Effective Date: November 1st, 2024
Last Updated: December 4th, 2024
GDPR Compliance Policy Document for Data Processors
1. Introduction
1.1 Purpose
This document outlines Moonflow’s commitment as a Data Processor to comply with the
General Data Protection Regulation (GDPR). It describes how we securely process the data of
individuals and legal entities on behalf of our clients in our debt-collection SaaS.
1.2 Scope
This policy applies to all employees, contractors, and subprocessors involved in processing data
on behalf of Moonflow’s customers.
2. Definitions
● Data: Any information that identifies or could identify a natural person, such as names,
contact details, payment histories, or account statuses.
● Data Subject: An individual or legal entity whose data is processed.
● Processing: Any operation performed on data, including collection, storage, use,
analysis, or deletion.
● Data Controller: The entity (our customer) that determines the purposes and means of
processing the data of individuals or legal entities.
● Data Processor: Moonflow, responsible for processing data on behalf of the Data
Controller.
3. Roles and Responsibilities
3.1 Data Protection Officer (DPO)
The DPO ensures GDPR compliance and serves as the primary contact for data controllers,
supervisory authorities, and data subjects.
3.2 Employees
All employees are required to:
● Adhere to this policy and any instructions from the data controller.
● Undergo regular GDPR and data security training.
3.3 Subprocessors
Subprocessors engaged by Moonflow must:
● Comply with GDPR and any additional security measures outlined by Moonflow.
4. GDPR Principles for Data Processors
As a Data Processor, Moonflow adheres to the following principles:
4.1 Processing Under Instruction
We process data exclusively based on electronic instructions provided by the data controller.
4.2 Confidentiality
Access to data is restricted by the Data Controller exclusively to authorized personnel who have
signed confidentiality agreements.
4.3 Data Security
We implement industry-leading security measures, including encryption and access controls, to
safeguard data.
4.4 Subprocessor Management
Subprocessors are engaged only with the prior approval of the data controller. Moonflow
ensures that all subprocessors adhere to GDPR standards.
4.5 Assistance to Data Controllers
We provide tools and support to:
● Respond to data subject requests (e.g., access, erasure, or rectification).
● Ensure compliance with data breach notification requirements.
5. Responsibilities to Data Controllers
5.1 Data Subject Rights
Moonflow assists the data controller in respecting the rights of data subjects, including:
● Access: Delivering tools to access payment or account details.
● Rectification: Updating incorrect data promptly.
● Erasure: Removing data as instructed by the data controller.
● Restriction of Processing: Applying restrictions where necessary.
● Portability: Providing data in a structured, commonly used format.
5.2 Data Breach Notifications
In the event of a data breach:
● Moonflow will notify the data controller immediately, including details of the breach and
steps taken to mitigate it.
● A detailed report will be provided within 24 hours to assist with regulatory obligations.
5.3 Record of Processing Activities
Moonflow maintains logs of processing activities, including:
● Data categories.
● Processing purposes.
● Subprocessors involved.
● Security measures applied.
5.4 Data Processing Agreements (DPAs)
All agreements with customers (data controllers) include explicit terms for GDPR compliance.
6. Data Security Measures
6.1 Technical and Organizational Measures
● Encryption: Sensitive data is encrypted in transit and at rest.
● Access Controls: Role-based access ensures only authorized personnel handle
sensitive data.
● Monitoring: Continuous monitoring and anomaly detection systems safeguard against
unauthorized access.
6.2 Regular Audits
We conduct internal and third-party security audits to identify and address vulnerabilities.
6.3 Incident Response Plan
Moonflow has a documented incident response plan to ensure rapid containment and resolution
of data breaches.
7. Subprocessor Management
7.1 Approval and Transparency
Moonflow engages only those subprocessors that comply with GDPR. A complete list of
subprocessors can be found in our Privacy Policy.
7.2 Contracts and Compliance
Subprocessors are bound by DPAs and are subject to regular compliance checks to ensure
adherence to GDPR.
8. Legal Basis for Processing
Moonflow processes data only as instructed by the data controller and based on one or more of
the following legal bases:
● Consent from the data subject.
● Performance of a contract.
● Legitimate interests pursued by the data controller.
9. Monitoring and Compliance
9.1 Internal Audits
We conduct regular audits to ensure:
● Processing aligns with GDPR.
● Security measures are effective and up-to-date.
9.2 Client Reporting
Clients receive regular reports on processing activities and security measures.
10. Amendments
This document is reviewed annually and updated to reflect changes in GDPR, business
practices, or client needs.
11. Contact Information
For questions or concerns regarding this policy, please contact:
Data Protection Officer (DPO)
Moonflow
Email: jr@moonflow.com