1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between HMD Corp. ("Processor", "we", "us") and you ("Controller", "you") when you use Notify'n to process personal data.
This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Data Subject" means the individual to whom Personal Data relates.
- "Processing" means any operation performed on Personal Data.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
3. Scope of Processing
3.1 Subject Matter
The subject matter of processing is the provision of email marketing services through the Notify'n platform.
3.2 Duration
Processing will continue for the duration of the service agreement between the parties.
3.3 Nature and Purpose
We process Personal Data to provide email delivery services, analytics, and related features.
3.4 Types of Personal Data
- Contact information (email addresses, names)
- Custom field data you upload
- Email engagement data (opens, clicks)
- Technical identifiers (IP addresses, device information)
3.5 Categories of Data Subjects
- Your email subscribers and contacts
- Your employees and team members
4. Your Obligations
As the Controller, you are responsible for:
- Ensuring you have a lawful basis to collect and share Personal Data with us
- Providing all required notices to Data Subjects
- Obtaining any required consents from Data Subjects
- Ensuring the accuracy of Personal Data you upload
- Responding to Data Subject requests with our assistance
5. Our Obligations
As the Processor, we will:
- Process Personal Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Notify you of personal data breaches without undue delay
- Delete or return Personal Data upon termination of services
- Make available information to demonstrate compliance
6. Security Measures
We implement appropriate security measures including:
- Encryption of Personal Data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Employee training on data protection
- Incident response and disaster recovery procedures
- Physical security of data centers
See our Security page for more details.
7. Sub-processors
We use certain third-party sub-processors to help provide our services. You authorize us to engage sub-processors subject to the following:
- We maintain an up-to-date list of sub-processors
- We enter into written agreements with sub-processors imposing data protection obligations
- We notify you of any intended changes to sub-processors
- You may object to new sub-processors within 14 days of notification
8. International Transfers
Personal Data may be transferred to countries outside the EEA. We ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all sub-processors
- Supplementary measures where required
9. Data Subject Rights
We will assist you in responding to requests from Data Subjects to exercise their rights, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
10. Data Breach Notification
In the event of a personal data breach, we will:
- Notify you without undue delay (within 72 hours where feasible)
- Provide details of the breach including categories of data affected
- Describe measures taken or proposed to address the breach
- Cooperate with any investigation or regulatory inquiry
11. Audits
Upon reasonable request and subject to confidentiality obligations, we will:
- Provide relevant audit reports and certifications
- Allow for and contribute to audits conducted by you or an auditor
- Provide information necessary to demonstrate compliance
12. Term and Termination
This DPA remains in effect for the duration of your use of our services. Upon termination:
- We will delete your Personal Data within 30 days
- We may retain data as required by law
- You may request a copy of your data before deletion
13. Contact
For questions about this DPA or to exercise your rights, contact:
- Data Protection Officer: dpo@notifyn.com
- Legal: legal@notifyn.com