Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between AmbassadorFlow (GrowSocial LTD, the “Processor”, “we”, “us”) and the business entity that registers for or uses the AmbassadorFlow Platform (the “Client”, “you”, “Controller”).
It applies when we process Personal Data on your behalf as a Processor under GDPR Article 28 and equivalent laws. It is incorporated by reference into our Terms and Conditions and should be read together with our Privacy Policy (especially §10 and §14).
If there is a conflict between this DPA and the Terms regarding the processing of End Customer Data, this DPA prevails for processing matters. All other Terms provisions (including limitation of liability and indemnity) remain in effect.
1. Definitions
- Personal Data, Processing, Controller, Processor, Data Subject, and Supervisory Authority have the meanings in GDPR Article 4.
- End Customer Data means Personal Data relating to your customers, ambassadors, affiliates, creators, referred buyers, or visitors that we Process on your behalf through the Platform.
- Platform means the AmbassadorFlow services described in the Terms, including go.ambassadorflow.com, app.ambassadorflow.com, Shopify app, WooCommerce plugin, and Ambassador Center pages we host for you.
- Sub-processor means a third party engaged by us to Process End Customer Data.
- Standard Contractual Clauses or SCCs means the European Commission’s approved contractual clauses for international data transfers.
2. Subject matter, duration, and nature of processing
2.1 Subject matter
Operation of referral, ambassador, affiliate, and (where enabled) influencer campaign modules you configure on the Platform.
2.2 Duration
For the term of your subscription and use of the Platform, plus any period required to delete or return data under Section 11 and mandatory law (including Shopify shop/redact schedules).
2.3 Nature and purpose
Processing includes collection, storage, organisation, retrieval, use, disclosure, anonymisation, and deletion of End Customer Data to:
- Operate referral and reward programmes you configure
- Generate, deliver, and track discount codes, store credit, and rewards
- Attribute orders and provide reporting
- Detect and reduce fraud, self-referrals, and abuse
- Send transactional communications you enable
- Respond to data-subject and regulatory requests via mandatory platform webhooks and your instructions
2.4 Types of Personal Data
As configured by you and described in Privacy Policy §14, including:
- Identity and contact data (name, email, platform customer ID)
- Order and transaction references (order numbers, reward history, billing city/country)
- Technical and usage data (IP address, browser session hashes, cookie tokens, device/referrer fields on journey events)
- Communications content (transactional email bodies and recipient addresses)
2.5 Categories of data subjects
- Your referral ambassadors and programme participants
- Referred buyers and site visitors interacting with referral surfaces
- Affiliate and creator partners (where those modules are enabled)
3. Client obligations (Controller)
You agree to:
- Determine a lawful basis under applicable privacy law for Processing End Customer Data and for instructing us to Process it.
- Provide transparent privacy notices and programme terms to End Customers (including Ambassador Center privacy pages and store policy snippets).
- Ensure instructions to us comply with applicable law and do not cause us to Process data unlawfully.
- Configure programme rules (rewards, discounts, eligibility) responsibly and review them before and during live operation.
- Respond to End Customer rights requests as Controller; we assist as set out in Section 9.
- Maintain security of your store accounts, API tokens, and plugin credentials.
3.1 How you instruct us
You do not need to send AmbassadorFlow a separate legal document each time you want End Customer Data processed. In a SaaS platform, your instructions are given through how you use and configure the service:
- Signing up and installing — creating an account, installing the Shopify app or WooCommerce plugin, and accepting the Terms and this DPA;
- Platform configuration — programme settings you control (rewards, discounts, eligibility, approval rules, enabled touchpoints, email templates, fraud/security settings such as optional email verification, block lists);
- Day-to-day operation — automated processing required to run what you configured (for example tracking referrals, creating discount codes, sending configured transactional emails, attributing orders, running fraud checks);
- Written support requests — specific actions you ask us to perform (for example help with a GDPR export, correction, or deletion).
AmbassadorFlow will not use End Customer Data for its own unrelated purposes (such as selling data or building advertising profiles). We process End Customer Data only to deliver the Platform services described in the Terms, Privacy Policy §14, and this DPA.
4. Processor obligations (AmbassadorFlow)
We will:
- Process End Customer Data only on your instructions as described in Section 3.1 and within the scope of the Terms and Privacy Policy §14, unless EU or Member State law requires otherwise (in which case we will inform you where legally permitted).
- Ensure persons authorised to Process End Customer Data are bound by confidentiality.
- Implement appropriate technical and organisational measures as described in Privacy Policy §6 (TLS, access controls, logging with 30-day retention, backups, incident response).
- Not engage another Processor (Sub-processor) without meeting Section 5.
- Assist you with Data Subject requests and regulatory enquiries as described in Sections 9–10.
- Delete or return End Customer Data as described in Section 11 on termination or your instruction, subject to mandatory retention.
- Make available information reasonably necessary to demonstrate compliance and allow audits as in Section 12.
- Notify you without undue delay if we become aware of a Personal Data breach affecting End Customer Data.
5. Sub-processors
5.1 Authorised Sub-processors
You authorise us to use the Sub-processors listed at ambassadorflow.com/sub-processor-list as of the date you accept the Terms or this DPA.
Current Sub-processors include (with privacy policies):
- Hetzner Online GmbH (hosting)
- Twilio SendGrid (email delivery)
- MillionVerifier (optional email validation)
- Shopify Inc. (Shopify integration data flows)
Stripe (privacy policy) processes Client billing data only and is not a Sub-processor for End Customer Data unless explicitly stated otherwise in an updated sub-processor list.
5.2 Changes
We may add or replace Sub-processors by updating the public sub-processor list and, where required, notifying you. You may object on reasonable grounds relating to data protection by emailing support@ambassadorflow.com within 30 days of notice. If we cannot reasonably accommodate the objection, you may terminate the affected service or the agreement in accordance with the Terms.
5.3 Flow-down
We impose data-protection obligations on Sub-processors substantially similar to this DPA, including appropriate security measures and, where applicable, SCCs for transfers outside the EEA.
6. International transfers
Primary storage is in the EEA (Hetzner EU). Where End Customer Data is transferred to a country without an adequacy decision, we rely on appropriate safeguards, including SCCs (for example for SendGrid in the United States). Details are in Privacy Policy §5 and the sub-processor list.
7. Security measures
We maintain measures appropriate to the risk, including those summarised in Privacy Policy §6. You acknowledge that no system is completely secure and that you share responsibility for fraud prevention and programme configuration as described in the Terms (including §19).
8. Confidentiality
We treat End Customer Data as confidential and restrict access to personnel and contractors who need it to provide the Platform, subject to confidentiality obligations.
9. Assistance with data-subject requests
We will assist you in responding to Data Subject requests to exercise their rights (access, rectification, erasure, restriction, portability, objection) where technically feasible and where we Process the relevant data on your behalf.
Shopify stores: We implement mandatory GDPR webhooks:
- customers/data_request — compile an export and deliver it to your store contact email.
- customers/redact — anonymise matching End Customer Data in our systems.
- shop/redact — schedule deletion of store-scoped data after uninstall.
For other platforms or manual requests, contact support@ambassadorflow.com. We aim to respond within one month unless a shorter platform deadline applies.
10. Personal Data breaches
We will notify you without undue delay after becoming aware of a Personal Data breach affecting End Customer Data, providing information reasonably available to us to support your regulatory and Data Subject notifications. You are responsible for notifying authorities and Data Subjects where you are the Controller.
11. Deletion and return of data
On termination of the agreement or on your documented request:
- We will delete or anonymise End Customer Data within the timelines in Privacy Policy §14.6 and our retention procedures, except where law requires retention.
- Upon Shopify shop/redact, we schedule purge of store-scoped data (typically after a defined grace period following uninstall).
- We are not obliged to retain End Customer Data after deletion deadlines except audit logs retained for security (without unnecessary personal data).
You may export data available in the Platform before termination. After purge, recovery may not be possible.
12. Audits and information
We will make available reasonable information about our compliance with this DPA (for example summaries of security measures and sub-processor list). You may conduct or commission an audit no more than once per 12-month period on 30 days’ written notice, during normal business hours, subject to confidentiality and minimal disruption.
Unless required by a Supervisory Authority or a confirmed material breach, audits are limited to documentation review and remote sessions; on-site audits require mutual agreement and may be charged at reasonable rates if disproportionately burdensome.
13. Liability
Liability for Processing is subject to the limitation of liability and indemnity provisions in the Terms. Each party remains liable to Data Subjects under applicable law for its own role as Controller or Processor.
14. Order of precedence and amendments
This DPA is incorporated into the Terms. We may update this DPA to reflect legal, product, or sub-processor changes by posting a revised version at ambassadorflow.com/dpa.
15. Contact
Data protection and DPA enquiries:
support@ambassadorflow.com
GrowSocial LTD, Level 5, Carolina Court, Giuseppe Cali Street, Ta’Xbiex XBX 1425, Malta
Schedule A — Processing details (summary)
| Item | Detail |
|---|---|
| Processor | GrowSocial LTD (AmbassadorFlow) |
| Controller | Client (merchant) |
| Subject matter | Referral / ambassador / affiliate / campaign programmes |
| Duration | Subscription term + deletion period |
| Data subjects | Ambassadors, referred buyers, visitors, affiliates, creators |
| Personal data categories | See Section 2.4 and Privacy Policy §14.2 |
| Special categories | None intentionally processed |
| Sub-processors | Sub-processor list |
| Transfers | EEA primary; SCCs where applicable (see §6) |