Data Processing Agreement

Last updated: 26 November 2024

This Data Processing Agreement ("DPA") forms part of our Terms of Service and governs how we process personal data on your behalf as a data processor.

1. Definitions

  • "Controller" means you, the customer, who determines the purposes and means of processing personal data
  • "Processor" means Regen Outreach Ltd, processing data on behalf of the Controller
  • "Data Subject" means an identified or identifiable natural person
  • "Personal Data" means any information relating to a Data Subject
  • "Processing" means any operation performed on Personal Data
  • "Sub-processor" means a third party engaged by the Processor to process data

2. Scope and Roles

2.1 Your Role (Controller)

When you use our Service to send emails and manage contacts, you are the data controller. You determine:

  • What personal data to collect and upload
  • The purposes for which data is processed
  • Who receives your emails
  • How long data is retained

2.2 Our Role (Processor)

We act as your data processor when we:

  • Store your contact data
  • Send emails on your behalf
  • Track email engagement
  • Process unsubscribe requests

3. Processing Details

Subject Matter Email marketing services
Duration For the term of your subscription
Nature of Processing Storage, transmission, tracking, analysis
Purpose To provide email marketing services as described in our Terms
Categories of Data Contact information (names, email addresses), engagement data, custom fields
Data Subjects Your contacts/subscribers

4. Our Obligations

We will:

  • Process Personal Data only on your documented instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Only engage Sub-processors with your authorisation and under written contracts
  • Assist you in responding to Data Subject requests
  • Assist with your obligations under Articles 32-36 of GDPR (security, breach notification, DPIAs)
  • Delete or return Personal Data upon termination (at your choice)
  • Provide information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections

5. Your Obligations

You warrant that:

  • You have a lawful basis to process Personal Data
  • You have obtained all necessary consents
  • Your instructions to us comply with applicable laws
  • You will maintain accurate records of processing activities
  • You will inform us if any of your instructions may violate data protection laws

6. Security Measures

We implement appropriate measures including:

6.1 Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • Secure development practices
  • Regular backups with encryption
  • Network segmentation and firewalls

6.2 Organisational Measures

  • Role-based access control
  • Employee training on data protection
  • Background checks for personnel with data access
  • Incident response procedures
  • Vendor security assessments

7. Sub-processors

7.1 Authorised Sub-processors

You authorise us to engage the following categories of Sub-processors:

Category Purpose Location
Cloud Infrastructure Hosting and storage EU/UK
Email Delivery Sending emails (Postmark, SendGrid) US (with SCCs)
Payment Processing Handling payments US/EU (with SCCs)

7.2 Changes to Sub-processors

We will notify you of any intended changes to Sub-processors at least 30 days in advance. You may object to new Sub-processors by contacting us within 14 days.

8. Data Transfers

Where Personal Data is transferred outside the UK/EEA, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where required
  • Adequacy decisions where applicable

9. Data Subject Rights

We will assist you in fulfilling Data Subject requests for:

  • Access to their Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

We will notify you promptly if we receive any request directly from a Data Subject.

10. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (within 48 hours of becoming aware)
  • Provide details of the breach, including categories and approximate number of Data Subjects affected
  • Describe likely consequences and measures taken or proposed
  • Cooperate with your investigation and regulatory notifications

11. Audits

We will:

  • Make available information necessary to demonstrate compliance
  • Allow for audits by you or an auditor mandated by you
  • Contribute to audits with reasonable notice (at least 30 days)

Audit costs are borne by you unless the audit reveals material non-compliance by us.

12. Term and Termination

This DPA remains in effect for the duration of your subscription. Upon termination:

  • We will, at your choice, delete or return all Personal Data within 30 days
  • We will delete existing copies unless required by law to retain them
  • We will provide certification of deletion upon request

13. Liability

The liability provisions in our Terms of Service apply to this DPA. Each party is liable for damages caused by its breach of data protection laws or this DPA.

14. Contact

For DPA-related queries: