Data Processing Agreement

Parties and Roles

For personal data processed through the CampaignHQ service:

• Customer acts as the controller (or equivalent) of personal data it uploads, collects, or otherwise provides for processing through the service.
• CampaignHQ acts as a processor (or service provider) and processes personal data only on the Customer's instructions to provide the service, as described in this DPA, the Terms of Service, and applicable product documentation.

Scope of Processing

Customer Data processed under this DPA may include:

• Customer account users and authorized team members.
• Uploaded contacts, leads, and subscriber lists.
• Email addresses, phone numbers, names, and company details.
• Campaign lists, segments, tags, and audience attributes.
• Campaign activity, delivery events, and engagement data.
• Unsubscribe, opt-out, and suppression records.
• Logs, diagnostics, and operational metadata related to the service.

CampaignHQ processes this data for the following purposes:

• Providing CampaignHQ services and platform functionality.
• Campaign sending, automation, and message delivery.
• Analytics, reporting, and performance measurement.
• Customer support and service communications.
• Security, fraud prevention, and abuse detection.
• Compliance with applicable legal obligations.
• Service improvement, reliability, and maintenance.

Customer Responsibilities

Customer is responsible for its use of the service and for Customer Data. Customer must:

• Ensure a valid lawful basis or consent exists for processing and communicating with contacts.
• Provide required privacy notices to contacts and data subjects.
• Comply with GDPR, CAN-SPAM, Indian privacy and communication laws, and other applicable regulations.
• Ensure uploaded data is accurate, current, and not obtained through prohibited means.
• Not upload purchased, scraped, rented, harvested, or non-permission-based contact lists.
• Not upload illegal content or sensitive data without proper authorization and safeguards.

CampaignHQ Responsibilities

CampaignHQ will:

• Process personal data only to provide the service and in accordance with customer instructions as reflected in the agreement and applicable order forms.
• Implement reasonable technical and organizational security measures.
• Restrict access to authorized personnel who need access to perform their duties.
• Reasonably assist customers with data subject access, correction, deletion, export, restriction, or objection requests where applicable.
• Notify customers of personal data breaches involving Customer Data without undue delay after becoming aware of such a breach.
• Use sub-processors as needed to provide the service, subject to the terms below.

Security Measures

CampaignHQ maintains reasonable technical and organizational measures designed to protect Customer Data, including:

• Role-based access controls and least-privilege access.
• Encryption in transit for data transmitted over networks.
• Encryption at rest where supported by infrastructure and service providers.
• Secure credential and secrets handling.
• Monitoring, logging, and alerting for operational and security events.
• Backup and recovery procedures.
• An incident response process for security events.
• Personnel access limitations for production systems and customer data.

No security measure is perfect. CampaignHQ does not guarantee absolute security.

Sub-processors

CampaignHQ may use trusted third-party sub-processors to host, deliver, secure, monitor, and support the service. Our current sub-processors are listed at /sub-processors.

CampaignHQ remains responsible for sub-processors used to provide the service. Customers may contact support@campaignhq.co with questions or objections regarding sub-processors.

International Transfers

CampaignHQ is operated from India and may transfer Customer Data to service providers in other countries. If Customer Data subject to GDPR is transferred outside the EEA, UK, or Switzerland, CampaignHQ will rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) where required.

Where required, the applicable Standard Contractual Clauses are incorporated by reference or made available upon request at support@campaignhq.co.

Data Subject Requests

CampaignHQ will reasonably assist Customer with access, correction, deletion, export, restriction, or objection requests from data subjects, to the extent CampaignHQ can do so through the service or its support processes. Customer is responsible for responding to data subject requests as the controller and for determining the appropriate lawful basis for any response.

Deletion and Return of Data

Upon termination of the service or upon Customer's written request, Customer may export or delete Customer Data through available service features. CampaignHQ will delete or return Customer Data within a reasonable period, unless retention is required by law or permitted under the Terms of Service.

Deleted data may persist in backups until normal backup expiry. CampaignHQ may retain minimal suppression or unsubscribe records as needed for compliance, deliverability, and opt-out enforcement.

Breach Notification

CampaignHQ will notify affected customers without undue delay after becoming aware of a personal data breach involving Customer Data. Notifications will include information reasonably available to CampaignHQ to help the Customer meet its obligations, where applicable.

Liability and Conflict

This DPA applies only where privacy laws require a data processing agreement between controller and processor (or equivalent roles). If there is a conflict between the Terms of Service and this DPA regarding the processing of personal data, this DPA controls for personal data processing matters.

Liability limits and disclaimers in the Terms of Service apply to this DPA, except where prohibited by applicable law.

Contact Us

Questions about this DPA can be sent to support@campaignhq.co.

Related Documents

• Privacy Policy
• Terms of Service
• Sub-processors