Last Updated: May 29, 2026
Customer is the "controller" or "business" (as applicable) with respect to Personal Data included in Customer Data.
IntentFlo is a "processor" or "service provider" (as applicable) that processes Personal Data on behalf of Customer solely to provide the Services.
Provision of the Services, including integrations, audience activation workflows, identity resolution support, hosting, troubleshooting, support, and security.
The term of the Terms, plus any period required for deletion and backup retention consistent with the Terms and this DPA.
Processing as necessary to provide, secure, maintain, and improve the Services, and to comply with applicable law.
May include business contact information, CRM records, audience identifiers (including hashed identifiers), campaign inputs, and other information submitted to the Services by or on behalf of Customer.
Customer's employees, contractors, prospects, leads, customers, and other individuals whose data Customer submits to the Services.
Customer represents and warrants that it:
Customer is responsible for the accuracy, quality, and legality of Customer Data.
Process Personal Data only on documented instructions from Customer, including as set forth in the Terms, this DPA, and Customer's use and configuration of the Services.
Ensure persons authorized to process Personal Data are subject to confidentiality obligations.
Implement reasonable administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized access, loss, alteration, or disclosure, including encryption in transit (TLS) and at rest where applicable.
Not "sell" Customer Data as that term is defined under applicable privacy laws, and not retain, use, or disclose Customer Data outside of providing the Services, except as permitted by applicable law and the Terms (including security, fraud prevention, and product improvement using de-identified or aggregated data where permitted).
Customer acknowledges that IntentFlo stores certain Customer Data (including business contact identifiers such as email addresses and phone numbers) in plaintext form at rest in AWS DynamoDB in the United States (us-east-1) for operational purposes. For clarity, "plaintext" refers to the logical data format prior to the storage layer's encryption; data stored in AWS is protected by encryption at rest and in transit provided by AWS and industry-standard protocols. Where supported by an advertising platform, IntentFlo applies SHA-256 hashing to identifiers at the time of transmission to advertising platforms for audience activation.
Customer authorizes IntentFlo to use Subprocessors to process Customer Data in connection with the Services.
A current list of Subprocessors is maintained at: intentflo.com/subprocessors/
IntentFlo will impose data protection obligations on Subprocessors that are at least as protective as those in this DPA, to the extent applicable to the Subprocessor's scope.
To the extent required by applicable law and reasonably requested by Customer, IntentFlo will provide reasonable assistance with responding to data subject requests (e.g., access, deletion, portability), to the extent Customer cannot fulfill such requests through the Services directly.
IntentFlo will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Data. Notification will include, to the extent reasonably available, information about the nature of the incident and the steps taken or planned to address and mitigate it. Notification does not constitute an admission of fault or liability.
Upon termination or expiration of the Terms, IntentFlo will delete or de-identify Customer Data in accordance with the Terms and its backup retention cycles, unless retention is required by applicable law. Customer is responsible for exporting Customer Data prior to termination where the Services provide such functionality.
Upon reasonable written request and subject to confidentiality obligations, IntentFlo will provide information reasonably necessary to demonstrate compliance with this DPA. Customer acknowledges that IntentFlo may satisfy audit requests by providing summaries, security documentation, certifications, or third-party audit reports where available. On-site or in-depth audits, if any, must be mutually agreed in advance and may be subject to reasonable limitations to protect other customers and operational security.
Customer acknowledges that IntentFlo and its Subprocessors may process Customer Data in the United States and other locations where IntentFlo or its Subprocessors maintain facilities. Where required by applicable law (e.g., GDPR Chapter V), the parties will cooperate in good faith to implement appropriate transfer mechanisms.
The limitation of liability provisions in the Terms of Service apply to this DPA.
In case of conflict, this DPA controls with respect to data protection obligations only.
IntentFlo may update this DPA from time to time. Continued use of the Services after a material update constitutes acceptance. IntentFlo will provide reasonable notice of material changes.