Data Processing Addendum
1. Definitions
"Customer Data" means personal data contained in the lists, subscriber, and recipient information you submit to or generate through the Services. "Controller," "processor," "data subject," "personal data," and "processing" have the meanings given in applicable data-protection law. "Sub-processor" means a third party engaged by us to process Customer Data. "Applicable Data Protection Law" means privacy and data-protection laws applicable to the processing under this DPA.
2. Roles of the parties
For Customer Data, you are the controller (or processor acting on behalf of another controller) and BlacklistGuard is the processor. We process Customer Data only to provide the Services and on your documented instructions, including as set out in the Terms, this DPA, and your use of the Services. We will inform you if, in our opinion, an instruction infringes Applicable Data Protection Law.
Separately, BlacklistGuard acts as an independent controller for limited data it determines the purposes of — such as account and billing data, and operational, security, and abuse-prevention data — as described in our Privacy Policy.
3. Your obligations as controller
You are responsible for the lawfulness of Customer Data and of your instructions. You represent and warrant that you have provided all required notices and obtained all consents and lawful bases necessary for us to process Customer Data to provide the Services, including the recipient consents required under our Acceptable Use Policy.
4. Details of processing
- Subject matter: provision of the Services.
- Duration: for the term of your use of the Services, subject to the deletion terms below.
- Nature and purpose: hosting, processing, and transmitting messages and related data to deliver, secure, and support the Services.
- Types of personal data: as determined by you — typically email addresses, names, and engagement events (such as delivery, opens, clicks, bounces, and complaints), and any other data you choose to include.
- Categories of data subjects: your subscribers, recipients, contacts, and other individuals whose data you submit.
5. Sub-processors
You authorize us to engage sub-processors to help provide the Services. We impose data-protection obligations on our sub-processors that are no less protective than those in this DPA, and we remain responsible for their performance. We will make available, on request to privacy@blacklistguard.com, information about the categories of sub-processors we use, and we will give you a reasonable opportunity to object to a new sub-processor on reasonable data-protection grounds. If we cannot resolve a reasonable objection, you may stop using the relevant feature or terminate.
6. Security
We implement reasonable technical and organizational measures designed to protect Customer Data against unauthorized access, loss, alteration, and disclosure. These include encryption of data in transit, access controls limiting who can access Customer Data, and obligations of confidentiality on our personnel. We may update our measures over time provided we do not materially reduce their protection.
7. Security incidents
If we become aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Data, we will notify you without undue delay and provide information reasonably available to us to help you meet your notification obligations.
8. Data-subject requests
Taking into account the nature of the processing, we will provide reasonable assistance, including self-service tools in the Services, to help you respond to requests from data subjects to exercise their rights. If we receive such a request directly relating to Customer Data, we will forward it to you and will not respond on your behalf except as legally required or as you instruct.
9. Records and assistance
We will make available, on your reasonable written request and no more than once per year (unless required by a supervisory authority), information reasonably necessary to demonstrate our compliance with this DPA. We do not provide third-party audit reports or on-site audits.
10. International transfers
We process and store Customer Data in the United States. If your use of the Services requires a specific cross-border transfer mechanism for personal data originating in another jurisdiction, contact us to discuss appropriate safeguards. You are responsible for determining whether the transfer of Customer Data to the United States is permitted under the laws applicable to you.
11. Return and deletion of data
On termination of the Services, or on your written request, we will delete or return Customer Data and delete existing copies within 90 days, purging it from routine backups in the ordinary course, except to the extent we are required by law to retain it. You may also delete Customer Data using the Services during the term.
12. Regulated data
The Services are not designed for protected health information (PHI) or other data requiring a specialized agreement such as a Business Associate Agreement under HIPAA, and we do not enter into Business Associate Agreements. You must not submit such data to the Services.
13. U.S. state privacy terms
Where the California Consumer Privacy Act (as amended) or a similar U.S. state law applies, we act as your "service provider" (or processor). We will not sell or share Customer Data, will not retain, use, or disclose it except as necessary to provide the Services or as permitted by law, and will not combine it with data from other sources except as permitted. We certify that we understand and will comply with these restrictions.
14. Liability and precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Data, this DPA controls.