Legal
Data Processing Agreement
Last updated: May 11, 2026
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", the data controller) and Trickle ("we", the data processor) and applies whenever we process personal data on your behalf in connection with the Trickle service.
2. Subject matter and duration
Subject matter: processing of HubSpot object identifiers and related metadata to provide workflow pacing. Duration: for the duration of your subscription plus the retention periods described in our Privacy Policy.
3. Nature and purpose of processing
We receive HubSpot record IDs from the Trickle workflow action, hold them in a queue, and re-enroll them at the throttled rate you configure. We do not enrich, profile, or analyze the underlying personal data.
4. Categories of data and data subjects
Data subjects: the individuals, companies, deals, and tickets in your HubSpot portal that pass through a Trickle-enabled workflow. Categories of data: HubSpot object IDs, workflow IDs, timestamps, and queue status.
5. Sub-processors
You authorize us to engage the following sub-processors: HubSpot (platform integration), Supabase and AWS (hosting and database), Cloudflare (edge delivery and DDoS protection), Stripe (billing), and Resend (transactional email). We will give 30 days' notice of any change to this list and you may object on reasonable grounds.
6. Security measures
We maintain technical and organizational measures including: TLS 1.2+ in transit, AES-256 at rest, encrypted OAuth token storage, role-based access control, SSO and hardware MFA for staff, audit logging, and continuous vulnerability scanning. A current security overview is available on request.
7. International transfers
Where personal data is transferred outside the EEA or UK, we rely on the Standard Contractual Clauses (Module 2: Controller to Processor) and the UK Addendum, incorporated by reference into this DPA.
8. Data subject requests
We will, taking into account the nature of processing, assist you in responding to data subject requests. Most requests can be fulfilled by you directly through HubSpot since we do not store record properties.
9. Personal data breach
We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your data, and provide the information reasonably necessary for you to meet your own notification obligations.
10. Audits
On reasonable notice, and no more than once per twelve months, you may request a written summary of our most recent independent security assessment. On-site audits are available to Enterprise customers under NDA.
11. Deletion or return of data
On termination of your subscription, we will delete all personal data processed on your behalf within 30 days, except where retention is required by law.
12. How to execute
This DPA is automatically incorporated into your subscription. If your organization requires a counter-signed copy, email legal@trickleflow.app and we will return one within five business days.