Data Processing Agreement

1. Definitions

Terms used in this DPA have the meanings set forth in the GDPR. Specifically:

• "Personal Data" means any information relating to an identified or identifiable natural person processed via Ploncker
• "Data Controller" means the Customer who determines the purposes and means of processing Personal Data
• "Data Processor" means Ploncker, which processes Personal Data on behalf of the Data Controller
• "Sub-processor" means any third party engaged by Ploncker to process Personal Data
• "Data Subject" means the individuals whose Personal Data is processed (your contacts/subscribers)
• "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation)

2. Scope & Applicability

Hosted Service Only

This DPA applies ONLY to customers using Ploncker's hosted service (ploncker.com). Cloud hosted deployments are NOT covered by this DPA - you are solely responsible for GDPR compliance when our managed cloud.

Agreement Hierarchy

This DPA supplements the Ploncker Terms of Service and Privacy Policy. In case of conflict regarding data processing:

1. This DPA takes precedence
2. Then the Terms of Service
3. Then the Privacy Policy

Acceptance

By using Ploncker's hosted service, you acknowledge that you have read, understood, and agree to be bound by this DPA. This constitutes a legally binding agreement between Customer and Ploncker.

3. Processing Details

As required by GDPR Article 28(3), the following details describe the processing activities:

Subject Matter

Processing of Personal Data necessary to provide email automation, transactional email, marketing campaigns, and workflow automation services.

Duration

Processing occurs for the duration of your Ploncker subscription/account, plus 30 days for API logs (which are automatically deleted), and until you request account deletion.

Nature & Purpose

• Storing and managing contact databases
• Sending transactional, marketing, and workflow-triggered emails
• Tracking email delivery, opens, clicks, bounces, and complaints (per your settings)
• Managing email templates and automation workflows
• Processing email events and webhooks
• Providing analytics and reporting

Type of Personal Data

• Email addresses (required)
• Names and custom contact fields (optional, Customer-defined)
• Email content (subject lines, message bodies, attachments)
• Subscription status and preferences
• Email activity data (opens, clicks, bounces, complaints)
• Timestamps and metadata

Categories of Data Subjects

• Customer's email subscribers and contacts
• Recipients of transactional emails
• Marketing campaign recipients
• Workflow automation recipients

4. Data Processor Obligations

Ploncker commits to the following obligations as Data Processor:

Processing Instructions

• Process Personal Data only on documented instructions from Customer (via API, dashboard, etc.)
• Not process Personal Data for any other purpose without Customer's prior written consent
• Immediately inform Customer if instructions violate GDPR or other EU data protection laws

Confidentiality

• Ensure persons authorized to process Personal Data are bound by confidentiality obligations
• Maintain confidentiality of all Personal Data processed via Ploncker
• Not disclose Personal Data to third parties except as required by law or with Customer consent

Cooperation

• Assist Customer in responding to Data Subject rights requests (see Section 7)
• Assist Customer in ensuring compliance with GDPR security, breach notification, and impact assessment obligations
• Provide information necessary to demonstrate compliance with Article 28

5. Security Measures

As required by GDPR Article 32, Ploncker implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

Technical Safeguards

• Industry-standard password hashing (never stored in plaintext)
• HTTPS-only API access (TLS 1.2+)
• Database connections encrypted via TLS/SSL
• HttpOnly, secure cookies with appropriate SameSite settings
• Authentication tokens with limited expiration periods
• Rate limiting to prevent brute force attacks

Organizational Safeguards

• Access controls limiting personnel access to Personal Data
• Automated bounce and complaint rate monitoring
• Regular security updates and patching
• Data segregation by project (multi-tenancy with isolation)

Data Residency

• Primary data storage: EU/EEA (Hetzner infrastructure)
• Database and file storage remain within EU/EEA
• Email delivery may transit non-EU regions (see Section 9)

6. Sub-Processors

Customer authorizes Ploncker to engage the following sub-processors to process Personal Data:

Sub-Processor Obligations

• All sub-processors are bound by data protection obligations equivalent to this DPA
• Ploncker remains fully liable to Customer for sub-processor performance
• Sub-processors have executed Data Processing Agreements with Ploncker

Changes to Sub-Processors

• Ploncker will provide 30 days advance notice of new or replacement sub-processors via email
• Notice will be sent to the email address associated with your account
• If you object on reasonable grounds related to data protection, you may terminate your account within 30 days
• Updated sub-processor list will be maintained on this page (check "Last Updated" date)

7. Data Subject Rights

Ploncker will assist Customer in fulfilling Data Subject rights requests under GDPR Articles 15-22:

Self-Service via API

Customer can fulfill most Data Subject requests independently via API:

• Access (Art. 15): Retrieve contact data via GET /contacts/:id
• Rectification (Art. 16): Update contact data via PATCH /contacts/:id
• Erasure (Art. 17): Delete contact via DELETE /contacts/:id
• Restriction (Art. 18): Update subscription status to "unsubscribed"
• Portability (Art. 20): Use API to access data in JSON format

Assistance from Ploncker

If Customer cannot fulfill a request via API, contact legal@ploncker.com:

• Provide Data Subject's email address and nature of request
• Ploncker will respond within 10 business days with requested information or assistance
• Customer remains responsible for verifying Data Subject identity before disclosing information

Email Activity Data

• Email opens, clicks, bounces, and complaints are linked to contact records
• Deleting a contact will cascade delete associated email activity
• API logs (non-Personal Data) are automatically deleted after 30 days

8. Data Breach Notification

Notification Obligation

In the event of a Personal Data breach affecting Customer data, Ploncker will:

• Notify Customer without undue delay and within 72 hours of becoming aware of the breach (per GDPR Art. 33)
• Send notification to the primary email address associated with Customer's account
• Provide information to enable Customer to meet any GDPR breach reporting obligations

Breach Information

Notifications will include (to the extent known):

• Nature of the breach (what happened)
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate harm
• Contact point for more information (legal@ploncker.com)

Customer Responsibility

• Customer is responsible for notifying their supervisory authority if required by GDPR Art. 33
• Customer is responsible for notifying affected Data Subjects if required by GDPR Art. 34
• Ploncker's breach notification to Customer does NOT constitute legal or compliance advice

9. International Data Transfers

Primary Storage (EU/EEA)

• All contact data, templates, workflows, and account data stored in EU/EEA (Hetzner, Germany)
• No routine transfers of stored Personal Data outside EU/EEA

Data in Transit (Email Delivery)

When emails are sent to recipients, Personal Data may transit through non-EU regions:

• AWS SES processes emails globally for delivery purposes
• Data is in transit only (not stored long-term outside EU/EEA)
• Protected by AWS Data Processing Agreement and Standard Contractual Clauses (SCCs)

Payment Data (Stripe)

• Payment information (credit cards) processed by Stripe (USA-based)
• Stripe is PCI-DSS Level 1 certified
• Protected by Stripe's Data Processing Agreement and Standard Contractual Clauses
• Ploncker does NOT store credit card numbers (tokenized by Stripe)

Standard Contractual Clauses

All sub-processors that process Personal Data outside EU/EEA have executed Standard Contractual Clauses (SCCs) approved by the European Commission, providing appropriate safeguards for international transfers per GDPR Article 46.

10. Audits & Compliance

Information Provision

Ploncker will make available to Customer information necessary to demonstrate compliance with GDPR Article 28 obligations, including:

• This DPA (publicly available)
• Privacy Policy describing processing activities
• Sub-processor list (Section 6 above)
• Security measures documentation (available upon reasonable request)

Audit Rights

Customer may audit Ploncker's compliance with this DPA, subject to the following:

• Audits limited to once per year unless required by supervisory authority
• Request must be submitted in writing to legal@ploncker.com with 30 days notice
• Audits must be conducted by independent third-party auditors bound by confidentiality
• Audits conducted during business hours with minimal disruption to operations
• Customer bears all costs of audit
• Audit scope limited to GDPR compliance (not general security assessments)

Alternative to Audits

In lieu of conducting a full audit, Customer may request and review sub-processor certifications and compliance documentation (SOC 2, ISO 27001, etc.) where available.

11. Data Deletion & Return

Account Deletion

When Customer deletes their Ploncker account (via dashboard or by request):

• All Personal Data is immediately deleted from production systems
• No grace period or recovery window (deletion is permanent)
• Customer should access or backup data via API before deletion (Ploncker does NOT provide data export)
• Deletion includes: contacts, emails, templates, workflows, campaigns, and email activity

Backup Retention

• Deleted data may remain in encrypted backups for up to 30 days for disaster recovery purposes
• Backup data is not accessible or restorable after account deletion
• Backups are automatically overwritten after retention period

Legal Retention

Ploncker may retain certain data if required by law (e.g., accounting records, fraud prevention):

• Billing records: Retained per tax/accounting laws (typically 7 years)
• Fraud/abuse records: Retained for security purposes (email addresses of suspended accounts)
• Legal requests: Data subject to legal holds retained as required by law

No Data Return

Ploncker does NOT provide data export or return upon termination. Customer must retrieve data via API before deleting account. Once deleted, data cannot be recovered.

12. Liability & Indemnification

Customer Responsibilities

Customer (Data Controller) is responsible for:

• Ensuring lawful basis for processing under GDPR (consent, contract, legitimate interest, etc.)
• Obtaining necessary consents from Data Subjects before adding them to Ploncker
• Providing privacy notices to Data Subjects per GDPR Article 13/14
• Complying with anti-spam laws (CAN-SPAM, CASL, GDPR, etc.)
• Verifying Data Subject identity before fulfilling rights requests
• Notifying supervisory authorities and Data Subjects of breaches where required

Ploncker's Liability

• Ploncker is liable to Customer for compliance with this DPA and GDPR Article 28 obligations
• Ploncker is liable for sub-processor acts/omissions to the same extent as its own acts
• Liability limitations in Terms of Service apply, except where prohibited by GDPR (particularly Art. 82)

Indemnification

• Customer indemnifies Ploncker for claims arising from Customer's violation of GDPR or data protection laws
• Ploncker indemnifies Customer for claims arising solely from Ploncker's breach of this DPA or GDPR Article 28

GDPR Fines

Under GDPR Article 82(3), liability for damages is allocated between Controller and Processor based on fault. Each party is liable only for the damage caused by its own GDPR violation.

13. Term & Termination

Effective Date

This DPA is effective as of the date you first use Ploncker's hosted service and remains in effect for the duration of the Terms of Service.

Termination

This DPA terminates automatically when:

• Customer deletes their Ploncker account
• Terms of Service are terminated
• All Personal Data has been deleted per Section 11

Survival

Obligations regarding confidentiality, data deletion, and liability survive termination to the extent necessary to fulfill their purpose.

DPA Updates

• Ploncker may update this DPA to reflect changes in law, sub-processors, or processing activities
• Material changes will be notified via email 30 days in advance
• Continued use of Ploncker after changes constitutes acceptance
• Check "Last Updated" date at top of page for version tracking