Data Processing Agreement

Last updated: January 17, 2026


1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between MSC Marketing Ltd ("Processor" or "we") and the customer ("Controller" or "you") for the provision of email marketing services.

This DPA reflects the parties' agreement with respect to the processing of personal data in accordance with the requirements of Data Protection Legislation, including the UK GDPR and EU GDPR.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Protection Legislation" means UK GDPR, EU GDPR, and any applicable data protection laws.

3. Scope of Processing

3.1 Subject Matter

The Processor will process Personal Data to provide email marketing services as described in the main service agreement.

3.2 Nature and Purpose

  • Storing and managing contact lists
  • Sending email campaigns on behalf of the Controller
  • Tracking email engagement metrics
  • Providing analytics and reporting
  • Processing automation workflows

3.3 Types of Personal Data

  • Email addresses
  • Names and contact information
  • Engagement data (opens, clicks)
  • Custom fields defined by the Controller

3.4 Categories of Data Subjects

  • Email subscribers of the Controller
  • Customers of the Controller
  • Leads and prospects

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process data are committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage Sub-processors only with prior authorization
  • Assist the Controller with Data Subject requests
  • Assist with security, breach notification, and impact assessments
  • Delete or return Personal Data upon termination
  • Provide information to demonstrate compliance

5. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for system access
  • Regular security assessments and penetration testing
  • Access logging and monitoring
  • Employee background checks and training
  • Incident response procedures
  • Regular backups with secure storage
  • Physical security for data centers

6. Sub-processors

The Controller authorizes the use of Sub-processors listed below. The Processor will notify the Controller of any changes to Sub-processors:

Sub-processor        Purpose             Location
Amazon Web Services  Cloud hosting       EU (Ireland)
Google Cloud         AI processing       EU (Belgium)
Stripe               Payment processing  USA (with SCCs)
SendGrid             Email delivery      USA (with SCCs)

7. International Transfers

For transfers of Personal Data outside the EEA/UK, the Processor will ensure appropriate safeguards through:

  • Standard Contractual Clauses (Module 2: Controller to Processor)
  • Supplementary measures where required
  • Transfer Impact Assessments

8. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests, including:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Portability requests
  • Objection to processing
  • Restriction of processing

9. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay (within 48 hours)
  • Provide details of the breach and affected data
  • Describe measures taken or proposed to address the breach
  • Assist the Controller in meeting notification obligations

10. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and allow for audits conducted by the Controller or an authorized auditor.

11. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • The Controller may request return or deletion of Personal Data
  • The Processor shall delete all Personal Data within 90 days
  • Backup copies will be deleted according to retention schedules

12. Contact

For questions about this DPA:

  • Email: dpo@mscmarketing.com
  • Address: MSC Marketing Ltd, 123 Marketing Street, London, EC1A 1BB, United Kingdom