LoginGet started

Data Processing Agreement

Last updated: March 23, 2025

This Data Processing Agreement ("DPA") forms part of the agreement between you (or the entity you represent) ("Customer") and Artmail ("Processor") governing Processor's processing of personal data on behalf of Customer when Customer uses the Services as a controller (or processor on behalf of its own customers, as applicable). If you sign a separate DPA with Artmail, that document controls to the extent of any conflict.

1. Definitions

"Personal data," "controller," "processor," "processing," and "data subject" have the meanings in applicable data protection law (including GDPR). "Services" means Artmail's subscription services and APIs ordered by Customer.

2. Scope and roles

Customer determines the purposes and means of processing personal data it uploads to the Services (e.g., contact records). Artmail processes such data only on documented instructions from Customer—via the Services configuration, this DPA, and the Terms—unless otherwise required by law.

3. Details of processing

Subject matter: provision of the Services. Duration: for the term of the agreement plus deletion periods described in documentation. Nature: hosting, storage, transmission of email, analytics needed to operate the Services. Categories of data subjects: Customer's end users and contacts as uploaded by Customer. Types of data: identifiers (e.g., email, name), engagement data, and content Customer stores in the Services.

4. Processor obligations

Artmail will:

  • Process personal data only on Customer's instructions unless law requires otherwise;
  • Ensure persons authorized to process data are bound by confidentiality;
  • Implement appropriate technical and organizational measures as described in our Trust materials;
  • Assist Customer with data subject requests and impact assessments, considering the nature of processing;
  • Delete or return data at Customer's choice after the end of the Services, subject to law;
  • Make available information necessary to demonstrate compliance and allow audits as described below.

5. Subprocessors

Customer authorizes Artmail to engage subprocessors listed on our Subprocessors page. We remain responsible for subprocessors' performance. We will notify Customer of changes to subprocessors as described on that page or in the Services.

6. International transfers

Where personal data originating from the EEA, UK, or Switzerland is transferred to countries without an adequacy decision, we will use appropriate safeguards such as the EU Standard Contractual Clauses (including the UK Addendum where applicable), unless another valid mechanism applies.

7. Security incidents

We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer data, where required by law, and provide information reasonably necessary for Customer to meet its obligations.

8. Audit

Customer may request completion of reasonable security questionnaires. Onsite audits may be agreed where required by law, subject to confidentiality and scheduling.

9. Contact

For DPA-related requests: Contact us.