1. Roles
You are the data controller for personal data of your customers and affiliates. Rekomi, operated by Uplup Inc., is the data processor. Each party complies with applicable data protection law.
2. Scope of processing
Rekomi processes personal data only on documented instructions from you, except as required by law. Personal data covered: affiliate names, emails, addresses, tax forms, payout history; customer email or hashed identifier when used for attribution; and historical affiliate, conversion, commission, and customer-attribution records (including customer emails and Stripe customer/subscription identifiers) that you import from a previous affiliate platform.
3. Sub-processors
Rekomi uses sub-processors listed at /legal/subprocessors. We notify you of changes at least 30 days in advance. You may object to a new sub-processor; if we cannot reasonably accommodate the objection, you may terminate the affected service.
4. Security measures
Rekomi applies multi-tenant row-level security, encryption at rest (AES-256) and in transit (TLS 1.3), signed webhooks, and audit logging. The detailed security model is at /security.
5. International transfers
Personal data may be processed in the United States by sub-processors. Where required by EU or UK law, we rely on the Standard Contractual Clauses (SCCs) for EU data and the UK International Data Transfer Addendum for UK data, with sub-processors handling EU or UK personal data.
6. Personal data breach notification
Rekomi notifies you of a confirmed personal data breach within 72 hours of discovery, including the nature of the breach, affected categories, likely consequences, and remediation taken.
7. Data subject requests
Rekomi assists you in responding to data subject access, rectification, erasure, and portability requests. Most requests can be fulfilled directly by you via the admin app; for the rest, contact support@rekomi.com.
8. Audit rights
On-site audit is available for Enterprise customers with reasonable advance notice. Independent third-party audit reports will be made available under NDA when those engagements complete.
9. Data return and deletion
On termination, Rekomi makes personal data available for export for 30 days, then deletes it. Backups containing personal data are retained on our standard schedule and overwritten on rotation.
10. Conflict
Where this DPA conflicts with the Terms of Service, this DPA prevails for matters of personal data processing.
We keep this addendum current as the product evolves. Enterprise variants and custom amendments are available on request at support@rekomi.com.