Data Processing Agreement

Last updated: [DATE]

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Resonate Mail OÜ ("Processor", "we", "us") and you, the customer ("Controller", "you", "your"), and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Resonate Reach service.

This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and purpose

2.1. When you use Resonate Reach to send emails to your subscribers, you act as the Controller of your subscriber data, and Resonate Mail acts as the Processor.

2.2. The Processor shall process Personal Data solely for the purpose of providing the Resonate Reach service to the Controller, including storing subscriber lists, sending email campaigns, tracking campaign performance (opens, clicks, bounces, unsubscribes), and managing bounces and unsubscribes.

2.3. The categories of Personal Data processed include subscriber email addresses, subscriber names (where provided by the Controller), IP addresses of subscribers (for open and click tracking), and any other personal data the Controller includes in subscriber lists or email content.

2.4. The data subjects are the Controller's email subscribers.

2.5. The duration of processing is the term of the Controller's use of the Resonate Reach service.

3. Obligations of the Controller

3.1. The Controller warrants that it has a lawful basis under the GDPR for the processing of Personal Data, including the collection and transfer of Personal Data to the Processor.

3.2. The Controller is responsible for ensuring the accuracy and quality of the Personal Data provided to the Processor.

3.3. The Controller shall comply with all applicable data protection laws, including the GDPR, when using the Services.

4. Obligations of the Processor

4.1. The Processor shall process Personal Data only on the documented instructions of the Controller, including as set out in this DPA, the Terms of Service, and any subsequent written instructions. If the Processor is required by EU or member state law to process Personal Data other than on the Controller's instructions, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.

4.2. The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

4.4. The Processor shall not engage a Sub-processor without the prior general written authorisation of the Controller. The Processor shall maintain a list of Sub-processors and shall inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.

4.5. Where the Processor engages a Sub-processor, it shall impose on the Sub-processor the same data protection obligations as set out in this DPA by way of a contract.

4.6. The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR.

4.7. The Processor shall assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.

4.8. At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services, and shall delete existing copies unless EU or member state law requires storage of the Personal Data. The Processor shall complete deletion within 30 days of termination.

4.9. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

5. Sub-processors

5.1. The Controller grants general authorisation for the Processor to engage Sub-processors, subject to the requirements of this Section.

5.2. A current list of Sub-processors is available at [URL or "available upon request at privacy@resonatemail.com"].

5.3. The Processor shall notify the Controller of any intended addition or replacement of Sub-processors at least 14 days before the engagement, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the parties shall discuss the matter in good faith. If no resolution is reached, the Controller may terminate the affected Services.

6. International transfers

6.1. The Processor shall not transfer Personal Data to a country outside the EEA unless appropriate safeguards are in place as required by Chapter V of the GDPR, such as Standard Contractual Clauses or an adequacy decision.

6.2. Where Sub-processors are located outside the EEA, the Processor shall ensure that appropriate transfer mechanisms are in place.

7. Data Breach notification

7.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.

7.2. The notification shall include, to the extent available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

7.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach.

8. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

9. Term and termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. It shall automatically terminate when the Terms of Service terminate, subject to the Processor's obligations regarding deletion or return of Personal Data.

10. Governing law

This DPA is governed by the laws of the Republic of Estonia, consistent with the Terms of Service.

11. Contact

For questions about this DPA, please contact:

Resonate Mail OÜ
[YOUR ESTONIAN LEGAL ADDRESS]
Email: [privacy@resonatemail.com]