This Data Processing Addendum (DPA) applies when Toutmark processes personal data on behalf of a customer who is a data controller (or equivalent under applicable privacy laws). This DPA supplements the main Terms of Service and Privacy Policy.
1. Definitions
- Controller: The entity (you, the customer) that determines the purposes and means of personal data processing. You are the controller.
- Processor: Toutmark. We process personal data on your behalf, following your documented instructions.
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR, UK-GDPR, and CCPA.
- Processing: Any operation performed on personal data (collection, use, storage, analysis, transmission, deletion).
- Data Subject: The individual to whom personal data relates.
2. Scope
This DPA applies only to personal data that you provide to Toutmark as part of using the Service. It does NOT apply to data that Toutmark collects independently (e.g., website analytics, account sign-up data).
Data You Provide
You may provide Toutmark with:
- Website content and URLs (which may contain personal data about your customers, employees, or contacts)
- Brand materials and company information
- Prospect or customer lists (names, emails, companies)
- Login credentials for third-party platforms (e.g., WordPress, Shopify)
- Customer feedback, testimonials, or review data
3. Processing Instructions
Toutmark processes personal data only in accordance with your documented instructions, which are:
- Your online account settings and configuration
- Your selections and choices made in the dashboard
- The stated purpose of the Service (content optimization, review management, etc.)
- Any written instructions you provide to [email protected]
If you ask Toutmark to process personal data in a way that violates applicable law, we will inform you and decline to process it in that manner.
4. Duration & Retention
Toutmark processes personal data:
- During the subscription: While your account is active
- After cancellation: We delete your data within 30 days per our Privacy Policy, except where law requires retention (e.g., unsubscribe lists under CAN-SPAM)
- Retention windows: See Privacy Policy Section 4 for specific retention timelines by data category
5. Subprocessors
Toutmark engages subprocessors (third-party service providers) to process personal data on your behalf. The complete list is at toutmark.com/legal/subprocessors.
Notification: We will notify you at least 30 days before adding or removing a subprocessor and will provide you an opportunity to object.
Subprocessor Agreements: All subprocessors are bound by written agreements that require them to process personal data only as instructed and to maintain appropriate security measures.
6. International Data Transfers
Live Phase (US-only): All data processing occurs within the United States. No data is transferred outside the US in this phase.
Future Phases (EU/UK/Canada/Australia): When Toutmark expands internationally, we will implement appropriate transfer mechanisms, including:
- Standard Contractual Clauses (SCCs): For transfers to countries outside the EEA/UK with an adequacy decision
- Data Protection Framework (DPF): For transfers to the US (if Toutmark obtains DPF certification)
- Adequacy Decisions: Where a country has been deemed adequate by the EU Commission
7. Data Subject Rights Assistance
You have the right to request that we assist you in fulfilling data-subject requests (access, deletion, correction, portability, restriction) as required by GDPR, UK-GDPR, and CCPA. To exercise these rights on behalf of your data subjects:
Email: [email protected] with the subject "Data Subject Request"
Toutmark will respond within 30 days (or the legally required timeframe). We will assist you in fulfilling the request unless it is manifestly unfounded or excessive.
8. Data Breach Notification
If Toutmark becomes aware of a personal data breach affecting your data:
- We will notify you without unreasonable delay (as soon as practical, typically within 24–48 hours)
- Notification will include: nature of the breach, data affected, likely consequences, and remedial steps
- You remain responsible for notifying data subjects and supervisory authorities as required by law
Report a breach: [email protected]
9. Security Measures
Toutmark implements technical and organizational security measures, including:
- Encryption at rest: AES-256-GCM for OAuth tokens and sensitive credentials stored in Cloudflare KV
- Encryption in transit: TLS 1.2+ for all data transmission
- Access controls: Role-based access; only authorized personnel may access customer data
- Audit logging: All data access and modifications are logged
- Secure deletion: Data is securely overwritten or deleted per retention schedules
- Third-party infrastructure: Cloudflare provides DDoS protection, bot management, and firewall services
Security measures are reviewed quarterly and updated as needed to address emerging threats.
10. Audit Rights
You may request an audit of Toutmark's compliance with this DPA:
- Frequency: Once per 12 months
- Notice Required: Reasonable notice (at least 14 days)
- Cost: Reasonable cost only; we do not charge for compliance-related audits if conducted by an independent auditor under NDA
- Scope: Limited to data handling practices relevant to the Service
Request an audit by emailing [email protected].
11. Signatures & Acceptance
Digital Acceptance: This DPA is effective when you accept it by clicking "I agree" during account setup or by continuing to use the Service after this DPA becomes effective.
Written Signature: You may also execute this DPA by signing a hard copy and returning it to [email protected].
Customer
Company Name: _________________________ (as provided in account)
Authorized Signatory: _________________________ (if signed)
Date: _________________________ (if signed)
Toutmark
12. Amendments
Toutmark may amend this DPA to comply with changes in law or to improve data protection practices. Material changes will be communicated to you at least 30 days in advance. Continued use of the Service constitutes acceptance of amendments.
- v1.0 — April 23, 2026: Initial DPA (Live Phase, US-only)