Data Processing Agreement
Effective Date: May 30, 2025
Version: 1.0 (May 2025)
This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service ("ToS") between CommsOK, Inc., a Delaware corporation doing business in Washington State ("Processor" or "CommsOK"), and the entity identified in the applicable order, quote, or online sign‑up that references the ToS ("Controller" or "Customer").
A. Context & Approach
- CommsOK is an early‑stage B2B SaaS provider whose initial customer base and processing operations are located primarily in the United States.
- Certain clauses in this DPA derive from laws such as the European Union General Data Protection Regulation 2016/679 ("GDPR") and the United Kingdom GDPR. Those clauses apply only where and to the extent such legislation governs the Processing of Customer Personal Data.
- CommsOK intends to expand its compliance posture as its operations grow and does not hereby represent that it is presently subject to the full scope of the GDPR.
1. Definitions
Unless otherwise defined in the ToS, capitalised terms have the meanings below:
- "Applicable Data Protection Law" means all data‑protection and privacy laws and regulations that apply to the Processing of Customer Personal Data under the Agreement, which may include, where relevant to the specific Processing, the GDPR, the UK GDPR, the California Consumer Privacy Rights Act (CPRA), and any implementing or supplemental legislation.
- "Customer Personal Data" means any Personal Data of Data Subjects processed by CommsOK on behalf of Customer under the Agreement.
- "Standard Contractual Clauses" or "SCCs" means, where required for a given transfer, the clauses adopted by the European Commission under Decision (EU) 2021/914 (module 2, Controller → Processor) and/or the UK International Data Transfer Addendum.
- "Technical and Organisational Measures" or "TOMs" means the security measures described in Annex II.
Terms such as Processing, Personal Data, and Data Subject have the meanings given in Applicable Data Protection Law.
2. Subject‑Matter & Duration
Subject‑Matter. Processing of email engagement metrics and related data to provide CommsOK's email‑hygiene analytics platform.
Duration. This DPA applies for the Subscription Term set out in the ToS and for any additional retention period specified by Customer or required by Applicable Data Protection Law, until deletion or return of the data under §11.
3. Nature & Purpose of Processing
CommsOK will Process Customer Personal Data solely to:
- ingest, analyse, and report on email delivery and engagement;
- provide, maintain, and secure the Services;
- act on documented instructions from Customer; and
- comply with Applicable Data Protection Law.
Processing operations include collection, recording, organisation, storage, retrieval, analysis, aggregation, pseudonymisation, deletion, and destruction.
4. Data Categories
| Type | Details |
|---|---|
| Personal‑Data Categories | email addresses; engagement events (opens, clicks, bounces, complaints, unsubscribes); sender identifiers & metadata (IP address, domain); usage telemetry tied to the foregoing |
| Data‑Subject Categories | end‑recipients of Customer emails (prospects, customers, subscribers); Customer personnel whose business email addresses are processed |
CommsOK does not intentionally collect special categories of data.
5. Processor Obligations
CommsOK shall:
- Process on Instructions. Process Customer Personal Data solely on Controller's documented instructions, including the ToS and this DPA.
- Confidentiality. Ensure authorised personnel are subject to confidentiality obligations.
- Security. Implement and maintain the TOMs in Annex II.
- Sub‑Processors. Engage sub‑processors only under §6.
- Data‑Subject Rights. To the extent required by Applicable Data Protection Law (e.g., where GDPR Ch. III applies), assist Controller with Data‑Subject requests using appropriate technical and organisational measures.
- Privacy Impact Assessments. Provide reasonable assistance with data‑protection impact assessments or consultations where legally required.
- Incidents. Notify Controller without undue delay after becoming aware of a Personal‑Data Breach and, where Applicable Data Protection Law prescribes a specific deadline (e.g., 72 hours under GDPR), comply with that requirement.
- Records & Compliance. Maintain records of Processing activities as required by Applicable Data Protection Law and make them available on request.
6. Sub‑Processors & On‑Boarding
- Authorised Sub‑Processors (as of the Effective Date):
  - Google Cloud Platform (us‑west‑2) – hosting & storage
  - Vercel – application hosting & CDN
  - Clerk – authentication & identity management
  - Stripe – billing
- Ongoing List. Current sub‑processors are listed at commsok.com/legal/sub‑processors.
- Changes. CommsOK will give at least 30 days' notice of new sub‑processors. Customer may object on reasonable privacy or security grounds; the parties will work in good faith to resolve objections.
- Flow‑Down. Each sub‑processor contract will impose data‑protection obligations substantially similar to this DPA.
7. International Transfers
Customer Personal Data is hosted in the United States. Where Customer Personal Data originates from the European Economic Area, Switzerland, or the United Kingdom and is transferred to a country without an adequacy decision, CommsOK will ensure the transfer is protected by:
- the SCCs (module 2) and/or the UK Addendum if and to the extent legally required; and
- the supplementary measures described in Annex II.
8. Audit & Inspection
With at least 30 days' written notice, and no more than once every 12 months (unless a Supervisory Authority requires otherwise or following a breach), Customer may audit CommsOK's compliance with this DPA by:
- reviewing third‑party certifications or audit reports (e.g., SOC 2 Type I); or
- conducting a mutually agreed remote or on‑site review, subject to reasonable confidentiality and security controls.
9. Confidentiality
All Customer Personal Data and audit information are Confidential Information under the ToS. Each party shall protect such information with at least the same degree of care it uses for its own confidential information.
10. Assistance to Controller
CommsOK will provide reasonable assistance, commensurate with its role as Processor and taking into account the nature of the Processing, to help Controller comply with its obligations under Applicable Data Protection Law, including security, breach notifications, and, where required, data‑protection impact assessments.
11. Deletion or Return
Upon termination or expiry of the Services, Controller may elect to:
- Return then Delete. Receive Customer Personal Data in a commonly used format, after which CommsOK will delete all live copies within 30 days; or
- Direct Deletion. Instruct CommsOK to delete all Customer Personal Data within 30 days.
Where deletion is infeasible or prohibited by law, CommsOK will continue to protect the data under this DPA.
12. Liability
Each party's aggregate liability arising from this DPA is limited as set out in the ToS. No provision of this DPA limits liability where such limitation is prohibited by Applicable Data Protection Law.
13. Governing Law
Except as provided in Annex III (SCCs), this DPA is governed by the law and venue specified in the ToS. In the event of conflict between this DPA and the ToS on data‑protection matters, this DPA controls.
Annex I – Details of Processing
| Item | Description |
|---|---|
| Controller | Customer identified in the Order Form, Quote, or online sign‑up |
| Processor | CommsOK, Inc., 2265 116th Ave NE, Suite 110, Bellevue, WA 98004, USA |
| Subject‑Matter | Processing of email engagement metrics |
| Duration | Term of ToS + Customer‑selected retention or default 24 months |
| Nature & Purpose | Provide email‑hygiene analytics; secure & improve the Services |
| Types of Data | Email addresses; engagement events; sender identifiers |
| Data‑Subject Categories | Email recipients; Customer personnel |
Annex II – Technical & Organisational Measures
CommsOK maintains (and is continually enhancing) an information‑security programme aligned with recognised frameworks such as ISO 27001 and NIST CSF. Current key controls include:
- Policies & Governance – documented security and acceptable‑use policies; roles and responsibilities defined; policy review at least annually.
- Access Management – role‑based access, enforced multi‑factor authentication, and periodic (at least semi‑annual) access reviews.
- Encryption – TLS 1.2+ for data in transit; encryption at rest (AES‑256 or provider‑managed equivalent) for primary data stores and backups.
- Asset & Configuration Management – inventory of production assets; infrastructure as code for repeatable deployments; baseline hardening.
- Vulnerability & Patch Management – monthly OS patching schedule; automated dependency scanning; external vulnerability scans at least quarterly.
- Monitoring & Logging – centralised logging of security‑relevant events; alert thresholds for anomalous activity; incident response procedures.
CommsOK, Inc.
2265 116th Ave NE, Suite 110
Bellevue, WA 98004
USA
This Data Processing Agreement is version 1.0 (May 2025) and applies to all Customer Personal Data processed by CommsOK, Inc.