Data Processing Agreement (DPA)
Last updated: February 20, 2026
1. Parties and roles
This DPA applies when a customer uses RewindBack and personal data is processed on the customer's behalf. The customer is the Controller and RewindBack is the Processor.
2. Processing subject matter
RewindBack processes bookmark-related content and account metadata to provide synchronization, search, organization, and support functions described in the main service agreement.
3. Duration
Processing continues for the term of the customer's use of RewindBack, unless deletion or return is requested as permitted by law and contract.
4. Processor obligations
RewindBack will process personal data only on documented instructions, implement appropriate security controls, ensure confidentiality, assist with data subject requests where required, and support compliance obligations reasonably related to processing.
5. Subprocessors
RewindBack may use subprocessors for infrastructure and service operations. RewindBack remains responsible for subprocessors' performance of relevant data protection obligations.
6. Security measures
Security measures include access controls, encryption in transit, encrypted storage where applicable, logging, and incident response procedures aligned to service risk.
7. Incident notification
RewindBack will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting customer data, and provide available information needed for response.
8. International transfers
Where cross-border transfers apply, RewindBack will implement appropriate safeguards as required by applicable data protection law.
9. Return and deletion
Upon termination, customer data will be deleted or returned according to the service terms and legal requirements, subject to required retention obligations.
Enterprise customers can request a countersigned DPA through support.