address, browser fingerprint), and UTM/attribution data.

5. Controller Obligations

The Controller shall ensure a valid legal basis exists for processing, provide required notices to data subjects, and promptly inform the Processor of any data subject rights requests or supervisory authority inquiries.

6. Processor Obligations

Process data only on documented instructions from the Controller. Ensure confidentiality. Implement appropriate technical and organisational security measures. Assist the Controller with data subject rights requests. Delete all data on termination.

7. Sub-processors

Neo IT Services uses the following sub-processors: Contabo GmbH (server infrastructure, Germany), Stripe Inc. (payment processing), Razorpay Software Pvt Ltd (payment processing, India only). The Processor will notify the Controller of any sub-processor changes with 30 days notice.

8. Data Transfers

Personal data is stored in the region selected by the Controller (India or EU/Germany). Data is not transferred outside the selected region without explicit instruction from the Controller.

9. Security Measures

TLS 1.3 encryption in transit. AES-256 encryption at rest. Access controls and audit logs. Regular security assessments. Incident response procedures with 72-hour breach notification.

Need a signed DPA?

Growth and Scale plan customers can request a countersigned DPA for their records.

Request Signed DPA โ†’ gdpr@marketflow.io