trickle.

Legal

Data Processing Agreement

Last updated: May 11, 2026

1. Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", the data controller) and Trickle ("we", the data processor) and applies whenever we process personal data on your behalf in connection with the Trickle service.

2. Subject matter and duration

Subject matter: processing of HubSpot object identifiers and related metadata to provide workflow pacing. Duration: for the duration of your subscription plus the retention periods described in our Privacy Policy.

3. Nature and purpose of processing

We receive HubSpot record IDs from the Trickle workflow action, hold them in a queue, and re-enroll them at the throttled rate you configure. We do not enrich, profile, or analyze the underlying personal data.

4. Categories of data and data subjects

Data subjects: the individuals, companies, deals, and tickets in your HubSpot portal that pass through a Trickle-enabled workflow. Categories of data: HubSpot object IDs, workflow IDs, timestamps, and queue status.

5. Sub-processors

You authorize us to engage the following sub-processors: HubSpot (platform integration), Supabase and AWS (hosting and database), Cloudflare (edge delivery and DDoS protection), Stripe (billing), and Resend (transactional email). We will give 30 days' notice of any change to this list and you may object on reasonable grounds.

6. Security measures

We maintain technical and organizational measures including: TLS 1.2+ in transit, AES-256 at rest, encrypted OAuth token storage, role-based access control, SSO and hardware MFA for staff, audit logging, and continuous vulnerability scanning. A current security overview is available on request.

7. International transfers

Where personal data is transferred outside the EEA or UK, we rely on the Standard Contractual Clauses (Module 2: Controller to Processor) and the UK Addendum, incorporated by reference into this DPA.

8. Data subject requests

We will, taking into account the nature of processing, assist you in responding to data subject requests. Most requests can be fulfilled by you directly through HubSpot since we do not store record properties.

9. Personal data breach

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your data, and provide the information reasonably necessary for you to meet your own notification obligations.

10. Audits

On reasonable notice, and no more than once per twelve months, you may request a written summary of our most recent independent security assessment. On-site audits are available to Enterprise customers under NDA.

11. Deletion or return of data

On termination of your subscription, we will delete all personal data processed on your behalf within 30 days, except where retention is required by law.

12. How to execute

This DPA is automatically incorporated into your subscription. If your organization requires a counter-signed copy, email legal@trickleflow.app and we will return one within five business days.