Referral Fuel Data Processing Addendum

1. Definitions and interpretation

Unless otherwise defined in this DPA, capitalised terms have the meaning given in the Terms.

• Data Protection Laws: UK GDPR, the Data Protection Act 2018, PECR, and any applicable guidance or codes of practice issued by the ICO.
• Controller, Processor, Personal Data, Processing, Data Subject: have the meanings given in the UK GDPR.
• Customer Personal Data: Personal Data processed by Referral Fuel on behalf of the Customer in connection with the Services.

2. Roles of the parties

2.1 Customer as Controller

The Customer is the Controller of Customer Personal Data.

2.2 Referral Fuel as Processor

Referral Fuel acts solely as a Processor when processing Customer Personal Data on the Customer's documented instructions.

2.3 Independent Controller activities

This DPA does not apply to personal data processed by Referral Fuel as a Controller, which is governed by the Privacy Policy.

3. Scope of processing

3.1 Subject matter

Provision of referral tracking, email sending infrastructure, landing pages, analytics, and related platform functionality.

3.2 Duration

For the duration of the Customer's use of the Services, plus any post-termination period required for deletion, backup retention, or legal compliance.

3.3 Nature and purpose of processing

• Storing and managing contact lists
• Sending emails on Customer's behalf
• Referral attribution and reward tracking
• Deliverability, abuse prevention, and system security

3.4 Categories of Data Subjects

• Subscribers
• Referrers
• Referred Visitors
• Customer employees or contractors (Authorised Users)

3.5 Types of Personal Data

• Email addresses
• Names (where provided)
• Referral identifiers
• IP address and technical metadata
• Campaign interaction data

Special category data and criminal offence data are expressly prohibited.

4. Customer obligations

The Customer warrants that:

• it has a lawful basis for processing Customer Personal Data;
• it has provided all required privacy notices to Data Subjects;
• it will not provide special category data or criminal offence data;
• its instructions comply with Data Protection Laws.

The Customer is solely responsible for:

• consent collection and records;
• responding to Data Subject rights requests;
• compliance with PECR and marketing laws.

5. Referral Fuel obligations

Referral Fuel shall:

5.1 Process on documented instructions

process Customer Personal Data only on documented instructions from the Customer;

5.2 Confidentiality

ensure persons authorised to process data are bound by confidentiality obligations;

5.3 Security measures

implement appropriate technical and organisational measures to protect Customer Personal Data;

5.4 Assistance

assist the Customer, taking into account the nature of processing, with:

• Data Subject rights requests;
• DPIAs and consultations (where legally required);

5.5 Breach notification

notify the Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data;

5.6 Deletion and return

delete or return Customer Personal Data on termination in accordance with Section 10.

6. Security measures

Referral Fuel implements technical and organisational measures appropriate to the risk, including:

• access controls and authentication;
• encryption in transit;
• logical separation of customer data;
• monitoring and logging;
• incident response procedures.

No system is guaranteed to be secure.

7. Subprocessing

7.1 General authorisation

The Customer provides general authorisation for Referral Fuel to engage subprocessors.

7.2 Current subprocessors

As at the date of this DPA, subprocessors include:

• Amazon Web Services (AWS) – hosting and infrastructure
• Stripe – payment processing (limited metadata)
• Mailgun – email delivery infrastructure

7.3 Changes to subprocessors

Referral Fuel may add or replace subprocessors from time to time. Continued use of the Services constitutes acceptance of such changes.

7.4 Liability for subprocessors

Referral Fuel remains fully liable for subprocessors' compliance with this DPA.

8. International transfers

Where Customer Personal Data is transferred outside the UK:

• appropriate safeguards will be used, including the UK IDTA or UK Addendum to SCCs;
• transfers will comply with Chapter V UK GDPR.

9. Audits

The Customer may audit Referral Fuel's compliance only:

• where required by law; or
• following a confirmed Personal Data Breach attributable to Referral Fuel.

Audits must be reasonable, proportionate, and not disrupt operations. Referral Fuel may satisfy audit requests via written responses, certifications, or third-party reports.

10. Deletion and return of data

Upon termination:

• Referral Fuel will delete or anonymise Customer Personal Data within a reasonable period;
• backups may be retained temporarily for security and continuity;
• deletion is subject to legal retention requirements.

11. Liability and indemnity

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms.

The Customer indemnifies Referral Fuel against claims arising from:

• unlawful instructions;
• failure to obtain valid consent;
• breach of marketing or data protection laws.

12. Governing law

This DPA is governed by the laws of England and Wales. Courts of England and Wales have exclusive jurisdiction.

Schedule 1 – Article 28(3) required information

This DPA, together with Sections 3 and 6, satisfies Article 28(3) UK GDPR requirements regarding subject matter, duration, nature, purpose, data types, and security measures.