Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Collaborative Marketing ("Processor") and the subscribing entity ("Controller"). It applies when we process personal data on your behalf in connection with our services, particularly for Agency plan customers who process their clients' data through the platform.
Key point: As a Processor, we handle your data according to your instructions only. If you're on the Agency plan, you're the Controller for your clients' data, and we process it on your documented instructions with all standard GDPR protections in place.
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Collaborative Marketing ("Processor") and the subscribing entity ("Controller"). It applies when we process personal data on your behalf in connection with our services.
The relationship between you and Collaborative Marketing is that of Controller and Processor as defined under the General Data Protection Regulation (GDPR). This agreement ensures compliance with applicable data protection laws including GDPR, CCPA, and other regulatory frameworks.
For Agency plan customers: Your agency is the Controller for your clients' personal data, and Collaborative Marketing is the Processor. This DPA governs how we handle that data.
2. Definitions
The following terms have the meanings set forth below, consistent with GDPR Article 4:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, erasure, or destruction.
- Data Subject: The individual to whom Personal Data relates.
- Controller: The entity which, alone or jointly with others, determines the purposes and means of Processing. In most cases, this is you (the subscribing entity).
- Processor: The entity which processes Personal Data on behalf of the Controller. In this relationship, this is Collaborative Marketing.
- Sub-processor: Any entity engaged by the Processor (or another Sub-processor) to process Personal Data on behalf of the Controller.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
3. Scope & Roles
Role of Controller: You, as the Controller, determine the purposes and means of Processing. You decide what data to process, why you need it, and how it should be used in connection with our services.
Role of Processor: Collaborative Marketing, as the Processor, processes Personal Data only on documented instructions from the Controller. We do not determine why or how your data is processed — you do. We follow your instructions and provide the technical and organizational infrastructure to facilitate that Processing.
For Agency Plan Subscribers: As an Agency plan customer, you are the Controller for your clients' personal data. Your clients' names, emails, contact information, and other identifiers are your data, and you decide how they're used in marketing campaigns. Collaborative Marketing is your Processor. When your clients' data passes through our platform (whether via upload, integration, or manual entry), we process it on your documented instructions, and this DPA applies to that relationship.
4. Data Processing Details
Types of Personal Data Processed:
- Contact names and email addresses
- Business information and website details
- Marketing content and campaign data
- Analytics data and campaign performance metrics
- Any data submitted by Controller for campaign creation and management
Categories of Data Subjects:
- Your customers and clients
- Leads and prospects you're targeting
- Website visitors and subscribers
- Employees and team members (if applicable to your campaigns)
Purpose of Processing:
- Provision of AI-powered marketing content generation
- Campaign management and execution
- Analytics and performance reporting
- Email and SMS delivery (through Sub-processors)
- Advertising campaign setup (through Sub-processors like Google Ads, Meta Ads)
Duration of Processing: Processing continues for the term of the Controller's subscription. Upon termination, we will delete all Personal Data within 30 days, except where retention is required by law.
5. Processor Obligations
Collaborative Marketing commits to the following obligations:
- Follow Instructions Only: We will process Personal Data only on documented, lawful instructions from the Controller. If we receive instructions we believe are illegal or violate this DPA, we will inform the Controller immediately.
- Confidentiality: Any persons authorized to process Personal Data on our behalf are bound by confidentiality obligations. Access to Personal Data is restricted to individuals who need it to provide the services.
- Security Measures: We implement appropriate technical and organizational security measures (detailed in Section 7) to protect against unauthorized or unlawful Processing.
- Data Subject Rights: We will assist the Controller in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection (detailed in Section 10).
- Deletion Upon Termination: Upon termination of the Controller's subscription, we will delete all Personal Data within 30 days (or return it, as instructed by the Controller).
- Compliance Assistance: We will make available all information necessary to demonstrate compliance with this DPA and applicable data protection laws. We will allow for and contribute to audits, including inspections, by the Controller or its auditors.
- Sub-processor Engagement: We will not engage any Sub-processors without prior written authorization from the Controller (see Section 6).
6. Sub-processors
Authorized Sub-processors: Collaborative Marketing currently engages the following Sub-processors to process Personal Data on the Controller's behalf:
- Stripe Inc. (USA) — Payment processing and billing. We share basic business information (company name, email, subscription plan) to process payments. Stripe does not retain Personal Data of your customers or leads.
- OpenAI / Anthropic (USA) — AI content generation. When you use our Brand DNA Scanner or AI content generation features, input data is processed by these services in real-time to generate marketing content. Data is processed transiently and not stored by these providers or shared beyond what's necessary for content generation.
- SendGrid (USA) — Email delivery. Email addresses of campaign recipients are transmitted to SendGrid to deliver marketing emails on your behalf.
- Twilio (USA) — SMS delivery. Phone numbers of campaign recipients are transmitted to Twilio to deliver SMS messages on your behalf.
- Google (USA) — Analytics, advertising APIs. If you use the Outreach, Autopilot, or Agency plan, we integrate with Google Ads and Google Analytics to create and manage advertising campaigns and track performance. Business information and campaign objectives are shared with Google.
- Meta Platforms, Inc. (USA) — Advertising. If you use the Outreach, Autopilot, or Agency plan, we integrate with Meta Ads Manager to create and manage campaigns. Business information and campaign objectives are shared with Meta.
Adding New Sub-processors: Before engaging any new Sub-processor, we will notify the Controller and provide at least 14 days' notice. The Controller may object to the engagement of any new Sub-processor on reasonable grounds by providing written notice to us. If we cannot resolve the objection, the Controller may terminate the affected services.
7. Security Measures
Collaborative Marketing implements the following technical and organizational security measures to protect Personal Data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using AES-256 encryption.
- Access Controls: Access to Personal Data is restricted to authorized personnel who need it to provide the services. Role-based access control (RBAC) ensures users can only access the data relevant to their functions.
- Authentication: Multi-factor authentication (MFA) is available and recommended for all user accounts. Passwords are hashed using bcrypt, which means we cannot view or recover your actual password.
- Regular Security Reviews: We conduct regular security assessments and penetration testing to identify and address vulnerabilities.
- Incident Response Procedures: We maintain documented incident response procedures to respond to Data Breaches quickly and effectively.
- CSRF Protection: Cross-Site Request Forgery (CSRF) tokens protect against unauthorized actions.
- Rate Limiting: API rate limiting and brute-force protections prevent unauthorized access attempts.
While we implement reasonable security measures, no system is perfectly secure. The Controller should implement additional security measures as appropriate for their specific use case (e.g., restricting access to campaign data to authorized employees).
8. Data Breach Notification
In the event of a Personal Data Breach, Collaborative Marketing will:
- Notification Timeline: Notify the Controller without undue delay and, where required by law (such as GDPR), within 72 hours of becoming aware of the Breach.
- Breach Information: The notification will include: (a) the nature of the Breach; (b) the categories and approximate number of Data Subjects affected; (c) the likely consequences of the Breach; (d) measures taken to address the Breach and mitigate harm.
- Further Assistance: We will assist the Controller in fulfilling any notification obligations to Data Subjects and regulatory authorities, and will cooperate in any investigation or remediation efforts.
9. International Transfers
Collaborative Marketing and its Sub-processors are based in the United States. Where Personal Data is transferred outside the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914) to provide adequate legal safeguards.
By agreeing to this DPA and our Terms of Service, the Controller consents to the transfer of their Personal Data to the United States for Processing as described in this DPA. The Controller is responsible for ensuring that any required Data Transfer Impact Assessments are conducted and that appropriate supplementary measures are in place.
10. Data Subject Rights
Collaborative Marketing will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including:
- Right of Access: Data Subjects may request a copy of their Personal Data. We will assist in providing this information in a structured, commonly used, machine-readable format.
- Right to Rectification: Data Subjects may request correction of inaccurate Personal Data. We will assist the Controller in facilitating this through account settings or data update requests.
- Right to Erasure: Data Subjects may request deletion of their Personal Data. We will facilitate deletion from our systems, subject to any legal retention obligations.
- Right to Restrict Processing: Data Subjects may request that we restrict Processing under certain conditions. We will comply with documented restrictions.
- Right to Data Portability: Data Subjects may request their data in a portable format. We will provide this upon request from the Controller.
- Right to Object: Data Subjects may object to Processing under certain circumstances. We will assist the Controller in evaluating and responding to such objections.
The Controller is responsible for responding to Data Subject requests. We will respond to reasonable requests from the Controller to facilitate these rights within 10 business days of receiving a documented request.
11. Term & Termination
Effective Term: This DPA is effective from the date the Controller subscribes to our services and continues for the duration of the subscription.
Termination: Upon termination of the Controller's subscription:
- The Controller may request deletion or return of all Personal Data.
- We will delete all Personal Data within 30 days of termination, unless the Controller requests return of the data or retention is required by law.
- Basic account information (name, email, billing history) may be retained for up to 7 years as required by financial regulations, but all campaign data, customer lists, and business information will be deleted.
Survival: Sections 2 (Definitions), 7 (Security Measures), 8 (Data Breach Notification), and 9 (International Transfers) will survive termination of this DPA.
12. Contact
For questions or requests related to this Data Processing Agreement, please contact our Data Protection Officer:
We will respond to all DPA-related inquiries within 10 business days.