Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Use between the Customer (“Customer”, “Controller”) and Notivio (“Processor”, “we”, “us”).

This DPA applies when Notivio processes personal data on behalf of the Customer in connection with the provision of the Notivio service.

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection or privacy laws, the parties agree that:

• The Customer acts as the Data Controller
• Notivio acts as the Data Processor

The Customer determines the purposes and means of processing personal data. Notivio processes personal data solely on behalf of the Customer to provide the service.

Notivio processes personal data only on documented instructions from the Customer, including instructions provided through the use and configuration of the Notivio service.

The Customer instructs Notivio to process personal data as necessary to:

• operate the Notivio platform
• process Slack integration events
• store notification configuration
• deliver SMS notifications
• maintain system logs and service reliability
• provide customer support and security monitoring

Configuration settings and notification rules defined by the Customer within the platform constitute documented processing instructions.

Notivio processes personal data only as necessary to operate the service, including:

• receiving notification events from Slack integrations
• storing configuration settings
• processing phone numbers
• delivering SMS notifications
• maintaining logs and delivery metadata
• providing technical support and system monitoring

Personal data processed through the service is not used for advertising or marketing purposes.

The service may process the following categories of personal data:

• phone numbers
• Slack workspace identifiers
• Slack channel identifiers
• user identifiers
• email addresses
• notification configuration
• delivery logs and metadata
• IP addresses and technical logs

Personal data processed through the service may relate to:

• Customer employees
• Customer contractors
• Customer team members
• individuals designated to receive system notifications

The Customer represents and warrants that:

• it has a lawful basis for processing personal data
• it has the right to provide phone numbers and other personal data to Notivio
• recipients of SMS notifications have been informed where required by law

The Customer is responsible for the content of notifications and compliance with applicable telecommunications and data protection laws.

Notivio may use trusted third-party service providers (“sub-processors”) to operate the platform, including:

• Twilio – SMS delivery
• Stripe – payment processing
• Slack – workspace integration
• cloud hosting providers

All sub-processors are contractually required to maintain appropriate security and data protection standards. Notivio remains responsible for processing performed by its sub-processors.

Notivio implements appropriate technical and organizational measures to protect personal data, including:

• encrypted communication (HTTPS / TLS)
• secure infrastructure and hosting
• access controls and authentication
• system monitoring and logging
• internal access restrictions

Where reasonably possible, Notivio will assist the Customer in responding to requests from individuals exercising their data protection rights, including requests for:

• access to personal data
• correction or deletion
• restriction of processing
• data portability

The Customer is responsible for ensuring that recipients of SMS notifications have been informed or have provided consent where required under applicable telecommunications or marketing laws.

Notivio acts solely as a technical service provider delivering notifications configured by the Customer and does not determine the recipients or content of messages.

The Customer agrees not to use the service to send unsolicited marketing, spam, harassment, or unlawful communications.

Notivio will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer data and will provide available information regarding the nature of the breach and steps taken to mitigate it.

Where personal data is transferred outside the European Economic Area or the United Kingdom, Notivio ensures appropriate safeguards are in place, including Standard Contractual Clauses or other legally recognized transfer mechanisms. Where applicable, transfers may rely on Standard Contractual Clauses or other legally recognized safeguards.

Personal data is retained only as long as necessary to provide the service and comply with legal obligations. Upon termination of the service, personal data will be deleted or anonymized within a reasonable period unless retention is required by law.

This Data Processing Agreement remains in effect for as long as Notivio processes personal data on behalf of the Customer.

For questions regarding data processing or privacy matters, contact:

privacy@notivio.app