Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Service ("Agreement") between Review My Emails ("Processor," "we," "us") and the customer ("Controller," "you") and governs the processing of personal data in connection with our email list cleaning services.

This DPA incorporates the requirements of the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Terms not defined herein have the meanings given in the GDPR or, where applicable, other Data Protection Laws.

• "Customer Data" means any personal data that we process on your behalf in connection with the Services.
• "Data Protection Laws" means the GDPR, UK GDPR, CCPA, and any other applicable data protection legislation.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
• "Sub-processor" means any third party engaged by us to process Customer Data.
• "Data Subject" means the individual whose personal data is being processed.

2.1 Controller and Processor

For the purposes of this DPA:

• You act as the Controller of Customer Data
• We act as the Processor of Customer Data on your behalf

2.2 Processing Details

You represent and warrant that:

• You have obtained all necessary consents and legal bases for processing the Customer Data
• Customer Data was collected in compliance with applicable Data Protection Laws
• You have the right to transfer Customer Data to us for processing
• Your instructions comply with Data Protection Laws
• You will not upload sensitive personal data (Article 9 GDPR categories) unless we have explicitly agreed

We commit to:

• Lawful Processing: Process Customer Data only on your documented instructions, unless required by law
• Confidentiality: Ensure all personnel processing Customer Data are bound by confidentiality obligations
• Security: Implement appropriate technical and organizational measures to protect Customer Data
• Sub-processing: Not engage sub-processors without your prior authorization (see Section 6)
• Assistance: Assist you in responding to data subject requests and meeting your compliance obligations
• Deletion: Delete or return Customer Data upon termination of the Agreement, unless retention is required by law
• Audit: Make available information necessary to demonstrate compliance with this DPA

We implement the following security measures:

Technical Measures

• TLS 1.3 encryption for data in transit
• AES-256 encryption for data at rest
• Regular security assessments and penetration testing
• Access controls and authentication requirements
• Automated monitoring and intrusion detection
• Regular backups and disaster recovery procedures

Organizational Measures

• Employee background checks and confidentiality agreements
• Security awareness training
• Incident response procedures
• Vendor security assessments

You authorize us to engage the following sub-processors:

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to a new sub-processor by terminating the Agreement.

When Customer Data is transferred outside the European Economic Area (EEA), UK, or Switzerland, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We incorporate the EU Commission's 2021 SCCs into agreements with sub-processors
• Data Privacy Framework: Where applicable, we rely on certifications under the EU-US Data Privacy Framework
• Adequacy Decisions: We may transfer data to countries with EU adequacy decisions

Upon request, we will provide copies of relevant data transfer mechanisms.

We will assist you in responding to data subject requests, including:

• Access requests
• Rectification requests
• Erasure requests ("right to be forgotten")
• Data portability requests
• Objection to processing
• Restriction of processing

If we receive a request directly from a data subject, we will promptly notify you unless prohibited by law.

In the event of a personal data breach affecting Customer Data, we will:

• Notify you without undue delay and within 72 hours of becoming aware of the breach
• Provide information about the nature of the breach, categories of data affected, and likely consequences
• Describe measures taken or proposed to address the breach
• Cooperate with you in investigating and mitigating the breach
• Assist you in meeting your notification obligations to supervisory authorities and data subjects

Upon request, we will provide reasonable assistance to help you conduct Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required by Data Protection Laws.

Upon reasonable notice, you may audit our compliance with this DPA. We will:

• Provide access to relevant documentation and records
• Allow audits or inspections by you or an independent auditor
• Cooperate with supervisory authority audits

Audits shall be conducted during business hours, with reasonable notice, and subject to confidentiality obligations.

This DPA remains in effect for the duration of the Agreement. Upon termination:

• We will delete Customer Data within 30 days, unless retention is required by law
• Upon request, we will certify deletion in writing
• Provisions that by their nature should survive will remain in effect

Liability under this DPA is subject to the limitations set forth in the Agreement. Each party is liable for damages caused by its breach of Data Protection Laws or this DPA.

For questions about this DPA or data protection matters:

• Legal Team: legal@reviewmyemails.com
• Privacy Inquiries: privacy@reviewmyemails.com