This Data Processing Agreement ("DPA") is entered into between Buttondown, LLC ("Data Processor") and the Customer ("Data Controller") and forms part of the Agreement for the provision of services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Data Subject" means the individual to whom Personal Data relates.
- "Agreement" means the terms of service or other agreement between the parties under which the Data Processor provides services to the Data Controller.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose
2.1 This DPA applies to all Processing of Personal Data by the Data Processor on behalf of the Data Controller in connection with the services provided.
2.2 The Data Processor shall Process Personal Data only for the purpose of providing the agreed services and in accordance with the Data Controller's documented instructions.
3. Data Processor Obligations
The Data Processor shall:
3.1 Process Personal Data only on documented instructions from the Data Controller.
3.2 Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
3.4 Not engage another processor without prior specific or general written authorization of the Data Controller.
3.5 Assist the Data Controller in responding to requests for exercising Data Subject rights.
3.6 Delete or return all Personal Data to the Data Controller after the end of the provision of services.
3.7 Make available to the Data Controller all information necessary to demonstrate compliance with obligations.
4. Security Measures
4.1 The Data Processor shall implement and maintain appropriate technical and organizational measures including:
- Encryption of Personal Data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Regular backups and disaster recovery procedures
- Employee training on data protection
5. Sub-processors
5.1 The Data Controller provides general authorization for the Data Processor to engage sub-processors.
5.2 The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, providing at least 30 days' notice. The Data Controller may object to the change within that period. If the Data Controller objects on reasonable grounds relating to data protection, the parties shall discuss the concern in good faith; if no resolution is reached, the Data Controller may terminate the affected services without penalty.
5.3 The Data Processor shall ensure sub-processors are bound by data protection obligations no less protective than those in this DPA.
5.4 A current list of sub-processors is maintained at buttondown.com/legal/subprocessors.
6. Data Subject Rights
6.1 The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to Data Subject requests including:
- Access to Personal Data
- Rectification or erasure of Personal Data
- Restriction of Processing
- Data portability
- Objection to Processing
7. Personal Data Breach Notification
7.1 The Data Processor shall notify the Data Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach.
7.2 The notification shall include:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. International Transfers
8.1 The Data Controller acknowledges that the Data Processor is based in the United States and that Personal Data will be transferred to and processed in the United States in connection with the provision of the services.
8.2 To the extent that the Processing of Personal Data involves a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, the parties agree that the transfer shall be governed by the Standard Contractual Clauses issued by the European Commission pursuant to Implementing Decision (EU) 2021/914 ("SCCs"), Module 2 (Controller to Processor). By entering into this DPA, the parties are deemed to have executed the SCCs, which are hereby incorporated by reference into this DPA.
8.3 The SCCs shall be completed as follows:
- Clause 7 (Docking clause): The optional docking clause shall apply, allowing additional parties to accede to the SCCs.
- Clause 9(a) (Use of sub-processors): Option 2 (General written authorization) shall apply. The notice and objection procedure is as set out in Section 5.2 of this DPA.
- Clause 11 (Redress): The optional clause on independent dispute resolution shall not apply.
- Clause 17 (Governing law): Option 1 shall apply, and the SCCs shall be governed by the law of the EU Member State in which the Data Controller is established.
- Clause 18(b) (Choice of forum): Disputes shall be resolved before the courts of the EU Member State in which the Data Controller is established.
8.4 The annexes to the SCCs are completed in Annex B of this DPA.
8.5 In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail to the extent of the conflict.
8.6 For transfers from the United Kingdom, the SCCs shall apply as supplemented by the UK Addendum to the EU Standard Contractual Clauses (issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018). For transfers from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection Act.
8.7 The Data Processor shall not transfer Personal Data to any other country outside the EEA without ensuring appropriate safeguards are in place.
9. Audit and Inspection
9.1 The Data Processor shall make available all information necessary to demonstrate compliance.
9.2 The Data Controller may conduct audits, including inspections, no more than once per calendar year, during normal business hours, and with at least 30 days' prior written notice. Audits shall be conducted at the Data Controller's expense and shall not unreasonably interfere with the Data Processor's operations.
10. Liability and Indemnification
10.1 Each party shall be liable for its own compliance with data protection laws.
10.2 The Data Processor shall indemnify the Data Controller for damages arising from the Data Processor's breach of this DPA.
11. Term and Termination
11.1 This DPA shall remain in effect for the duration of the Agreement.
11.2 Upon termination, the Data Processor shall, at the Data Controller's option, delete or return all Personal Data.
12. Governing Law
12.1 Except as provided in Section 8 (International Transfers), this DPA shall be governed by the laws of the United States and subject to the exclusive jurisdiction of the courts of the United States.
12.2 To the extent that the GDPR, the Standard Contractual Clauses incorporated under Section 8, or other applicable data protection laws of the European Economic Area, the United Kingdom, or Switzerland impose obligations on the Processing of Personal Data under this DPA, those obligations shall take precedence over any conflicting provision of this DPA or the governing law specified above.
Annex A: Processing Details
The following details describe the Processing activities carried out under this DPA, as required by Article 28(3) of the GDPR.
| Detail | Description |
|---|---|
| Subject matter | Processing of Personal Data in connection with the provision of Buttondown's email newsletter and subscription management services |
| Duration | For the duration of the service agreement between the Data Controller and the Data Processor |
| Nature and purpose of Processing | Newsletter delivery, subscription management, analytics on email engagement (opens, clicks), and payment processing for paid subscriptions |
| Types of Personal Data | Email addresses, IP addresses, referrer metadata, subscription timestamps, and (for paid subscriptions) billing contact name and billing address via Stripe |
| Categories of Data Subjects | Newsletter subscribers (including EU-based individuals), newsletter authors (Data Controller's authorized users) |
Annex B: Standard Contractual Clauses — Required Annexes
The following annexes complete the Standard Contractual Clauses incorporated under Section 8 of this DPA.
Annex I
A. List of Parties
Data Exporter (Controller): The Customer, as identified in the Agreement. Contact details, data protection officer, and activities relevant to the transfer are as specified in the Agreement or as otherwise communicated to the Data Processor.
Data Importer (Processor): Buttondown, LLC. Contact: support@buttondown.com. Activities relevant to the transfer: provision of email newsletter and subscription management services as described in this DPA.
B. Description of Transfer
The description of the transfer is as set out in Annex A (Processing Details) of this DPA, including the categories of data subjects, types of personal data, nature and purpose of processing, and duration of processing.
Sensitive data transferred: None, unless the Data Controller includes sensitive data in newsletter content, in which case the Data Controller is responsible for ensuring a lawful basis and applying appropriate restrictions.
Frequency of transfer: Continuous, for the duration of the Agreement.
C. Competent Supervisory Authority
The competent supervisory authority shall be the supervisory authority of the EU Member State in which the Data Controller is established, or, where the Data Controller is not established in the EU, the supervisory authority of the EU Member State where the Data Controller's EU representative is appointed pursuant to Article 27(1) of the GDPR.
Annex II: Technical and Organizational Measures
The Data Processor implements the following technical and organizational measures to ensure the security of Personal Data:
- Encryption: Personal Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access controls: Role-based access control with the principle of least privilege. Administrative access requires multi-factor authentication.
- Infrastructure security: Services are hosted on Heroku (Salesforce) and Amazon Web Services, both of which maintain SOC 2 Type II and ISO 27001 certifications.
- Monitoring and logging: Security events are logged and monitored. Anomaly detection is in place for unauthorized access attempts.
- Incident response: A documented incident response plan is maintained, with breach notification procedures as described in Section 7 of this DPA.
- Data minimization: Only Personal Data necessary for the provision of services is collected and processed.
- Employee security: Personnel with access to Personal Data are subject to confidentiality obligations and receive data protection training.
- Backup and recovery: Regular automated backups with tested recovery procedures.
- Vendor security: Sub-processors are assessed for adequate security measures before engagement (see sub-processor list at buttondown.com/legal/subprocessors).
Annex III: List of Sub-processors
The current list of sub-processors is maintained at buttondown.com/legal/subprocessors and is incorporated here by reference.
| Metadata | Value |
|---|---|
| Last updated | 2026-03-17 |
| First published | 2025-07-05 |

| Contact Information | Email |
|---|---|
| Data Protection Officer | support@buttondown.com |
| Privacy Inquiries | support@buttondown.com |