Data Processing Agreement

Data Processing Agreement (Summary)

This page summarizes the key points of our Data Processing Agreement. For a full, signed copy for your records, contact support@inflowave.io.

Parties & roles

The DPA is between AIAGS Ltd (Inflowave) and you (the customer). Under this agreement:

  • You are the data controller (or equivalent under local law).
  • Inflowave is the data processor for personal data you send to the platform.

Subject matter & duration

Inflowave processes personal data solely to provide the services described in your subscription, including Instagram CRM, messaging, analytics, and marketplace functionality. Processing continues for as long as you maintain an active account and for the retention periods described in our Privacy Policy.

Subprocessors

We rely on carefully selected subprocessors for infrastructure, payments, communications, analytics, and integrations (for example, Supabase, AWS, Stripe, SendGrid, and Meta/Instagram).

The DPA:

  • Lists core subprocessors and their roles.
  • Requires subprocessors to provide comparable security and privacy safeguards.
  • Commits to notifying you of material changes to the subprocessor list where required.

Security measures

Inflowave commits to implementing appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls, least-privilege permissions, and audit logging.
  • Regular backups and disaster recovery procedures.
  • Security monitoring and incident response runbooks.

You can read more on our Security page.

Data subject rights

Under the DPA, we assist you in fulfilling data subject requests (access, deletion, correction, portability, etc.) where Inflowave is involved in processing. This is coordinated through our support channels and is subject to authentication and legal requirements.

International transfers

When personal data leaves the UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as described in our Privacy Policy.

Breach notification

In the unlikely event of a personal data breach affecting your data, Inflowave will notify you without undue delay and provide the information required by GDPR and other applicable laws, so that you can meet your own notification obligations.

Requesting a signed DPA

If your organization requires a signed copy of the full DPA for vendor due diligence or audits, email support@inflowave.io and our team will provide the latest version and signature process.