Data processing agreement

Buttondown's data processing agreement ("DPA")

This Data Processing Agreement ("DPA") is entered into between Buttondown ("Data Processor") and the Customer ("Data Controller") and forms part of the Agreement for the provision of services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. Scope and Purpose

2.1 This DPA applies to all Processing of Personal Data by the Data Processor on behalf of the Data Controller in connection with the services provided.

2.2 The Data Processor shall Process Personal Data only for the purpose of providing the agreed services and in accordance with the Data Controller's documented instructions.

3. Data Processor Obligations

The Data Processor shall:

3.1 Process Personal Data only on documented instructions from the Data Controller.

3.2 Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.

3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

3.4 Not engage another processor without prior specific or general written authorization of the Data Controller.

3.5 Assist the Data Controller in responding to requests for exercising Data Subject rights.

3.6 Delete or return all Personal Data to the Data Controller after the end of the provision of services.

3.7 Make available to the Data Controller all information necessary to demonstrate compliance with obligations.

4. Security Measures

4.1 The Data Processor shall implement and maintain appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Regular backups and disaster recovery procedures
  • Employee training on data protection

5. Sub-processors

5.1 The Data Controller provides general authorization for the Data Processor to engage sub-processors.

5.2 The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors.

5.3 The Data Processor shall ensure sub-processors are bound by data protection obligations no less protective than those in this DPA.

5.4 A current list of sub-processors is maintained at buttondown.com/legal/subprocessors.

6. Data Subject Rights

6.1 The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to Data Subject requests including:

  • Access to Personal Data
  • Rectification or erasure of Personal Data
  • Restriction of Processing
  • Data portability
  • Objection to Processing

7. Data Breach Notification

7.1 The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data breach.

7.2 The notification shall include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. International Transfers

8.1 The Data Controller acknowledges that the Data Processor is based in the United States and that Personal Data will be transferred to and processed in the United States in connection with the provision of the services.

8.2 The Data Processor shall ensure that any such transfers are supported by appropriate safeguards as required by Chapter V of the GDPR, including the EU Standard Contractual Clauses where applicable.

8.3 The Data Processor shall not transfer Personal Data to any other country outside the EEA without ensuring appropriate safeguards are in place.

9. Audit and Inspection

9.1 The Data Processor shall make available all information necessary to demonstrate compliance.

9.2 The Data Controller may conduct audits, including inspections, with reasonable notice.

10. Liability and Indemnification

10.1 Each party shall be liable for its own compliance with data protection laws.

10.2 The Data Processor shall indemnify the Data Controller for damages arising from the Data Processor's breach of this DPA.

11. Term and Termination

11.1 This DPA shall remain in effect for the duration of the Agreement.

11.2 Upon termination, the Data Processor shall, at the Data Controller's option, delete or return all Personal Data.

12. Governing Law

12.1 This DPA shall be governed by the laws of the United States and subject to the exclusive jurisdiction of the courts of the United States.

12.2 To the extent that the GDPR or other applicable data protection laws of the European Economic Area, the United Kingdom, or Switzerland impose obligations on the Processing of Personal Data under this DPA, those obligations shall take precedence over any conflicting provision of this DPA or the governing law specified above.

Annex 1: Processing Details

The following details describe the Processing activities carried out under this DPA, as required by Article 28(3) of the GDPR.

  • Subject matter: Processing of Personal Data in connection with the provision of Buttondown's email newsletter and subscription management services
  • Duration: For the duration of the service agreement between the Data Controller and the Data Processor
  • Nature and purpose of Processing: Newsletter delivery, subscription management, analytics on email engagement (opens, clicks), and payment processing for paid subscriptions
  • Types of Personal Data: Email addresses, IP addresses, referrer metadata, subscription timestamps, and (for paid subscriptions) billing contact name and billing address via Stripe
  • Categories of Data Subjects: Newsletter subscribers (including EU-based individuals), newsletter authors (Data Controller's authorized users)

Metadata

  • Last updated: 2026-03-16
  • First published: 2025-07-05

Contact Information

  • Data Protection Officer: support@buttondown.com
  • Privacy Inquiries: support@buttondown.com

Contact Us

Buttondown, LLC

406 W Franklin St. #201
Richmond, VA 23221
United States