This Data Processing Addendum ("DPA") forms part of the Master Service Agreement or Terms of Service (the "Agreement") between ER-Media LTD (trading as "Gro") ("Gro") and the entity agreeing to these terms ("Customer" or "Merchant").
1. Definitions
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU GDPR, the UK GDPR, and the CCPA/CPRA.
"Personal Data" means any information relating to an identified or identifiable natural person processed by Gro on behalf of the Customer.
"Controller" refers to the Customer/Merchant.
"Processor" refers to Gro (ER-Media LTD).
2. Scope and Role
2.1 Roles: The parties acknowledge that for the purposes of the Services, Customer is the Controller and Gro is the Processor of Customer Personal Data.
2.2 Instructions: Gro shall process Personal Data only on the documented instructions of the Customer, including with regard to transfers of personal data to a third country, unless required to do so by law.
3. Gro's Obligations
3.1 Confidentiality: Gro ensures that persons authorized to process the personal data have committed themselves to confidentiality.
3.2 Security: Gro shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption and access controls.
3.3 Data Subject Rights: Gro shall assist the Customer, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising the data subject's rights (e.g., access or deletion requests).
3.4 Personal Data Breach: Gro shall notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach.
4. Sub-processors
4.1 General Authorization: Customer provides a general authorization for Gro to engage sub-processors. Gro's current sub-processors are listed in Schedule 3.
4.2 Notification: Gro shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.
4.3 Sub-processor Agreements: Where Gro engages a sub-processor, Gro shall impose data protection terms on the sub-processor that provide at least the same level of protection for Personal Data as those in this DPA.
5. International Transfers
Gro shall not transfer Personal Data outside of the EEA/UK unless adequate safeguards are in place (e.g., Standard Contractual Clauses) as required by Data Protection Laws.
6. Audits
Gro shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer.
7. Term and Termination
7.1 This DPA shall remain in effect for as long as Gro processes Personal Data on behalf of the Customer.
7.2 Upon termination of the Agreement, Gro shall, at the choice of the Customer, delete or return all Personal Data to the Customer, and delete existing copies unless storage is required by law.
Schedule 1: Details of Processing
Subject Matter: Provision of email marketing and subscription management services.
Duration: For the term of the Agreement.
Nature and Purpose: To send marketing communications, manage subscriptions, and analyze engagement on behalf of the Customer.
Type of Personal Data: Contact information (email, name), purchase history, browsing behavior, subscription details.
Categories of Data Subjects: End-customers of the Merchant.
Schedule 2: Security Measures
- Encryption of data in transit and at rest.
- Access controls and authentication mechanisms.
- Regular security testing and vulnerability assessments.
- Incident response procedures.
Schedule 3: Sub-processors
Current sub-processors include:
Cloud Hosting: Amazon Web Services (AWS) — EU/US regions
Email Delivery: Amazon Web Services (AWS) / SendGrid
Payment Processing: Stripe EU
An updated list of sub-processors may be requested at any time by contacting privacy@usegro.co.