ActiveConversion

Data Processing Agreement

Effective Date: September 8, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ActiveConversion LLC ("Processor") and the Customer ("Controller") for the provision of email services.

1. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on Personal Data
  • "Controller": The entity that determines the purposes and means of Processing
  • "Processor": The entity that processes Personal Data on behalf of the Controller
  • "Sub-processor": Any third party engaged by Processor to process Personal Data
  • "Data Subject": The individual to whom Personal Data relates
  • "Services": The email delivery services provided by ActiveConversion

2. Scope and Roles

2.1 Scope: This DPA applies to all Personal Data processed by Processor on behalf of Controller in connection with the Services.

2.2 Roles: The parties acknowledge that with regard to the Processing of Personal Data, Controller is the data controller and Processor is the data processor.

2.3 Controller Instructions: Processor shall process Personal Data only on documented instructions from Controller, unless required by applicable law.

3. Details of Processing

Nature and Purpose

Processing of email data for the purpose of sending transactional emails on behalf of Controller, including delivery, tracking, and analytics.

Categories of Data Subjects

  • Controller's customers and users
  • Email recipients designated by Controller
  • Controller's employees and contractors

Types of Personal Data

  • Email addresses
  • Names (if provided)
  • Email content and metadata
  • IP addresses and device information
  • Engagement data (opens, clicks)

Duration of Processing

For the duration of the Services agreement, plus any retention period required by law or as specified in the Terms of Service.

4. Processor Obligations

Processor shall:

  • Process Personal Data only in accordance with Controller's documented instructions
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage Sub-processors without Controller's prior written consent
  • Assist Controller in responding to data subject requests
  • Assist Controller in ensuring compliance with security and breach notification obligations
  • Delete or return all Personal Data at the end of the Services
  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections

5. Security Measures

Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Firewalls and intrusion detection systems
  • Regular security patches and updates
  • Access logging and monitoring
  • Regular vulnerability assessments

Organizational Measures

  • Access control and authentication procedures
  • Employee training on data protection
  • Confidentiality agreements with all personnel
  • Regular security awareness training
  • Incident response procedures

6. Sub-processors

6.1 Authorized Sub-processors: Controller agrees to the use of the following Sub-processors:

Sub-processor          Purpose               Location
Amazon Web Services    Cloud Infrastructure  United States, EU
Cloudflare             Content Delivery      Global
Stripe                 Payment Processing    United States

6.2 New Sub-processors: Processor shall notify Controller of any intended changes concerning the addition or replacement of Sub-processors, giving Controller the opportunity to object to such changes.

7. International Transfers

Where Personal Data is transferred outside the EEA, Processor shall ensure appropriate safeguards:

  • Standard Contractual Clauses (Module 2: Controller to Processor)
  • Adequacy decisions where applicable
  • Additional security measures for high-risk transfers
  • Compliance with Schrems II requirements

8. Data Subject Rights

Processor shall assist Controller in fulfilling its obligations to respond to data subject requests:

  • Access to Personal Data
  • Rectification of Personal Data
  • Erasure of Personal Data ("right to be forgotten")
  • Restriction of Processing
  • Data portability
  • Objection to Processing
  • Not to be subject to automated decision-making

Processor shall notify Controller promptly of any data subject request received directly.

9. Personal Data Breach

Breach Notification Timeline:

  • Processor shall notify Controller without undue delay and within 48 hours of becoming aware
  • Notification shall include nature of breach, categories of data, and estimated number affected
  • Processor shall cooperate fully in investigation and remediation
  • Documentation of all breaches shall be maintained

10. Audit Rights

Controller has the right to audit Processor's compliance with this DPA:

  • Annual audits permitted with 30 days written notice
  • Processor shall provide relevant documentation and access
  • Audits conducted during business hours with minimal disruption
  • Controller bears costs unless material non-compliance is found
  • Third-party auditors must sign confidentiality agreements

11. Data Retention and Deletion

11.1 Retention: Personal Data shall be retained only for the period necessary to provide the Services or as required by law.

11.2 Deletion: Upon termination of Services, Processor shall, at Controller's choice, delete or return all Personal Data and delete existing copies unless legally required to retain.

11.3 Certification: Processor shall provide written certification of deletion upon request.

12. Liability and Indemnification

12.1 Each party's liability under this DPA shall be subject to the limitations set forth in the Terms of Service.

12.2 Each party shall indemnify the other against claims arising from its breach of data protection obligations.

13. Term and Termination

This DPA shall remain in effect for the duration of the Services agreement. Obligations regarding confidentiality, security, and data deletion shall survive termination.

14. Governing Law

This DPA shall be governed by the laws of Wyoming, United States, without regard to conflict of law principles. For GDPR-related matters, the relevant EU member state laws shall apply as appropriate.

15. Contact Information

Data Protection Officer
ActiveConversion LLC
30 N Gould St, Suite 100
Sheridan, WY 82801
United States

Email: dpo@activeconversion.net
Phone: +1 (650) 209-0879

Appendix 1: Standard Contractual Clauses

The Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission are incorporated by reference and form an integral part of this DPA for transfers of Personal Data from the EEA to countries without an adequacy decision.