Data Processing Agreement
- Version: 1.0
- Effective: January 1, 2026
- Last updated: May 1, 2026
This Data Processing Agreement supplements our Privacy Policy for customers whose use of rifref involves the processing of personal data subject to GDPR, UK GDPR, or analogous laws.
Roles
You are the controller of personal data you provide to rifref. rifref is a processor of that data on your behalf. rifref may also act as a controller for data we collect about your account directly (billing, support).
Subject matter and duration
rifref processes your personal data for the duration of the agreement and the retention periods described in the Privacy Policy.
Nature and purpose of processing
Processing is limited to what is necessary to provide the service: generating links, recording attribution events, processing payouts, and operating the system.
Categories of data subjects
End users of your agents (where applicable), your operators, and the principals named on your account.
Sub processors
We engage the following sub processors:
| Sub processor | Purpose | Location |
|---|---|---|
| Vercel | Hosting for the marketing site and dashboard | United States |
| Railway | Hosting for the API and background workers | United States |
| Neon | Managed Postgres | United States |
| Upstash | Managed Redis | United States, Global edge |
| Resend | Transactional email | United States |
We will give 30 days' notice before adding a new sub processor.
Security
We maintain administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including encryption in transit, encryption at rest, role-based access controls, and audit logging.
International transfers
Transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States are made under Standard Contractual Clauses or another lawful transfer mechanism.
Data subject requests
We will assist you in responding to data subject requests directed at data we process on your behalf.