Data Processing Agreement

Subject matter, duration, nature, and purpose of processing

The subject matter of the processing is the provision of RetentBase, including hosted cancellation flows, APIs, account and workspace administration, issue detection, analytics, reporting, email delivery related to the service, webhook delivery, billing support, security monitoring, and customer support.

Processing continues for as long as the customer uses the relevant service features and for any limited period thereafter that is necessary for deletion workflows, security, legal retention obligations, and the establishment, exercise, or defense of legal claims.

Categories of data subjects

• Customer administrators, employees, contractors, and other authorized users.
• Business contacts and billing contacts connected to the customer relationship.
• End users, subscribers, or account holders whose cancellation or churn-related data is submitted by the customer.
• Other persons whose data the customer or its authorized users choose to include in the service.

Types of personal data

• Business identity and contact data, including names, business email addresses, company details, user roles, and account identifiers.
• Workspace and configuration data, including workspace names, return URLs, reason labels, offer settings, webhook settings, and API key metadata.
• Billing and commercial metadata, including billing contact details, invoice references, subscription status, and related business payment metadata.
• Cancellation and event data, including external user identifiers, plan names, reason keys, reason text, outcomes, offer interactions, timestamps, and customer-supplied metadata.
• Technical and security data, including IP addresses, request metadata, delivery logs, audit trails, and incident diagnostics relevant to the service.

Excluded and restricted data

Unless expressly agreed in writing, RetentBase is not intended to process special categories of personal data, criminal-offence data, children's data, payment card data, government identifiers, account passwords, financial account credentials, medical records, or other regulated high-risk data.

The customer shall configure the service, reason fields, free-text fields, metadata, integrations, and webhooks to avoid submitting excluded or unnecessary data and to keep Customer Personal Data limited to what is required for the customer's documented purposes.

Customer obligations

• The customer is responsible for the lawfulness of the processing instructions and for ensuring a valid legal basis for the processing of Customer Personal Data.
• The customer is responsible for providing any notices required by data protection law to its users, customers, or other data subjects.
• The customer shall ensure that Customer Personal Data is accurate, relevant, and limited to what is necessary for the intended use of the service.
• The customer shall not instruct processing that violates applicable law and shall not submit special categories of personal data or other highly sensitive data unless legally permitted and operationally appropriate.
• The customer remains responsible for maintaining independent records, fallback capture channels, and reconciliation procedures where loss, delay, or non-capture of Customer Personal Data in RetentBase could affect the customer's own legal, billing, support, or operational obligations.
• The customer remains responsible for records of processing, data protection impact assessments, prior consultations, transfer assessments, and other controller obligations required for its use of the service.
• The customer remains responsible for responding to data subject requests and supervisory authority inquiries, except to the extent this Agreement requires Hexonis to assist.

Processor obligations

• Hexonis shall process Customer Personal Data only on documented instructions from the customer, unless otherwise required by applicable law. Customer configuration, API calls, admin actions, and written support requests may constitute documented instructions where consistent with the Agreement and the service documentation.
• Hexonis shall ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations.
• Hexonis shall implement technical and organizational measures appropriate to the risk and to the services provided.
• Hexonis shall assist the customer, taking into account the nature of the processing and the information available, with requests relating to data subject rights, security incidents, data protection impact assessments, prior consultations, and supervisory inquiries where required by law.
• Hexonis shall inform the customer if, in its opinion, an instruction infringes applicable data protection law, unless prohibited from doing so by law.
• Hexonis may suspend or reject an instruction that is unlawful, technically unsupported, or materially threatens the security or confidentiality of the service or other customers.

Security measures

• Logical workspace isolation, server-side authorization, and role-based access controls designed to separate customer environments.
• Restricted access to production systems and secrets on a need-to-know basis.
• Transport encryption and secure service-edge delivery for supported traffic paths.
• Logging, monitoring, error detection, and incident response processes appropriate to the service.
• Controls around API credentials, webhook signing, and other service authentication mechanisms.
• Processes intended to support confidentiality, integrity, availability, and resilience appropriate to the service context.

Subprocessors

The customer grants Hexonis a general authorization to use subprocessors for the operation and support of the service. Current subprocessors are listed on the Subprocessor List page.

Hexonis shall remain responsible for the performance of its subprocessors to the extent required by applicable law and shall impose data protection obligations on them that are materially protective of Customer Personal Data.

Hexonis may replace or add subprocessors from time to time. Where legally required, Hexonis will update the public list and provide a reasonable mechanism for customer objection before the relevant change takes effect.

If the customer raises a reasonable data protection objection that cannot be resolved within a reasonable period, either party may terminate the affected services to the extent legally required.

International transfers

If Customer Personal Data is transferred to or accessed from a country outside the European Economic Area, Hexonis shall ensure that an applicable transfer mechanism under Chapter V GDPR is in place where required, such as an adequacy decision or the European Commission's Standard Contractual Clauses.

The customer authorizes transfers and remote access that are necessary for the operation, security, support, and maintenance of RetentBase through the listed subprocessors, subject to the safeguards required by this Agreement and applicable data protection law.

Hexonis may provide information reasonably necessary for the customer's transfer assessment through the public Subprocessor List, security documentation, contractual terms, or written responses, taking into account confidentiality, security, and third-party restrictions.

Data subject requests and regulatory cooperation

If Hexonis receives a request from a data subject or authority relating specifically to Customer Personal Data processed under this Agreement, Hexonis may redirect the request to the customer where appropriate.

The customer remains responsible for verifying the identity of requesters and the lawfulness of the action requested, except to the extent applicable law imposes duties directly on the processor.

If the customer requires assistance beyond the standard functionality of the service or beyond Hexonis's statutory obligations, Hexonis may charge reasonable fees for additional work, provided the request does not arise from Hexonis's own breach.

Personal data breaches

Hexonis shall notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and shall provide available information reasonably necessary for the customer to meet its own notification obligations, taking into account the nature of the processing and the information available to Hexonis.

Deletion and return of data

Upon termination of the relevant services, Hexonis shall delete or return Customer Personal Data in accordance with the customer's documented instructions and the functionality of the service, unless Hexonis is required or permitted by law to retain data.

If the customer does not request return within the applicable post-termination period supported by the service, deletion may occur by default subject to the Agreement, backup cycles, and legal retention duties.

Deletion may be subject to standard backup cycles, legal retention duties, fraud prevention, security investigation needs, and the preservation of evidence for legal claims.

Audit and information rights

Hexonis shall make available information reasonably necessary to demonstrate compliance with this Agreement. Audit requests must be reasonable, proportionate, and limited to information relevant to Customer Personal Data processed for the customer.

Unless a security incident or mandatory legal requirement justifies otherwise, audits shall take place no more than once per twelve-month period, on reasonable prior written notice, during normal business hours, and primarily through remote documentation review. On-site inspections are permitted only where strictly necessary, must not endanger the security or confidentiality of other customers, and shall be carried out at the customer's expense.

Audits do not include unrestricted access to source code, penetration testing, live production systems, or other customers' data unless separately required by mandatory law and implemented through an appropriate protective process.

Liability and precedence

To the extent legally permitted, the liability limitations and exclusions agreed in the main contract apply to this Agreement as well. Nothing in this Agreement limits liability that cannot be limited under applicable law.

If there is a conflict between this Agreement and the main service terms regarding the processing of Customer Personal Data, this Agreement prevails for that specific conflict.