Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Evans Consulting, trading as Riffboard ("Processor", "we", "us"), and you, the customer ("Controller", "you").

This DPA applies whenever you use features of the Service that involve Riffboard storing or processing personal data about third parties on your behalf (for example, fan data in the Superfans feature). It does not apply to your own account data, which is governed by our Privacy Policy.

1. Definitions

  • "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in the GDPR (Regulation (EU) 2016/679).
  • "Processor Data" means personal data that you, as Controller, submit to the Service for processing on your behalf.

2. Roles and Scope

You are the Controller of the Processor Data. We process it solely on your documented instructions to provide the Service. We do not process Processor Data for our own purposes.

The categories of data subjects, types of personal data, and purposes of processing are determined by your use of the Service features (see Section 2A of our Privacy Policy).

3. Controller Obligations

You are responsible for:

  • Ensuring you have a lawful basis (such as consent or legitimate interest) to collect and process the personal data you submit to the Service.
  • Providing any required notices to data subjects about how their data is processed.
  • Responding to data subject requests (access, rectification, erasure, portability) using the tools we provide (fan detail view, data export, and deletion features).
  • Ensuring the accuracy and relevance of the personal data you submit.

4. Processor Obligations

We will:

  • Process Processor Data only on your documented instructions (including as described in the Terms of Service and this DPA), unless required to do otherwise by applicable law.
  • Ensure that persons authorised to process the Processor Data have committed themselves to confidentiality.
  • Implement appropriate technical and organisational security measures (see Section 6).
  • Assist you in fulfilling your obligations to respond to data subject requests, using the tools provided in the Service.
  • At your choice, delete or return all Processor Data upon termination of the Service, subject to applicable legal retention requirements.
  • Make available to you all information necessary to demonstrate compliance with this DPA.

5. Sub-processors

We use the following sub-processors to provide the Service. By accepting these Terms, you authorise our use of these sub-processors:

Sub-processor | Purpose | Data Location
Supabase | PostgreSQL database and file storage | EU (AWS eu-west-1, Ireland)
Vercel | Application hosting and serverless functions | US (iad1)
Resend | Transactional email delivery | US
MailerLite | Email marketing integration (fan data sync, only when configured) | EU (Lithuania) / US

We will notify you before adding or replacing a sub-processor by updating this page. If you object to a new sub-processor, you may terminate your use of the affected feature.

6. Security Measures

We implement appropriate technical and organisational measures to protect Processor Data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Row Level Security (RLS) at the database level to isolate workspace data
  • Role-based access control within each workspace (Owner, Manager, Member, Viewer)
  • Regular security reviews and dependency updates
  • Secrets stored in encrypted environment variables, never in source code

7. Personal Data Breach Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Processor Data. Our notification will include the nature of the breach, likely consequences, and measures taken or proposed to address it.

8. Data Retention and Deletion

Processor Data is retained for as long as your account is active and you choose to keep it. You may delete individual records at any time using the deletion features in the Service. When you delete a fan record, all associated engagement history, stage transitions, and notes are permanently removed.

Upon termination of your account, we will delete all Processor Data within 30 days, unless retention is required by applicable law.

9. Assistance with Data Subject Rights

We provide tools within the Service to help you respond to data subject requests:

  • Access and portability — Export individual fan data as JSON, or export all fan data as CSV from Settings
  • Rectification — Edit any fan record directly in the Service
  • Erasure — Delete individual fan records with full cascade deletion
  • Restriction — Use the "Do Not Contact" flag to restrict processing of specific records

10. Governing Law

This DPA is governed by the laws of the Netherlands and the GDPR. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.

Contact

For questions about this DPA, please contact us at privacy@riffboard.com.