Payments are in test mode. Use card 4242 4242 4242 4242 for demo checkouts.

Legal

Data Processing Agreement

ReimburseFlow processes customer data on your behalf. This DPA describes that relationship.

1. Roles

The customer organization is the data controller. ReimburseFlow (Liveupx) is the data processor, acting only on documented instructions from the controller.

2. Scope of processing

Personal data of the controller's users and reimbursement subjects, processed to deliver the platform's contracted functionality.

3. Security measures

  • Tenant isolation enforced at data, service, and route layers.
  • Encryption in transit (TLS 1.2+) and at rest.
  • Append-only audit log of privileged actions.
  • Access on least-privilege, with 2FA for privileged roles.
  • Private object storage with signed, expiring URLs.
  • Vendor risk reviews of all subprocessors.

4. Subprocessors

The current list is at /subprocessors. We notify customers of material changes with at least 30 days' notice and offer a reasonable objection mechanism.

5. International transfers

We rely on Standard Contractual Clauses for transfers out of the EU. Enterprise customers can pin storage region.

6. Data subject requests

The controller fulfills data subject requests using self-serve tools. We provide reasonable assistance for complex cases.

7. Breach notification

We notify the controller without undue delay and within 72 hours of becoming aware of a personal data breach affecting controller data.

8. Audit

The controller may, no more than once per year, request reasonable evidence of our security measures, subject to confidentiality.

9. Return and deletion

On termination, controller data is returned or deleted within 90 days, except where statutory retention applies.

10. Acceptance

For Enterprise contracts, a signed countersigned DPA is available on request to legal@reimburseflow.com.