Data Processing Agreement.

Version 2026-05-17 · Effective 17 May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Axiomis OÜ trading as Winback, a company registered in Estonia under commercial registry number 17493372, with registered office at Sepapaja tn 6, 15551 Tallinn, Estonia (“Processor”), and the Winback customer (“Controller”). It reflects the parties’ agreement on the processing of personal data of the Controller’s subscribers (“Data Subjects”) — covering both failed-payment subscribers and deliberately-cancelled subscribers — in accordance with Article 28 of Regulation (EU) 2016/679 (the EU General Data Protection Regulation, “GDPR”).

1. Subject matter & duration

The subject matter is the provision of the Winback Service. Duration matches the duration of the main agreement.

2. Nature & purpose of processing

  • Sending decline-code-aware payment-recovery emails to subscribers whose card payments have failed, with a one-tap link to update the payment method.
  • Classifying cancellation reasons and clustering recurring themes across recent cancellations.
  • Generating and sending personalised cancellation-winback emails on behalf of the Controller.
  • Matching shipped product improvements (provided by the Controller) against past cancellation reasons and sending one targeted re-engagement email to matched subscribers.
  • Recording inbound replies and one-click opt-outs, and reporting recoveries on the Controller’s dashboard.

3. Categories of data subjects and personal data

  • Data subjects: the Controller’s paying subscribers whose subscriptions have either failed a payment or been voluntarily cancelled.
  • Categories: email address, first name (optional), Stripe customer ID, subscription metadata (plan, MRR, tenure, status); for failed payments, the Stripe decline code and retry-attempt timestamps; for deliberate cancellations, the cancellation reason code and any free-text comment; and reply content if the subscriber responds to one of our emails.
  • No special category data is intentionally processed.

4. Processor obligations

  • Process personal data only on documented instructions from the Controller, including as set out in the Service configuration.
  • Ensure that personnel with access are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (see §8).
  • Assist the Controller in responding to data subject requests (access, erasure, portability) within reasonable timeframes.
  • Notify the Controller without undue delay (within 72 hours) of becoming aware of a personal data breach.
  • At the Controller’s choice, delete or return all personal data at the end of the agreement, subject to legal retention obligations.
  • Make available all information necessary to demonstrate compliance and allow for audits (with 30 days’ notice, no more than once per year, under NDA).

5. Subprocessors

The Controller provides general authorisation for the Processor to engage subprocessors listed at /subprocessors. The Processor will notify the Controller of additions or replacements at least 30 days before they take effect; the Controller may object on reasonable grounds. The Processor remains liable for its subprocessors’ acts.

6. International transfers

The Processor is established in the European Economic Area (Estonia). Where the Processor or one of its subprocessors transfers personal data outside the EEA, the parties rely on the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914), incorporated into this DPA by reference. Module Two (Controller-to-Processor) applies between Controller and Processor; Module Three (Processor-to-Processor) applies where a subprocessor acts as a further processor on behalf of the Processor. The Processor implements supplementary technical measures including TLS 1.2+ in transit, AES-128-GCM at rest for sensitive secrets, and role-based access controls (see §8).

7. Data subject rights

The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures (including the unsubscribe mechanism, subscriber data export, and DSR tooling) to respond to requests under Chapter III of the GDPR. The Processor responds to forwarded data subject requests within the timeframes set out in Article 12 GDPR.

8. Security measures

  • Encryption in transit (TLS 1.2+) and at rest.
  • AES-128-GCM encryption of sensitive secrets (e.g. Stripe OAuth tokens).
  • Role-based access control; production access restricted to founders.
  • Hosted on audited providers (Vercel, Neon) with their own SOC 2 attestations.
  • Secure software development: code review, automated tests, dependency scanning.
  • Database backups managed by our managed-Postgres provider (Neon) per their standard backup-retention policy for our tier; older backups are rotated out automatically.

9. Liability

Liability under this DPA is subject to the limitation of liability in the main Terms. Nothing in this DPA excludes liability that cannot be excluded under applicable data protection law.

10. Order of precedence

In the event of conflict, the SCCs prevail over this DPA, and this DPA prevails over the main Terms with respect to personal data processing.

Appendix A — SCCs

The Standard Contractual Clauses (Implementing Decision (EU) 2021/914) are incorporated by reference. Annex I (parties and description of transfer) is populated with the parties identified in this DPA and the categories of data and data subjects in §3. Annex II (technical and organisational measures) is populated with the measures in §8. Annex III (list of subprocessors) is published at /subprocessors and updated in line with §5.

Contact

privacy@winbackflow.co