Legal
Data Processing Agreement
ReimburseFlow processes customer data on your behalf. This DPA describes that relationship.
1. Roles
The customer organization is the data controller. ReimburseFlow (Liveupx) is the data processor, acting only on documented instructions from the controller.
2. Scope of processing
Personal data of the controller's users and reimbursement subjects, processed to deliver the platform's contracted functionality.
3. Security measures
- Tenant isolation enforced at data, service, and route layers.
- Encryption in transit (TLS 1.2+) and at rest.
- Append-only audit log of privileged actions.
- Access on least-privilege, with 2FA for privileged roles.
- Private object storage with signed, expiring URLs.
- Vendor risk reviews of all subprocessors.
4. Subprocessors
The current list is at /subprocessors. We notify customers of material changes with at least 30 days' notice and offer a reasonable objection mechanism.
5. International transfers
We rely on Standard Contractual Clauses for transfers out of the EU. Enterprise customers can pin storage region.
6. Data subject requests
The controller fulfills data subject requests using self-serve tools. We provide reasonable assistance for complex cases.
7. Breach notification
We notify the controller without undue delay and within 72 hours of becoming aware of a personal data breach affecting controller data.
8. Audit
The controller may, no more than once per year, request reasonable evidence of our security measures, subject to confidentiality.
9. Return and deletion
On termination, controller data is returned or deleted within 90 days, except where statutory retention applies.
10. Acceptance
For Enterprise contracts, a signed countersigned DPA is available on request to legal@reimburseflow.com.