Last updated: March 25, 2026
This Data Processing Agreement ("DPA") is entered into between the customer using Bungaflow ("Data Controller" or "Controller") and Redor AS, organization number [pending registration], operating the Bungaflow platform ("Data Processor" or "Processor").
This DPA governs the Processor's processing of personal data on behalf of the Controller in accordance with the General Data Protection Regulation (GDPR), in particular Article 28. The DPA forms an integral part of the service agreement between the parties and supplements the Privacy Policy and Terms of Use.
The Processor processes personal data on behalf of the Controller for the purpose of providing the Bungaflow platform, including but not limited to: booking management, expense splitting, task management, messaging, maintenance logging, document storage, guest portal, AI assistant, and related features.
The processing lasts for as long as the Controller maintains an active account on the Bungaflow platform. Upon termination or deletion of the account, processing ceases and data is deleted in accordance with Section 12 of this agreement.
The Processor processes the following categories of personal data on behalf of the Controller:
The processing concerns the following categories of data subjects:
The Processor shall:
The Controller provides general authorization for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase Inc. | Database & authentication | EU West (Ireland) | Standard DPA |
| Stripe Inc. | Payment processing | EU (Ireland) | Standard DPA |
| Vercel Inc. | Hosting & CDN | Global edge, EU origin | Standard DPA |
| Resend Inc. | Email delivery | US (Virginia) | Standard DPA |
| OpenAI Inc. | AI assistant | US | API DPA, zero data retention |
| Functional Software (Sentry) | Error monitoring | EU (Frankfurt) | Standard DPA |
| Cookiebot (Cybot A/S) | Consent management | EU (Germany) | Standard DPA |
The Processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days of notification.
Certain sub-processors (Resend, OpenAI, Vercel edge network) may process personal data outside the EU/EEA. Such transfers are safeguarded by the EU–US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with GDPR Chapter V.
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach, in accordance with GDPR Article 33. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
The Controller has the right to audit, or have audited by an independent third party, the Processor's compliance with this DPA and applicable data protection legislation. The Processor shall make available all information necessary to demonstrate compliance and shall cooperate with such audits.
Each party is liable for damages caused by processing that infringes the GDPR in accordance with Article 82. The Processor's total aggregate liability under this DPA is limited to the total fees paid by the Controller to the Processor in the 12 months preceding the event giving rise to the claim.
This DPA enters into force when the Controller creates an account on the Bungaflow platform and remains in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination or deletion of the Controller's account, all personal data is deleted within 30 days. Deletion is carried out via cascade delete, which removes all associated unit data (bookings, expenses, members, messages, tasks, documents, etc.).
For questions regarding this Data Processing Agreement or the processing of personal data, please contact us at privacy@bungaflow.com.