Data Processing Addendum

Last Updated: May 29, 2026

This Data Processing Addendum ("DPA") forms part of the IntentFlo Terms of Service between Intentflo LLC ("IntentFlo") and the customer ("Customer"). This DPA applies to Customer Data that constitutes "Personal Data" (or similar term) under applicable data protection laws and is processed by IntentFlo on Customer's behalf in connection with the Services.

Where there is a conflict between this DPA and the Terms, this DPA controls with respect to the parties' data protection obligations.
Section 1 — Roles of the Parties

1.1 Customer as Controller

Customer is the "controller" or "business" (as applicable) with respect to Personal Data included in Customer Data.

1.2 IntentFlo as Processor

IntentFlo is a "processor" or "service provider" (as applicable) that processes Personal Data on behalf of Customer solely to provide the Services.

Section 2 — Scope of Processing

2.1 Subject Matter

Provision of the Services, including integrations, audience activation workflows, identity resolution support, hosting, troubleshooting, support, and security.

2.2 Duration

The term of the Terms, plus any period required for deletion and backup retention consistent with the Terms and this DPA.

2.3 Nature and Purpose

Processing as necessary to provide, secure, maintain, and improve the Services, and to comply with applicable law.

2.4 Types of Personal Data

May include business contact information, CRM records, audience identifiers (including hashed identifiers), campaign inputs, and other information submitted to the Services by or on behalf of Customer.

2.5 Categories of Data Subjects

Customer's employees, contractors, prospects, leads, customers, and other individuals whose data Customer submits to the Services.

Section 3 — Customer Obligations

Customer represents and warrants that it:

Customer is responsible for the accuracy, quality, and legality of Customer Data.

Section 4 — IntentFlo Obligations

4.1 Process on Instructions

Process Personal Data only on documented instructions from Customer, including as set forth in the Terms, this DPA, and Customer's use and configuration of the Services.

4.2 Confidentiality

Ensure persons authorized to process Personal Data are subject to confidentiality obligations.

4.3 Security

Implement reasonable administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized access, loss, alteration, or disclosure, including encryption in transit (TLS) and at rest where applicable.

4.4 No Sale of Customer Data

Not "sell" Customer Data as that term is defined under applicable privacy laws, and not retain, use, or disclose Customer Data outside of providing the Services, except as permitted by applicable law and the Terms (including security, fraud prevention, and product improvement using de-identified or aggregated data where permitted).

4.5 Data Storage and Hashing

Customer acknowledges that IntentFlo stores certain Customer Data (including business contact identifiers such as email addresses and phone numbers) in plaintext form at rest in AWS DynamoDB in the United States (us-east-1) for operational purposes. For clarity, "plaintext" refers to the logical data format prior to the storage layer's encryption; data stored in AWS is protected by encryption at rest and in transit provided by AWS and industry-standard protocols. Where supported by an advertising platform, IntentFlo applies SHA-256 hashing to identifiers at the time of transmission to advertising platforms for audience activation.

Section 5 — Subprocessors

5.1 Authorization

Customer authorizes IntentFlo to use Subprocessors to process Customer Data in connection with the Services.

5.2 Current List

A current list of Subprocessors is maintained at: intentflo.com/subprocessors/

5.3 Flow-Down

IntentFlo will impose data protection obligations on Subprocessors that are at least as protective as those in this DPA, to the extent applicable to the Subprocessor's scope.

Section 6 — Assistance with Data Subject Requests

To the extent required by applicable law and reasonably requested by Customer, IntentFlo will provide reasonable assistance with responding to data subject requests (e.g., access, deletion, portability), to the extent Customer cannot fulfill such requests through the Services directly.

Section 7 — Security Incidents

IntentFlo will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Data. Notification will include, to the extent reasonably available, information about the nature of the incident and the steps taken or planned to address and mitigate it. Notification does not constitute an admission of fault or liability.

Section 8 — Deletion and Return of Customer Data

Upon termination or expiration of the Terms, IntentFlo will delete or de-identify Customer Data in accordance with the Terms and its backup retention cycles, unless retention is required by applicable law. Customer is responsible for exporting Customer Data prior to termination where the Services provide such functionality.

Section 9 — Audits and Compliance Assistance

Upon reasonable written request and subject to confidentiality obligations, IntentFlo will provide information reasonably necessary to demonstrate compliance with this DPA. Customer acknowledges that IntentFlo may satisfy audit requests by providing summaries, security documentation, certifications, or third-party audit reports where available. On-site or in-depth audits, if any, must be mutually agreed in advance and may be subject to reasonable limitations to protect other customers and operational security.

Section 10 — International Transfers

Customer acknowledges that IntentFlo and its Subprocessors may process Customer Data in the United States and other locations where IntentFlo or its Subprocessors maintain facilities. Where required by applicable law (e.g., GDPR Chapter V), the parties will cooperate in good faith to implement appropriate transfer mechanisms.

Section 11 — Miscellaneous

11.1 Limitation of Liability

The limitation of liability provisions in the Terms of Service apply to this DPA.

11.2 Order of Precedence

In case of conflict, this DPA controls with respect to data protection obligations only.

11.3 Updates

IntentFlo may update this DPA from time to time. Continued use of the Services after a material update constitutes acceptance. IntentFlo will provide reasonable notice of material changes.

Data protection inquiries: info@intentflo.com
Intentflo LLC · Virginia, United States