Note: Versions of the DPA prior to 14 November 2025 are found here.
Parties to this DPA
This Data Processing Agreement (“DPA”) is made by and between the parties to any Order Form or Terms incorporating this DPA by reference, and this DPA shall be in addition to any obligations set out in any Order Form or Terms.
The parties agree that in relation to Protected Data (as it may be applicable to the parties under Data Protection Laws), the Customer shall be the Data Controller and Dotdigital shall be the Data Processor.
This DPA outlines the obligations between the parties where Dotdigital acts as a data processor in providing Services to the Customer insofar as it relates to Customer contact personal data.
This DPA was last updated on 14 November 2025.
Definitions
All capitalised terms in this DPA shall have the meaning as prescribed by the Dotdigital Terms as located at https://www.dotdigital.com/terms or as otherwise agreed between the parties, unless otherwise specified below.
Applicable Law means as applicable and binding on the Controller, the Processor and/or the Services:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of, as may be specified in Terms;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
Data Controller means the party determining the processing activities conducted in relation to Personal Data, as may be further described under applicable Data Protection Laws;
Data Processor means the party conducting processing activities at the instruction of the Data Controller in relation to Personal Data, as may be further described under applicable Data Protection Laws;
Data Protection Laws means as applicable and binding on the Controller, Processor and/or the Services:
(a) for Services supplied by Dotdigital EMEA Limited, the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), the Data Protection Act 2018, the “UK GDPR” as defined in section 3(1) of the Data Protection Act 2018 (supplemented by section 205(4)), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and/or any corresponding or equivalent national laws or regulations;
(b) for Services supplied by Dotdigital B.V., the General Data Protection Regulation (EU) 2016/679 (and national implementing legislation of the same), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and/or any corresponding or equivalent national laws or regulations;
(c) for Services supplied by Dotdigital, Inc., all state and federal legislation applicable to the processing of Personal Data as contemplated under the Order Form, including but not limited to, the California Consumer Privacy Act of 2018 (the “CCPA”);
(d) for Services supplied by Dotdigital APAC Pty Ltd., all state and national legislation applicable to the processing of Personal Data as contemplated under the Order Form, including but not limited to, the Privacy Act 1988 and/or any corresponding or equivalent national laws or regulations;
(e) for Services supplied by Dotdigital SG Pte. Ltd., the Personal Data Protection Act (No 12 of 2012) and all regulations, notifications and other subordinate legislation in force from time to time;
(f) for Services supplied by Dotdigital Japan Limited, all state and national legislation applicable to the processing of Personal Data as contemplated under the Order Form, including but not limited to, the Act on the Protection of Personal Information 2003;
(g) specifically in relation to the Customer, all data protection and/or privacy laws of the jurisdictions in which recipient Data Subjects contacted through the Services are located;
(h) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time.
Data Protection Losses means:
(a) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; and/or
(b) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject;
Data Subject means the individual to whom Personal Data relates (as may be further defined by applicable Data Protection Laws, whether defined under the same term or as an equivalent term);
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
International Recipient has the meaning given to that term in clauses 6.2 and 6.5;
Personal Data has the meaning given to that term in Data Protection Laws, or, where that term is not identically defined in the applicable Data Protection Law, the meaning given to the equivalent defined term in that applicable Data Protection Law;
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
Processing has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);
Processing Instructions has the meaning given to that term in clause 3.2.1;
Protected Data means Personal Data received from or on behalf of the Customer in connection with the performance of the Processor’s obligations under this DPA;
EU SCCs means the standard contractual clauses for the transfer of personal data to third countries authorised by the Commission Decision of 4 June 2021 pursuant to Regulation (EU) 2016/679 (2010/87/EU), or such alternative clauses as may be approved by the European Commission from time to time;
Sensitive Data means any personal information that, due to its nature or context, requires enhanced protection under applicable data protection laws, privacy regulations, and any other relevant legal requirements;
Sub-Processor means another Data Processor engaged by Dotdigital or any Associated Company of Dotdigital for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
UK SCCs means the Information Commissioner’s Office’s (“ICO”) International Data Transfer Agreement (“IDTA”) for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses, or such alternative clauses as may be approved by the UK from time to time.
References to any Applicable Laws (including to the Data Protection Laws and each of them specifically, as the case may be) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable. A reference to a law includes all subordinate legislation made under that law.
1 Interaction with the Agreement
1.1 This DPA will take effect from the date on which the Customer accepts the terms of this DPA (or signs an Order Form incorporating the terms of this DPA) and shall continue until the end of the Processor’s provision of the Services (including any period of suspension, where relevant).
1.2 Except for the changes made by this DPA, the Terms and Order Form remain in full force and effect.
2 Data Processor and Data Controller
2.1 The Processor shall process Protected Data in compliance with:
2.1.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations herein; and
2.1.2 the terms of this DPA, the Terms and the Order Form which sets out the Controller’s instructions in relation to such processing activities.
2.2 The Data Controller shall comply with:
2.2.1 all Data Protection Laws in connection with the processing of Protected Data, use of the Services and the exercise and performance of its respective rights and obligations under this DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.2.2 the terms of this DPA.
2.3 The Controller warrants, represents and undertakes, that:
2.3.1 all data sourced by the Controller for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Controller providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and
2.3.2 all instructions given by it to the Processor in respect of Personal Data shall at all times be in accordance with Data Protection Laws.
2.4 The Controller shall not unreasonably withhold, delay or condition its agreement to any change or amendment requested by Processor in order to ensure the Services and the Processor (and each Sub-Processor) can comply with Data Protection Laws.
3 Instructions and details of processing
3.1 By entering into this DPA, Controller instructs the Processor to process Customer Protected Data only in accordance with Applicable Law:
3.1.1 To provide the Services;
3.1.2 As further specified by Controller’s use of the Services or the Software;
3.1.3 As documented in the form of the terms and this DPA; and
3.1.4 As further documented in any other written instructions provided by the Controller and acknowledged by the Processor as being instructions for the purposes of this DPA.
3.2 Insofar as the Processor processes Protected Data on behalf of the Controller, the Processor:
3.2.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Controller’s documented instructions as set out in this clause, as updated from time to time as agreed between the parties (“Processing Instructions”);
3.2.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Controller of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
3.2.3 shall inform the Controller if the Processor becomes aware of a Processing Instruction that, in the Supplier’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to clauses 3 and 2.4; and
(b) to the maximum extent permitted by mandatory law, the Processor shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of that information.
3.3 The subject matter and details of the processing of Protected Data to be carried out by the Processor under this DPA shall comprise the processing set out in Schedule 1 (Data Processing details), as may be updated from time to time as agreed between the parties.
3.4 The Processor confirms that it has appointed a data protection officer where such appointment is required by Data Protection Law. The appointed data protection officer may be contacted by email at Privacy@dotdigital.com.
3.5 Further to the above, the Processor acknowledges that its processing of Protected Data is limited to that as set out in this DPA in order to supply the Services to the Controller and in accordance with the Terms.
4 Technical and organisational measures
4.1 The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Processor, taking into account the nature of the processing, to assist the Controller insofar as is possible in the fulfilment of the Controller’s obligations to respond to Data Subject Requests relating to Protected Data. These measures are outlined at https://dotdigital.com/trust-center/technical-and-organizational-security-measures/.
5 Using Sub-Processors
5.1 The Controller specifically authorises the engagement of Dotdigital’s existing and future Associated Companies as Sub-Processors and also authorises the appointment of any of the Sub-Processors listed at https://dotdigital.com/trust-center/ to process Protected Data. During the Term of this DPA, the Processor shall provide the Controller with 30 days’ prior notice of the appointment of any new third-party sub-processor, including details of the Processing to be undertaken by the Sub-Processor, via email.
5.3 The Controller may object (on reasonable grounds and only relating to data protection) to the use of a new or replacement Sub-Processor appointed per the clause above within fourteen (14) days of the Processor’s notice. If the Controller notifies the Processor in writing of any objections to the proposed appointment: the Processor shall work with the Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-Processor; and where such a change cannot be made within fourteen (14) days of the Processor’s receipt of the Controller’s notice, the Controller may by written notice to the Processor with immediate effect terminate the Order Form to the extent that it relates to the Services which require the use of the proposed Sub-Processor. This termination right is the Controller’s sole and exclusive remedy for the Customer’s objection to any Sub-Processor appointed by the Processor during the Term.
5.4 The Processor shall ensure:
5.4.1 via a written contract that the Sub-Processor only accesses and processes Protected Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA that is enforceable by the Processor; and
5.4.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
5.5 The Controller agrees that the Processor and its Sub-Processors may make Restricted Transfers of Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement. The Processor confirms that such Sub-Processors: (i) are located in a third country or territory recognised by the EU Commissioner or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable SCCs with the Processor; or (iii) have other recognised appropriate safeguards in place.
6 International data transfers
6.1 Australian Transfers. Where the Processor receives Protected Data protected by Australian Data Protection Laws, the Controller acknowledges and agrees that the Processor may transfer such Personal Data to Sub-Processors located outside of Australia, as contemplated under this DPA subject to the Processor complying with this DPA and applicable Data Protection Laws.
6.2 European Transfers. The Controller agrees that the Processor may transfer any Protected Data to Sub-Processors located in countries outside the European Economic Area (EEA) (an “EEA International Recipient”), provided all transfers by the Processor of Protected Data to an EEA International Recipient shall (to the extent required under Data Protection Laws) be subject to and in compliance with the EU SCCs and other requirements of Data Protection Laws including, but not limited to, data transfer impact assessments, third country assessments and agreeing additional safeguards as necessary.
6.3 Where there is a transfer of Protected Data to the Processor by a Controller established in the European Economic Area, and the location of the relevant Dotdigital entity is a third country under European Data Protection Laws, the Processor agrees to abide by and process Protected Data in compliance with the EU SCCs. Controllers may request to enter into EU SCCs directly with the Processor by contacting privacy@dotdigital.com.
6.4 Singapore Transfers. Where the Processor receives Protected Data protected by Singaporean Data Protection Laws, the Controller acknowledges and agrees that the Processor may transfer such Protected Data to Sub-Processors located outside of Singapore (including but not limited to the physical storage of Protected Data within hosting facilities located in Australia), as contemplated under this DPA subject to the Processor complying with the DPA and applicable Data Protection Laws.
The Processor has taken appropriate steps to ascertain whether, and to ensure that, any recipient of the Protected Data is bound by legally enforceable obligations to provide to the transferred Protected Data a standard of protection that is at least comparable to the protection under the PDPA.
6.5 UK Transfers. The Controller agrees that the Processor may transfer any Protected Data to Sub-Processors located in countries outside the United Kingdom (UK) (a “UK International Recipient”), provided all transfers by the Processor of Protected Data to a UK International Recipient shall (to the extent required under Data Protection Laws) be subject to and in compliance with the UK SCCs and other requirements of Data Protection Laws including, but not limited to, data transfer impact assessments, third country assessments and agreeing additional safeguards as necessary.
6.6 Japan Transfers. Where the Processor receives Protected Data protected by Japanese Data Protection Laws, the Controller acknowledges and agrees that the Processor may transfer such Protected Data to Sub-Processors located outside of Japan (including but not limited to the physical storage of Protected Data within hosting facilities located in Australia), as contemplated under this DPA subject to the Processor complying with the DPA and applicable Data Protection Laws.
7 Staff
7.1 The Processor shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Processor shall, where practicable and not prohibited by Applicable Law, notify the Controller of any such requirement before such disclosure).
8 Assistance with the Customer’s compliance and Data Subject rights
8.1 The Processor shall refer all Data Subject Requests it receives to the Controller within three Business Days of receipt of the request.
8.2 Further to the above and notwithstanding anything to the contrary in the Terms, the Processor reserves the right to disclose the identity of the Controller to any relevant Data Subject following any such request from a Data Subject.
8.3 The Processor shall provide such reasonable assistance as the Controller reasonably requires (taking into account the nature of processing and the information available to the Processor) to the Controller in ensuring compliance with the Controller’s obligations under Data Protection Laws with respect to:
8.3.1 security of processing;
8.3.2 data protection impact assessments (as such term is defined in Data Protection Laws);
8.3.3 prior consultation with a Supervisory Authority regarding high-risk processing; and
8.3.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Controller in response to any Personal Data Breach.
9 Records, information and audit
9.1 The Processor shall maintain, in accordance with Data Protection Laws binding on the Processor, written records of all categories of processing activities carried out on behalf of the Controller.
9.2 The Processor shall, in accordance with Data Protection Laws, make available to the Controller such information as is reasonably necessary to demonstrate the Processor’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Controller (or another auditor mandated by the Controller) for this purpose, subject to the Controller:
9.2.1 giving the Processor reasonable prior notice of such information request, audit and/or inspection being required by the Controller;
9.2.2 ensuring that all information obtained or generated by the Controller or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
9.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to the Processor’s business and the business of other Customers of the Processor; and
9.2.4 paying the Processor’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits on-site, calculated on a time & materials basis.
10 Breach notification
10.1 In respect of any Personal Data Breach involving Protected Data, the Processor shall, without undue delay (but in any event within 24 hours) from when the Processor becomes aware of the same:
10.1.1 notify the Controller of the Personal Data Breach; and
10.1.2 provide the Controller, where possible, with details of the Personal Data Breach.
10.2 Notice of a Personal Data Breach as contemplated under 10.1.1 above shall include:
10.2.1 the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
10.2.2 the likely consequences of the Personal Data Breach; and
10.2.3 the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
10.2.4 such other information as may be required by Data Protection Law.
10.3 Unless otherwise requested, notifications will be sent to the email address associated with the account owner.
11 Deletion or return of Protected Data and copies
11.1 The Processor shall meet its obligation to delete or return Protected Data by providing facilities for the Controller to perform such actions. Upon written request from the Controller, any return of Protected Data shall be in such form as the Controller reasonably requests, within a reasonable time after the earlier of:
11.1.1 the end of the provision of the relevant Services related to processing; or
11.1.2 once processing by the Processor of any Protected Data is no longer required for the purpose of the Processor’s performance of its relevant obligations under the Order Form, and delete existing copies (unless storage of any data is required by Applicable Law and, if so, the Processor shall inform the Controller of any such requirement).
12 Liability
12.1 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set out in the Terms.
12.2 Notwithstanding the foregoing, the limitations specified in 12.1 above shall not apply to Data Protection Losses. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
12.3 Any Data Protection Losses incurred by one party arising from or in connection with the other’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall be considered a liability to the non-compliant party.
13 Cooperation
13.1 If a party receives a compensation claim from an individual or Supervisory Authority relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
13.1.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
13.1.2 consult fully with the other party in relation to any such action.
14 Government Requests
14.1 The Processor does not, as a matter of course, voluntarily supply government authorities, agencies or law enforcement access to or information relating to the Processor’s Customer accounts or Protected Data. If the Processor receives a compulsory request (whether via court order, warrant, or other valid legal process) from any government authority, agency or law enforcement for access to or information relating to a Customer account (including Protected Data) belonging to a Controller (hereafter, a “Government Request”), the Processor shall take all such reasonable steps as necessary to confirm the validity of such a request.
14.2 In the event that the Processor satisfies itself that a Government Request is valid, the Processor shall:
14.2.1 inform the government authority, agency or law enforcement that Dotdigital is a processor of the Protected Data;
14.2.2 attempt to redirect the government authority, agency or law enforcement to request the data directly from the Controller; and
14.2.3 notify the Controller via email of the Government Request to allow Customer to seek their own appropriate remedy, whereby the Processor may provide the Controller’s contact information.
14.3 The Processor shall not be required to comply with the provisions of clauses 14.1 or 14.2 above if:
14.3.1 the Processor is legally prohibited from doing so; or
14.3.2 the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, the safety of the public, or the Processor’s Services or property.
SCHEDULE 1: DATA PROCESSING DETAILS
1 Subject-matter of processing:
Protected Data relating to the Processor’s provision of the Services to the Controller.
2 Duration of the processing:
The term of any relevant Order Form until deletion of all Protected Data by the Processor in accordance with the DPA.
3 Nature and purpose of the processing:
The Processor will process Customer Protected Data for the purposes of providing the Services to the Controller in accordance with the DPA and the Terms and as initiated by the Customer in its use of the Services.
4 Type of Personal Data:
Types of Personal Data provided to the Processor via the provision of the Services by or at the direction of the Controller, including but not limited to contact data (such as email address, contact number, name or other contact details), marketing preferences, IP address and usage information (including online navigation data, location data and browser data).
5 Categories of Data Subjects:
Data subjects include the individuals about whom data is provided to the Processor via the Services by or at the direction of Controller or end-users of the Controller.
6 Sensitive Data (if applicable)
Dotdigital does not expect the Customer to upload or collect Sensitive Data in the Service. The Customer acknowledges and agrees that uploading Sensitive Data, including but not limited to special category data as defined under the GDPR and UK GDPR, health information, and financial information, may be prohibited, or require additional controls depending on the region the Customer operates in or the location of a Data Subject.
It is the sole responsibility of the Customer to ensure that they inform Dotdigital when any Sensitive Data is uploaded to the Service by sending an email to privacy@dotdigital.com and to comply with all applicable laws and regulations in the region the Customer operates in or the location of Data Subjects. This includes, but is not limited to, data protection laws, privacy regulations, and any other relevant legal requirements.