Data Processing Addendum
Effective May 7, 2026
This Data Processing Addendum (“DPA”) supplements the Terms of Service (the “Agreement”) between you (the “Customer” or “Operator”, acting as “Controller” or “Business”) and RowRouter (acting as “Processor” or “Service Provider”) and governs the Processing of Personal Data carried out by RowRouter on the Operator’s behalf in connection with the Service. By using the Service to Process Personal Data of natural persons, the Operator and RowRouter are deemed to have entered into this DPA. A counter-signed counterpart is available on request from support@rowrouter.com.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement, the GDPR (Regulation (EU) 2016/679), the UK GDPR, or the CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), as applicable. “Sub-processor” means any third-party Processor engaged by RowRouter to Process Personal Data on behalf of the Operator.
2. Roles and Scope
The Operator is the Controller / Business of the Personal Data Processed through the Service. RowRouter is a Processor / Service Provider acting on the Operator’s documented instructions. The categories of data subjects, types of Personal Data, processing operations, and purposes are set out in the Privacy Policy and Annex 1 below.
3. Operator Instructions
RowRouter Processes Personal Data only on the Operator’s documented instructions, including with regard to international transfers, unless required to do otherwise by Union, Member State, or other applicable law to which RowRouter is subject. The Agreement, this DPA, the Privacy Policy, and the Operator’s configuration of the Service collectively constitute the Operator’s complete and final instructions. RowRouter will inform the Operator if, in its opinion, an instruction infringes applicable data protection law.
4. Confidentiality
RowRouter ensures that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and have received appropriate training.
5. Security Measures
RowRouter implements the technical and organizational measures described in the Privacy Policy (Section 7) and Annex 2 below, including AES-256-GCM encryption of stored access tokens with versioned keys, SHA-256 hashing of recipient and magic-link tokens, HTTPS-in-transit, signed HTTP-only session cookies, row-level access controls, and isolated production environments. RowRouter regularly reviews and, where appropriate, updates these measures.
6. Sub-Processors
The Operator authorizes RowRouter to engage the Sub-processors listed in the Privacy Policy (Section 5) and to add or replace Sub-processors. RowRouter will give at least 30 days’ advance notice of any new Sub-processor by posting an updated list and emailing the address on file. The Operator may object on reasonable data-protection grounds; if the parties cannot resolve the objection within a further 30 days the Operator may terminate the Agreement for the affected Service.
RowRouter will impose data protection terms on each Sub-processor that are no less protective than those in this DPA and remains liable for each Sub-processor’s performance.
7. Data Subject Rights
Taking into account the nature of the Processing, RowRouter assists the Operator with appropriate technical and organizational measures, insofar as possible, in fulfilling requests by data subjects to exercise their rights under applicable law. Where a data subject contacts RowRouter directly regarding Personal Data the Operator controls, RowRouter will promptly forward the request to the Operator and refrain from responding directly except to confirm receipt.
8. Personal Data Breaches
RowRouter notifies the Operator without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Personal Data Processed on the Operator’s behalf, providing the information needed for the Operator to comply with its own breach notification obligations.
9. International Transfers
For transfers of Personal Data from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, RowRouter relies on the EU Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Sub-processor, as applicable), the UK International Data Transfer Addendum, and the Swiss FDPIC adequacy notice, each of which is incorporated by reference into this DPA. RowRouter will, on request, provide information about the transfer mechanisms applicable to a particular Sub-processor.
10. Audit
RowRouter makes available to the Operator, on reasonable written request and subject to confidentiality, information necessary to demonstrate compliance with Article 28 GDPR — including the Security & Trust statement at /security, this DPA, the current subprocessor list, and (when available) summary results of independent assessments such as penetration tests.
Where the Operator reasonably requires an audit beyond the documentation RowRouter provides, the parties will agree in good faith on scope, timing, and cost, subject to the following limitations: (a) audits may be conducted no more than once per twelve (12) months absent a Personal Data breach affecting the requesting Operator or a documented regulatory requirement; (b) the Operator will give at least thirty (30) days’ advance notice; (c) audits will be conducted during normal business hours and in a manner that does not unreasonably interfere with RowRouter’s operations; (d) the Operator and any third-party auditor will sign a confidentiality agreement on RowRouter’s standard terms before receiving non-public information; and (e) the Operator bears its own audit costs and reimburses RowRouter’s reasonable expenses incurred in cooperation with the audit. Nothing in this Section limits the rights of supervisory authorities under applicable law.
11. Return and Deletion
On termination of the Agreement, RowRouter deletes Personal Data Processed on the Operator’s behalf in accordance with the retention schedule in the Privacy Policy (Section 8) and the Termination clause in the Terms (Section 12), subject to any retention required by applicable law. Operational backups age out per RowRouter’s retention schedule.
12. Liability and Order of Precedence
Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement. In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls.
13. CCPA / CPRA — Service Provider Certification
To the extent RowRouter Processes Personal Information (as defined in Cal. Civ. Code §1798.140(v)) of California consumers on the Operator’s behalf, RowRouter is a Service Provider as defined in Cal. Civ. Code §1798.140(ag). RowRouter certifies that it understands and will comply with the restrictions in Cal. Civ. Code §1798.140(ag)(1), and specifically that it shall not:
- sell or share Personal Information (within the meaning of the CCPA);
- retain, use, or disclose Personal Information for any purpose other than the specific purpose of performing the Service specified in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than performing the Service or as otherwise permitted by the CCPA and its implementing regulations;
- retain, use, or disclose Personal Information outside the direct business relationship between RowRouter and the Operator; or
- combine the Personal Information that RowRouter Processes on behalf of the Operator with Personal Information that RowRouter receives from another source, except as expressly permitted by the CCPA.
RowRouter will notify the Operator if it determines that it can no longer meet its obligations under the CCPA. The Operator may, on notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by RowRouter. RowRouter assists the Operator in responding to consumer rights requests under the CCPA in the manner described in Section 7.
14. Notices
Notices to RowRouter under this DPA may be sent to support@rowrouter.com or by post to:
RowRouterPrague, Czech Republic
Annex 1 — Description of Processing
- Subject matter and duration: as set out in the Agreement; for the duration of the Operator’s active use of the Service plus the post-termination retention window.
- Nature and purpose of Processing: generating row-scoped edit links to records in connected data sources; delivering those links to Recipients; recording opens and submissions for audit; writing approved submissions back to the connected data source; transactional email and billing.
- Categories of data subjects: Operators (and their team members), Recipients designated by Operators.
- Categories of Personal Data: identifiers (email, name), authentication artifacts (token hashes, IPs, session metadata), Customer Data (record content the Operator chooses to expose), submission content, billing metadata, audit event metadata. No special categories are intentionally Processed; the Operator must not configure the Service to Process special categories without first consulting RowRouter.
Annex 2 — Technical and Organizational Measures
A summary of the measures applied is published at /security and in the Privacy Policy (Section 7). Highlights:
- AES-256-GCM at-rest encryption with versioned keys for stored access tokens, with per-record additional authenticated data (AAD);
- SHA-256 hashing of recipient link tokens and magic-link tokens;
- HTTPS-only transit (TLS 1.2+); signed HTTP-only same-site session cookies;
- Row-level access controls scoped per Operator at the application layer;
- Least-privilege administrative access; production environment isolated from development;
- Logging and monitoring with retention sufficient to investigate incidents; token-redaction middleware to prevent recipient link leakage to observability tools.
Annex 3 — Sub-processors
Current Sub-processors authorized to Process Personal Data on the Operator’s behalf as of the Effective Date. RowRouter maintains the canonical list at /security and notifies Operators of additions or replacements at least thirty (30) days in advance per Section 6.
| Sub-processor | Function | Region | Transfer mechanism |
|---|---|---|---|
| Fly.io, Inc. | Application hosting, Postgres database, operational logs | United States (Ashburn, VA) | EU SCCs / UK IDTA |
| Resend, Inc. | Transactional email delivery | United States | EU SCCs / UK IDTA |
| Stripe, Inc. (and EU/UK affiliates) | Subscription billing and payment processing | United States; EEA payments routed via Stripe Payments Europe Ltd. (Ireland) | EU SCCs (intra-Stripe) / UK IDTA. Stripe is the controller of payment-card data it collects directly. |
The connected data source the Operator chooses to integrate (Airtable, Inc.; Notion Labs, Inc.; monday.com Ltd.; HubSpot, Inc.; Smartsheet Inc.; Shopify Inc.; or Intuit Inc. for QuickBooks Online) is not a Sub-processor of RowRouter, and the Operator’s relationship with each provider is governed independently.