Data Processing Agreement
Effective date: 1 June 2026 · Version 1.0
1. Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between [Company Legal Name] ("Processor") and the customer ("Controller") who has accepted the Terms of Service. It sets out the terms on which the Processor will process personal data on behalf of the Controller in connection with the NewslettersSuck.Email service.
This DPA supplements and is incorporated into the Terms of Service. In the event of a conflict, this DPA prevails in respect of data protection matters.
2. Definitions
In this DPA:
- "Controller" means the customer that determines the purposes and means of processing personal data.
- "Processor" means [Company Legal Name], the operator of NewslettersSuck.Email, which processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person to whom personal data relates (e.g. a newsletter subscriber).
- "Personal Data" means any information relating to a Data Subject, including email addresses, names and engagement metrics processed through the service.
- "Processing" has the meaning given in GDPR Article 4(2) and POPIA section 1.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on the Controller's behalf.
- "GDPR" means the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR.
- "POPIA" means the Protection of Personal Information Act 4 of 2013 (South Africa).
3. Subject matter and nature of processing
The Processor will process Personal Data as necessary to deliver the NewslettersSuck.Email service, including:
- Storing subscriber email addresses and send preferences on behalf of the Controller.
- Transmitting newsletter campaigns via the Controller's chosen Email Service Provider (ESP).
- Recording open, click and unsubscribe events reported by the ESP.
- Processing approval-workflow events (approver email addresses and reply content).
The Processor will not process Personal Data for any purpose other than performing the service or as required by law.
4. Controller obligations
The Controller warrants and undertakes that:
- It has a lawful basis for processing each category of Personal Data it instructs the Processor to handle.
- It has obtained all necessary consents and provided all required notices to Data Subjects before uploading or integrating their data into the service.
- Its use of the service complies with all applicable data-protection and anti-spam laws, including CAN-SPAM, CASL, GDPR and POPIA.
- It will not upload special-category data (as defined in GDPR Article 9) without prior written agreement with the Processor.
5. Processor obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller, except where required to do so by applicable law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organisational security measures in accordance with GDPR Article 32 and POPIA section 19.
- Not engage a Sub-processor without prior written authorisation from the Controller (general authorisation is granted for the Sub-processors listed in §6 below).
- Assist the Controller in meeting its obligations to respond to Data Subject rights requests to the extent technically possible.
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach affecting Controller data, and in any event within 72 hours.
- Delete or return all Personal Data upon termination of the service, as directed by the Controller, subject to legal retention requirements.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
6. Sub-processors
The Controller grants general authorisation to engage the following Sub-processors. The Processor will notify the Controller of any intended additions or replacements with at least 14 days' notice, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure (SQL, Storage, App Service) | Infrastructure hosting and data storage | South Africa North / EU (configurable) |
| SendGrid (Twilio) | Transactional email delivery (approval emails, system notifications) | United States |
| Customer's chosen ESP (e.g. Mailchimp, HubSpot, TouchBasePro) | Newsletter campaign delivery to subscribers | Varies by ESP |
| Stripe | Payment processing and subscription management | United States / Ireland |
| Azure OpenAI / Google Gemini | AI-assisted newsletter content generation (brand-kit data only; no subscriber PII) | Configurable region |
7. International transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom or South Africa, the Processor will ensure that such transfers are made subject to appropriate safeguards, including Standard Contractual Clauses approved by the European Commission or equivalent mechanisms recognised under POPIA.
8. Data Subject rights
The Processor will, within five (5) business days of receiving a request from the Controller, provide the Controller with the technical assistance reasonably needed to fulfil a Data Subject's rights under applicable law (access, rectification, erasure, portability, restriction, objection).
The Controller is responsible for responding to Data Subject requests. The Processor will not respond directly to Data Subjects without the Controller's prior authorisation, unless required by law.
9. Security
The Processor implements the following measures as a minimum:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security in the database, so that each tenant's data is isolated from every other tenant's.
- Access controls and audit logging for all administrative operations.
- Regular vulnerability scanning and dependency updates.
- Azure Key Vault for all secrets; no secrets in source code or configuration files.
10. Audit rights
The Controller may, upon 30 days' written notice and no more than once per calendar year, request an audit of the Processor's data-protection practices. Such audits will be conducted at the Controller's expense and must not unreasonably disrupt the Processor's operations. The Processor may satisfy audit requests by providing a current independent third-party audit report (e.g. SOC 2 Type II, ISO 27001 certificate) where available.
11. Duration and termination
This DPA remains in force for as long as the Processor processes Personal Data on behalf of the Controller under the Terms of Service. Upon termination, the Processor will delete all Personal Data within 90 days, except where retention is required by law or where the Controller has requested export (via the account data-export feature) within that period.
12. Governing law
This DPA is governed by the laws of the Republic of South Africa, with the courts of Johannesburg having non-exclusive jurisdiction, unless the Controller is established in a jurisdiction that mandates a different governing law for data processing agreements.
13. Contact
Questions about this DPA or data-protection matters should be directed to privacy@newsletterssuck.email.