Data Processing Addendum (DPA)

1. Parties and Relationship

This DPA forms part of the customer agreement for the service.

For customer personal data submitted through campaigns, contact uploads, and related workflow configuration, the customer is controller (or processor with onward authority) and we are processor.

For service account, billing, and security administration data, we may act as controller as described in the Privacy Policy.

2. Processing Instructions

We process customer personal data only on documented instructions from the customer, including as necessary to provide the service and maintain documented security controls.

Customer remains responsible for ensuring a valid legal basis for collection and use of recipient data, invitation content, and campaign targeting.

3. Subject Matter, Duration, and Data Types

• Subject matter: campaign management, calendar invitation automation, related account and compliance operations.
• Duration: for the term of the customer agreement and any post-termination retention window required for secure deletion, legal obligations, or dispute defense.
• Data subjects: customer users, invitation recipients/contacts, and other individuals whose data is provided by customer.
• Personal data categories: identity/contact data, campaign/event metadata, provider account metadata, and operational security logs.

4. Confidentiality and Security Measures

• Access controls and least-privilege principles for production systems.
• Encryption in transit and appropriate encryption or equivalent safeguards at rest.
• Logging and monitoring for abuse detection, incident response, and auditability.
• Administrative, technical, and organizational measures designed to protect against unauthorized access, disclosure, alteration, and destruction.

5. Subprocessors

Customer authorizes use of subprocessors required to operate the service, including infrastructure, data platform, provider integration, and payment vendors listed in the Privacy Policy.

We impose data protection obligations on subprocessors consistent with this DPA.

We remain responsible for subprocessor performance of the outsourced processing obligations to the extent required by applicable law.

6. International Data Transfers

Where customer personal data is transferred across borders and transfer safeguards are required, we will implement an appropriate transfer mechanism, such as the EU Standard Contractual Clauses (or lawful equivalent mechanism).

7. Assistance, Breach Notice, and Data Subject Requests

• We provide reasonable assistance so customer can respond to data subject requests and meet applicable data protection obligations.
• We notify customer without undue delay after becoming aware of a confirmed personal data breach affecting customer personal data, and provide available details necessary for customer response.
• We provide reasonable cooperation for impact assessments, regulator inquiries, and security reviews where legally required and proportionate.

8. Deletion or Return of Data

Upon termination or verified customer request, we will delete or return customer personal data in accordance with the service functionality and contractual terms, unless retention is required by law.

9. Audit and Information Rights

Upon reasonable written request, we provide information necessary to demonstrate compliance with this DPA, including summaries of relevant technical and organizational measures.

Where law or contract requires, parties may agree on a proportionate audit mechanism that protects platform security and other customers' confidentiality.

10. Conflicts and Updates

If this DPA conflicts with other terms for customer personal data processing, this DPA controls for that processing.

We may update this DPA where required by law, regulatory change, or operational necessity, with notice through normal customer communication channels.