Data Processing Agreement (DPA) for RefundCat

Last Updated: September 26, 2024

This Data Processing Agreement (the “DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between RefundCat (“Processor”) and its customer (“Controller”). This DPA is effective as of the date Controller uses RefundCat’s services and governs the processing of personal data under applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Definitions

1.1. “Personal Data”: Any information relating to an identified or identifiable natural person processed under this Agreement.
1.2. “Processing”: Any operation performed on Personal Data, such as collection, storage, use, or deletion.
1.3. “Applicable Laws”: Data protection laws, including the GDPR, CCPA/CPRA, and other relevant laws.
1.4. “Controller”: The entity determining the purposes and means of processing Personal Data.
1.5. “Processor”: RefundCat, which processes Personal Data on behalf of the Controller.

2. Processing of Personal Data

2.1. Scope: Processor will process the following types of Personal Data:
	•	User name and email address (collected during registration via Google login).
	•	Subscription status and related payment data (received from Stripe).

2.2. Purpose: Processor will process Personal Data to:
	•	Complete user registration.
	•	Manage subscription status.
	•	Facilitate refund processing and update refund outcomes.

2.3. Duration: Processor will retain Personal Data for as long as necessary to provide services under the Agreement, unless otherwise requested by the Controller.

3. Processor Obligations

3.1. Processor will:
	•	Process Personal Data only as instructed by the Controller and strictly for the purposes set forth in this DPA.
	•	Ensure that all personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
	•	Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

3.2. Processor will promptly inform the Controller if it believes that any instruction violates applicable data protection laws.

3.3. Processor will assist the Controller in ensuring compliance with its legal obligations under applicable laws, including obligations relating to:
	•	Responding to data subject requests.
	•	Data protection impact assessments (DPIAs).
	•	Notifications to supervisory authorities or data subjects in case of a data breach.

3.4. Processor will make available all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or its appointed auditor.

4. Security Measures

4.1. Technical and Organizational Measures:
Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
	•	Protecting Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
	•	Relying on third-party service providers (e.g., Supabase, Stripe, Vercel) to implement secure data handling practices.

4.2. Data Storage:
All Personal Data is stored in a database hosted by Supabase, with the primary storage location in the United States.

4.3. Access Controls:
Access to Personal Data is limited to authorized personnel who require such access to perform their duties.

4.4. Data Transmission:
Where applicable, Processor will ensure secure transmission of Personal Data, including encryption protocols supported by sub-processors (e.g., HTTPS).

4.5. Data Breach Notification:
In the event of a data breach affecting Personal Data, Processor will:
	•	Notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach.
	•	Provide sufficient details of the breach to enable the Controller to comply with its legal obligations, including:
		◦	The nature of the breach.
		◦	Categories and approximate number of data subjects and data records affected.
		◦	Likely consequences of the breach.
		◦	Measures taken or proposed to address the breach.

5. Sub-Processors

5.1. Processor may engage the following sub-processors:
	•	Supabase: Database hosting and storage.
	•	Stripe: Payment processing.
	•	Vercel: Application hosting and logging.

5.2. Processor will ensure that sub-processors are subject to obligations consistent with this DPA.

6. Cross-Border Data Transfers

6.1. Controller acknowledges that Personal Data may be transferred to the United States or other countries where sub-processors are located. Processor will take steps to ensure such transfers comply with Applicable Laws, including implementing Standard Contractual Clauses (SCCs) where required.

7. Data Subject Rights

7.1. Processor will assist Controller in responding to requests from data subjects to exercise their rights, including access, rectification, and erasure.

7.2. Processor will promptly notify Controller of any such request received directly.

8. Data Retention and Deletion

8.1. Processor will retain Personal Data for the duration of the Agreement, unless the Controller requests deletion.
8.2. Upon receiving a deletion request (via [email protected]), Processor will delete the requested data within 30 days unless otherwise required by law.

9. Liability and Indemnity

9.1. Processor’s liability for any breach of this DPA will be limited to the extent permitted under the Agreement.
9.2. Controller shall indemnify Processor for any costs arising from non-compliance with Applicable Laws by the Controller.

10. Termination

10.1. Upon termination of the Agreement, Processor will delete or return all Personal Data to the Controller, unless otherwise required by law.

11. Miscellaneous

11.1. This DPA is governed by the laws specified in the Agreement.
11.2. This DPA may be updated to reflect changes in data protection laws or Processor’s practices.