We offer a data processing agreement for your organization’s data, making it easier to ensure you are using best practice contractual protections. Our data processing agreement clearly articulates our privacy commitments.

In the course of providing our service, InboxTarget may process personal data on your behalf. This document forms part of a contract of service with InboxTarget (as Data Processor) and our customers (Data Controllers). This DPA reflects the parties agreement with regard to the processing of personal data performed using our service.

Upon agreement of our DPA, you can use our full service.

How does this Agreement apply?

If the Data Controller is a paying customer of InboxTarget, this Agreement forms part of a contract of service with InboxTarget. If the Controller accepting this Agreement does not pay for InboxTarget services, this Agreement is not valid and is not legally binding.

If you need this agreement in print, please contact us to make it that way.

Definitions

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For our specific case, Controller is represented by our customers, who create an account on our service.

"Data Protection Law" means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms "process", "processes" and "processed" will be construed accordingly.

"Data Subject" means the individual to whom Personal Data relates.

"GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Instruction" means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

"Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

"Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. In this case is us, InboxTarget

"Terms of service" means the legal agreement between the Controller as the user and the Processor, that governs the Controller's limited, non-exclusive and terminable right to the use of the InboxTarget site and services as defined in the Terms of Service.

Appointment

The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller. Services provided by InboxTarget make it necessary for this agreement to be in place, as personal data flows easily from Controller to the Processor.

The Controller shall process Personal Data in accordance with the requirements of the Applicable Laws. The Controller shall have sole responsability for the accuracy, quality and legality of all data and the means by which is acquires this Personal Data

Duration

This Agreement commence on the date Controller (InboxTarget's customer) creates or gets an account on our platform/website.

The Data Processing Agreement is valid until either:

• The Data Processing Agreement is terminated or revoked.
• The agreement(s) pertaining to the delivery of the Main Services ceases

Each Controller using InboxTarget service has full control of it's Personal Date and decides for how long it gets saved into the service. Old data that becomes inactive after specific periods of time will be automatically deleted from InboxTarget servers.

Data processing

The Processor will process Personal Data for the Purpose described in the Terms of Service, as entered into between the parties, on behalf of and under the direction of the Controller.

The data will be processed either within a state of the European Union or outside the are. The Processor, InboxTarget, reserves it's rights to transfer data to outside European Union territory in order to provide it's services.

Technical and organization measures

InboxTarget takes all reasonable technical and organizational measures to commit to confidentiality of your data including:

• Use of encryption
• Continual monitoring of the confidentiality, integrity, availability, and resilience of our systems
• Preparedness to restore availability of our services in the event of a physical or technical incident
• Regular risk assessments of all systems
• Commercially reasonable steps to ensure employees and those acting on InboxTarget's behalf maintain confidentiality of personal data
• Data agreements&privacy confirmations of all sub-processors engaged in providing services to InboxTarget
• Provide written responses to all reasonable requests for information made by customers
• Reasonably assist customers with data security audits, including inspections, conducted by the customer, auditors, or other supervisory authorities
• Provide notice to customers regarding personal data breaches

Rights on Data

Data Controllers and Subjects have the following rights on the Personal Data being processed by InboxTarget

Right to be informed: Controllers or their Subjects can ask about personal data, how it is used, and why it is being used at any time.

Right of access: As outlined in our Privacy Policy (Access to Personal Information).

Right of rectification: Controllers or their Subjects can update (or request updates to) personal information at any time.

Right of erasure: Controllers may cancel their accounts at any time and may additionally request that InboxTarget erase all Personal Data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Your Data Subjects may also request that Controllers do the same for their personal data. InboxTarget reserves the right to keep the minimum amount of information that helps us prevent fraud to keep your deliverability the highest it can be.

Right to restrict processing: Controllers are able to put your account on hold at any time which restricts the sending of email communications, text messages or push notifications. Your data will still be processed for other actions such as billing and by our sub-processors. Controllers may cancel their account to restrict all data processing of your data and reactivate it as long as we have not yet deleted your information according to our retention policies.

Right to data portability: Controllers may export any of your lists, or selected information within any list, at any time while your account is active.

Subprocessors

The Data Processor may use third parties for the processing of personal data for the Data Controller to the extent that this is stated in:

• Appendix 3 of this Data Processing Agreement, or
• Instructions from the Data Processor.

The Third Party Data Processor must provide the same data protection obligations as the Data Processor (including those under the Data Processing Agreement).

The Third Party Data Processor only acts specifically in line with, and in relation to, the Instructions agreed with the Data Controller. Unless otherwise specifically agreed, all communications with the Third Party Data Processor are handled by the Data Processor. Any changes or clarifications to the Instructions from the Data Controller shall be immediately passed onto by the Data Processor to the Third Party Data Processor.

The Data Processor is directly responsible for ensuring the Third Party Data Processor’s processing of personal data in the same manner as if it were processed by the Data Processor itself.

Appendix 1 - Main Services

By the current addendum, the Beneficiary empowers the Data Processor (Service Provider) to: Identify, Collect, Aggregate, Process and host personal data, mentioned in this Agreement, received directly from the Controller through technical systems integrations of the codes provided by the Controller (InboxTarget) or manual import through Controller Platform or using API's provided by the Controller and use this data with the purpose of analyzing Controller's users (Data Subjects) behaviour and delivery of the services.

Delivery of services include but are not limited to communicate in the name of Data Controller with his users, according to the rules setup by the Controller

• Sending of emails or text messages on mobile numbers
• Sending of personal push notification to Subject device
• Personalize website content according to each Subject profile
• Collect data using surveys and polls
• Delivery of personalized ads via Facebook, Instagram, Google and Bing ad networks

Appendix 2 - Data Types and Categories

Data that is being processed by Data Processor can be one of the following but not limited to:

• Email address, first & last name of Subjects or addresses
• Phone numbers
• Browser Push notifications Tokens
• Device IP address (stored in anonymized format)
• Device screen resolution, operating system, browser type
• Geographic location
• Pages visited, orders
• Referring URL's and domains

Appendix 3 - Subprocessors

The following list might be updated in the future if other sub-processors are used. if you object to any sub-processor addition when added, you may cancel your account within 5 days of the notification provided that such objection is based on reasonable grounds relating to data protection.

DigitalOcean	Sparkpost	Amazon	Paypal	Google	Drift
Microsoft	Braintree	SalesForce	Kissmetrics	Cloudflare	Twilio
Litmus	Hubspot	Intercom