Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller ("Controller", "Customer", "you"): The entity that has agreed to ADSMedia's Terms of Service
• Data Processor ("Processor", "ADSMedia", "we", "us"): ADSMedia SIA, a company registered in Latvia

This DPA is incorporated into and forms part of the Terms of Service ("Agreement") between the parties.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion
• "Data Subject" means the individual to whom Personal Data relates
• "Sub-processor" means any third party engaged by the Processor to process Personal Data
• "GDPR" means the General Data Protection Regulation (EU) 2016/679
• "SCCs" means the Standard Contractual Clauses approved by the European Commission

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor shall process Personal Data on behalf of the Controller for the purpose of providing email delivery services as described in the Agreement.

3.2 Duration

Processing shall continue for the duration of the Agreement plus any retention periods specified in our Data Retention Policy.

3.3 Nature and Purpose

The nature and purpose of processing includes:

• Sending emails on behalf of the Controller
• Tracking email delivery, opens, and clicks
• Processing bounces and complaints
• Maintaining suppression lists
• Generating analytics and reports

3.4 Types of Personal Data

The following categories of Personal Data may be processed:

• Email addresses
• Names (if provided by Controller)
• IP addresses (for tracking)
• Email engagement data (opens, clicks, timestamps)
• Device and browser information (for analytics)

3.5 Categories of Data Subjects

Data Subjects include:

• Recipients of emails sent by the Controller
• Subscribers to the Controller's mailing lists
• Customers or contacts of the Controller

4. Obligations of the Processor

The Processor agrees to:

4.1 Lawful Processing

• Process Personal Data only on documented instructions from the Controller
• Not process Personal Data for any purpose other than as specified in this DPA
• Inform the Controller if an instruction infringes applicable data protection law

4.2 Confidentiality

• Ensure that persons authorized to process Personal Data have committed to confidentiality
• Not disclose Personal Data to third parties except as permitted by this DPA

4.3 Security Measures

Implement appropriate technical and organizational measures including:

• Encryption of Personal Data in transit (TLS 1.2+)
• Encryption of sensitive data at rest
• Container isolation between customers
• Access controls and authentication
• Regular security assessments
• DANE and MTA-STS for secure email transport
• Hashing of email addresses in suppression lists

4.4 Sub-processors

• Not engage another processor without prior authorization from the Controller
• Maintain a list of approved sub-processors (see Section 9)
• Impose the same data protection obligations on sub-processors
• Remain liable for the acts and omissions of sub-processors

4.5 Data Subject Rights

• Assist the Controller in responding to Data Subject requests
• Provide tools for data export and deletion
• Not respond directly to Data Subject requests unless authorized

4.6 Data Breach Notification

• Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach
• Provide information about the nature of the breach, categories of data affected, and remedial measures
• Assist the Controller in meeting its breach notification obligations

4.7 Data Protection Impact Assessments

• Assist the Controller with data protection impact assessments where required
• Provide information necessary for demonstrating compliance

4.8 Audit Rights

• Make available information necessary to demonstrate compliance with this DPA
• Allow for and contribute to audits conducted by the Controller or an authorized auditor
• Audits shall be conducted with reasonable notice and during normal business hours

4.9 Data Deletion

• Upon termination of services, delete or return all Personal Data as instructed by the Controller
• Delete existing copies unless storage is required by applicable law
• Hashed data in suppression lists may be retained to prevent future deliverability issues

5. Obligations of the Controller

The Controller agrees to:

• Ensure a lawful basis exists for processing (e.g., consent, legitimate interest)
• Provide clear instructions for processing in writing
• Ensure compliance with applicable data protection laws
• Maintain records of processing activities
• Respond to Data Subject requests concerning their data
• Notify Data Subjects about processing in accordance with GDPR requirements

6. International Data Transfers

Personal Data is primarily processed within the European Economic Area (EEA). Our infrastructure is located in France (EU).

Where Personal Data is transferred outside the EEA, we ensure appropriate safeguards through:

• EU Commission adequacy decisions
• Standard Contractual Clauses (SCCs) as approved by the European Commission
• Supplementary measures where required

By entering into this DPA, the parties agree to be bound by the SCCs for any transfers of Personal Data outside the EEA to countries not subject to an adequacy decision.

7. Data Retention

Personal Data is retained in accordance with our Data Retention Policy. Key retention periods:

Data Type	Retention Period
SMTP Logs	24 hours
Campaign Data	90 days
Email Content	30 days
Bounce Lists (hashed)	24 months
Engagement Statistics	90 days

8. Technical and Organizational Measures

The Processor implements the following security measures:

8.1 Access Control

• Role-based access control
• Strong authentication requirements
• Audit logging of administrative access

8.2 Encryption

• TLS 1.2+ for all data in transit
• DANE/TLSA for email transport security
• MTA-STS in enforce mode
• Encrypted storage for sensitive credentials

8.3 Isolation

• Customer data isolated in separate containers
• Dedicated IP addresses per customer
• No shared sending infrastructure

8.4 Availability

• High availability infrastructure
• Automated failover
• Regular backups

8.5 Data Minimization

• Email addresses in bounce lists stored as salted hashes
• Automated deletion per retention schedule
• Aggregation of statistics after retention period

9. Approved Sub-processors

The Controller authorizes the use of the following sub-processors:

Sub-processor	Location	Purpose
OVH SAS	France (EU)	Infrastructure hosting
Cloudflare, Inc.	EU data processing	CDN and DDoS protection

The Processor will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to such changes within 14 days.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

The Processor shall be liable for damages caused by processing only where it has not complied with GDPR obligations specifically directed at processors, or where it has acted outside of or contrary to the Controller's lawful instructions.

11. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination:

• The Processor shall cease processing Personal Data
• Personal Data shall be deleted or returned per Section 4.9
• The Processor shall certify deletion upon request

12. Governing Law

This DPA shall be governed by the laws of the Republic of Latvia, without regard to conflict of law principles. For matters related to GDPR compliance, the provisions of GDPR shall take precedence.

13. Amendments

This DPA may be amended by the Processor to reflect changes in data protection law or guidance. Material changes will be communicated to the Controller at least 30 days in advance.

14. Contact

For questions about this DPA or to request a signed copy:

ADSMedia SIA
Legal Department
Riga, Latvia
Email: [email protected]