
Effective Date: November 1st, 2024
Last Updated: February 19th, 2026



 GDPR Compliance Policy Document for Data Processors


1. Introduction


1.1 Purpose

This document outlines Moonflow’s commitment as a Data Processor to comply with the General Data Protection Regulation (GDPR). It describes how we securely process the data of individuals and legal entities on behalf of our clients in our debt-collection SaaS.


1.2 Scope

 This policy applies to all employees, contractors, and subprocessors involved in processing data on behalf of Moonflow’s customers.


2. Definitions

 ● Data: Any information that identifies or could identify a natural person, such as names, contact details, payment histories, or account statuses.
 ● Data Subject: An individual or legal entity whose data is processed.
 ● Processing: Any operation performed on data, including collection, storage, use, analysis, or deletion.
 ● Data Controller: The entity (our customer) that determines the purposes and means of processing the data of individuals or legal entities.
 ● Data Processor: Moonflow, responsible for processing data on behalf of the Data Controller.


3. Roles and Responsibilities


3.1 Data Protection Officer (DPO)

 The DPO ensures GDPR compliance and serves as the primary contact for data controllers, supervisory authorities, and data subjects.


3.2 Employees

 All employees are required to:

● Adhere to this policy and any instructions from the data controller.
● Undergo regular GDPR and data security training.


3.3 Subprocessors

Subprocessors engaged by Moonflow must:

● Comply with GDPR and any additional security measures outlined by Moonflow.


4. GDPR Principles for Data Processors

 As a Data Processor, Moonflow adheres to the following principles:


 4.1 Processing Under Instruction

 We process data exclusively based on electronic instructions provided by the data controller.


4.2 Confidentiality

 Access to data is restricted by the Data Controller exclusively to authorized personnel who have signed confidentiality agreements.


4.3 Data Security

 We implement industry-leading security measures, including encryption and access controls, to safeguard data.


4.4 Subprocessor Management

 Subprocessors are engaged only with the prior approval of the data controller. Moonflow ensures that all subprocessors adhere to GDPR standards.


4.5 Assistance to Data Controllers

We provide tools and support to:

 ● Respond to data subject requests (e.g., access, erasure, or rectification).
 ● Ensure compliance with data breach notification requirements.



5. Responsibilities to Data Controllers


5.1 Data Subject Rights


Moonflow assists the data controller in respecting the rights of data subjects, including:
 ● Access: Delivering tools to access payment or account details.
 ● Rectification: Updating incorrect data promptly.
 ● Erasure: Removing data as instructed by the data controller.
 ● Restriction of Processing: Applying restrictions where necessary.
 ● Portability: Providing data in a structured, commonly used format.


5.2 Data Breach Notifications

In the event of a data breach:
 ● Moonflow will notify the data controller immediately, including details of the breach and steps taken to mitigate it.
 ● A detailed report will be provided within 24 hours to assist with regulatory obligations.


5.3 Record of Processing Activities


 Moonflow maintains logs of processing activities, including:
 ● Data categories.
 ● Processing purposes.
 ● Subprocessors involved.
 ● Security measures applied.


5.4 Data Processing Agreements (DPAs)

All agreements with customers (data controllers) include explicit terms for GDPR compliance.



6. Data Security Measures


6.1 Technical and Organizational Measures


Encryption: Sensitive data is encrypted in transit and at rest.
Access Controls: Role-based access ensures only authorized personnel handle sensitive data.
Monitoring: Continuous monitoring and anomaly detection systems safeguard against unauthorized access.


6.2 Regular Audits

We conduct internal and third-party security audits to identify and address vulnerabilities.

 

6.3 Incident Response Plan

Moonflow has a documented incident response plan to ensure rapid containment and resolution of data breaches.



7. Subprocessor Management


7.1 Approval and Transparency

Moonflow engages only those subprocessors that comply with GDPR. A complete list of subprocessors can be found in our Privacy Policy.

7.2 Contracts and Compliance

Subprocessors are bound by DPAs and are subject to regular compliance checks to ensure adherence to GDPR.


 8. Legal Basis for Processing

Moonflow processes data only as instructed by the data controller and based on one or more of the following legal bases:
● Consent from the data subject.
● Performance of a contract.
● Legitimate interests pursued by the data controller.


9. Monitoring and Compliance


9.1 Internal Audits

We conduct regular audits to ensure:

 ● Processing aligns with GDPR.
 ● Security measures are effective and up-to-date.


9.2 Client Reporting

Clients receive regular reports on processing activities and security measures.

10. Monitoring and Compliance

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email. We (or service providers on our behalf) may then send communications and marketing to these emails. You may opt out of receiving this advertising by visiting https://app.retention.com/optout. You also have the option to opt out of the collection of your personal data in compliance with GDPR. To exercise this option, please visit https://www.rb2b.com/rb2b-gdpr-opt-out.

 

11. Amendments

This document is reviewed annually and updated to reflect changes in GDPR, business practices, or client needs.


12. Contact Information

For questions or concerns regarding this policy, please contact:

Data Protection Officer (DPO)
Moonflow
Email: jr@moonflow.com