1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Mail Buttons ("Processor," "we," "our," or "us") and you ("Controller," "you," or "your") and governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy regulations.

This DPA is designed to comply with ISO/IEC 27001 standards for information security management and ensures that all personal data processing activities meet the highest standards of security and privacy protection.

2. Definitions

3. Scope and Purpose of Processing

3.1 Categories of Personal Data

The Processor may process the following categories of personal data on behalf of the Controller:

• Contact information (names, email addresses, phone numbers)
• Account and authentication data
• Email content and metadata
• Usage and analytics data
• Payment and billing information
• Communication preferences and settings
• Technical data (IP addresses, device information)

3.2 Categories of Data Subjects

• Controller's customers and end users
• Controller's employees and representatives
• Individuals whose email addresses are processed through the Service
• Website visitors and service users

3.3 Processing Activities

The Processor will process personal data for the following purposes:

• Providing AI email automation and routing services
• Processing and analyzing email content for automation purposes
• Managing user accounts and authentication
• Providing customer support and technical assistance
• Monitoring service performance and security
• Complying with legal and regulatory obligations
• Improving service functionality and user experience

4. Processor Obligations

4.1 Processing Instructions

The Processor shall:

• Process personal data only on documented instructions from the Controller
• Not process personal data for any purpose other than those specified in this DPA
• Immediately inform the Controller if any instruction violates applicable data protection laws
• Ensure that persons authorized to process personal data are bound by confidentiality obligations

4.2 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and vulnerability testing
• Employee training on data protection and security
• Incident response and breach notification procedures
• Physical security measures for data centers and facilities
• Compliance with ISO/IEC 27001 information security standards

4.3 Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject rights requests, including:

• Access requests
• Rectification and erasure requests
• Data portability requests
• Restriction of processing requests
• Objection to processing requests

5. Sub-processors

5.1 Authorization

The Controller provides general authorization for the Processor to engage sub-processors, provided that:

• The Processor maintains a list of current sub-processors
• The Processor provides reasonable notice of any intended changes
• The Controller has the right to object to new sub-processors
• Sub-processors are bound by the same data protection obligations

5.2 Current Sub-processors

6. Data Transfers

The Processor may transfer personal data to countries outside the European Economic Area (EEA) or other jurisdictions with adequate protection. Such transfers shall be subject to appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules
• Certification schemes and codes of conduct

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

• Notify the Controller without undue delay and within 24 hours of becoming aware
• Provide detailed information about the nature and scope of the breach
• Assist the Controller in meeting its breach notification obligations
• Take immediate steps to contain and remediate the breach
• Cooperate with any regulatory investigations

8. Data Retention and Deletion

The Processor shall:

• Retain personal data only for as long as necessary to fulfill the purposes specified in this DPA
• Delete or return personal data upon termination of the service agreement
• Provide certification of deletion upon request
• Comply with any specific retention requirements specified by the Controller

9. Audits and Compliance

The Processor shall:

• Maintain records of all processing activities
• Conduct regular security assessments and audits
• Provide audit reports and compliance certifications upon request
• Allow for reasonable audits by the Controller or its representatives
• Maintain ISO/IEC 27001 certification and other relevant compliance certifications

10. Liability and Indemnification

Each party shall be liable for any damages caused by its breach of this DPA. The Processor's liability for data protection violations shall be limited to direct damages, excluding indirect, consequential, or punitive damages.

The Controller shall indemnify the Processor against any claims arising from the Controller's violation of applicable data protection laws or breach of this DPA.

11. Term and Termination

This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination:

• The Processor shall cease all processing of personal data
• The Processor shall delete or return all personal data
• The Processor shall provide certification of deletion
• Confidentiality obligations shall survive termination

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of [Your Jurisdiction]. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of [Your Jurisdiction].

13. Contact Information

For any questions regarding this Data Processing Agreement, please contact us: