Data processing agreement

This Data Processing Agreement ("DPA") is entered into between Buttondown ("Data Processor") and the Customer ("Data Controller") and forms part of the Agreement for the provision of services.

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• "Data Subject" means the individual to whom Personal Data relates.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2.1 This DPA applies to all Processing of Personal Data by the Data Processor on behalf of the Data Controller in connection with the services provided.

2.2 The Data Processor shall Process Personal Data only for the purpose of providing the agreed services and in accordance with the Data Controller's documented instructions.

The Data Processor shall:

3.1 Process Personal Data only on documented instructions from the Data Controller.

3.2 Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.

3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

3.4 Not engage another processor without prior specific or general written authorization of the Data Controller.

3.5 Assist the Data Controller in responding to requests for exercising Data Subject rights.

3.6 Delete or return all Personal Data to the Data Controller after the end of the provision of services.

3.7 Make available to the Data Controller all information necessary to demonstrate compliance with obligations.

4.1 The Data Processor shall implement and maintain appropriate technical and organizational measures including:

• Encryption of Personal Data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Regular backups and disaster recovery procedures
• Employee training on data protection

5.1 The Data Controller provides general authorization for the Data Processor to engage sub-processors.

5.2 The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors.

5.3 The Data Processor shall ensure sub-processors are bound by data protection obligations no less protective than those in this DPA.

6.1 The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to Data Subject requests including:

• Access to Personal Data
• Rectification or erasure of Personal Data
• Restriction of Processing
• Data portability
• Objection to Processing

7.1 The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data breach.

7.2 The notification shall include:

• Nature of the breach
• Categories and approximate number of Data Subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

8.1 The Data Processor shall not transfer Personal Data outside the EEA without appropriate safeguards in place.

8.2 Any international transfers shall comply with Chapter V of the GDPR.

9.1 The Data Processor shall make available all information necessary to demonstrate compliance.

9.2 The Data Controller may conduct audits, including inspections, with reasonable notice.

10.1 Each party shall be liable for its own compliance with data protection laws.

10.2 The Data Processor shall indemnify the Data Controller for damages arising from the Data Processor's breach of this DPA.

11.1 This DPA shall remain in effect for the duration of the Agreement.

11.2 Upon termination, the Data Processor shall, at the Data Controller's option, delete or return all Personal Data.

This DPA shall be governed by the laws of the United States and subject to the exclusive jurisdiction of the courts of the United States.