This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you and Borak Solutions LLC and is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This DPA applies to all processing of personal data by Borak Solutions LLC on behalf of the Customer.
1. Parties and Scope
This DPA is entered into between:
- Data Controller (“Controller”): The entity or individual that has agreed to the BorakDesk Terms of Service and uses the Platform to process personal data (“Customer” or “you”).
- Data Processor (“Processor”): Borak Solutions LLC, operating the BorakDesk AI Marketing Suite, with registered address in Milwaukee, WI, USA (“we”, “us”, or “our”).
This DPA applies to all processing of personal data that the Processor carries out on behalf of the Controller in connection with the provision of the BorakDesk Platform, including email marketing, CRM, AI-powered campaign management, analytics, and all related services.
2. Definitions
In this DPA, the following terms have the meanings set out below:
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- “Processing” means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
- “Sub-Processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Customer Data” means all data, including Personal Data, that the Controller uploads, creates, or processes using the Platform.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, as defined in Article 4(12) of the GDPR.
3. Subject Matter and Duration
3.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the BorakDesk Platform services, including:
- Storing and managing contact lists and CRM records
- Processing and delivering email marketing campaigns
- Generating AI-powered marketing content and analytics
- Processing campaign performance data and engagement metrics
- Providing data analytics, reporting, and predictive insights
3.2 Categories of Data
The Personal Data processed under this DPA may include:
- Contact information (names, email addresses, phone numbers, postal addresses)
- Professional information (job titles, company names, industry)
- Engagement data (email opens, clicks, conversions, browsing behaviour)
- Technical data (IP addresses, device information, browser type)
- Any other Personal Data the Controller uploads to or creates within the Platform
3.3 Categories of Data Subjects
Data Subjects may include the Controller's customers, prospects, leads, employees, contractors, partners, subscribers, and other individuals whose data is processed through the Platform.
3.4 Duration
This DPA shall remain in effect for the duration of the Controller's subscription to the Platform, plus the 90-day post-cancellation grace period and the additional 30-day backup deletion window as described in our Privacy Policy.
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 8 of this DPA.
- Not engage another processor (Sub-Processor) without prior specific or general written authorisation of the Controller, as detailed in Section 6 of this DPA.
- Assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Obligations of the Controller
The Controller shall:
- Ensure that it has a valid legal basis for the processing of Personal Data, including obtaining any necessary consents from Data Subjects.
- Provide documented processing instructions to the Processor and ensure that the processing instructions comply with applicable data protection laws.
- Be responsible for the accuracy, quality, and legality of the Personal Data and the means by which it was obtained.
- Ensure compliance with applicable anti-spam legislation (CAN-SPAM, GDPR, CASL, and other applicable laws) when using the Platform for email marketing.
- Notify the Processor without undue delay if it becomes aware of any Data Breach affecting Personal Data processed through the Platform.
6. Sub-Processors
The Controller provides general authorisation for the Processor to engage Sub-Processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes within 30 days of notification.
The current list of Sub-Processors is:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, hosting, and data storage | US / EU / Asia (per customer region selection) |
| Stripe | Payment processing | United States |
| Anthropic | AI content generation (Claude) | United States |
| OpenAI | AI content generation (GPT) | United States |
| Apollo.io | Lead enrichment and prospecting (opt-in) | United States |
| Hunter.io | Email address verification | European Union |
| Push Protocol | Web3 wallet notifications | Decentralised |
The Processor shall impose on each Sub-Processor, by way of contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.
7. International Data Transfers
Regional data isolation by design. BorakDesk's three-region architecture ensures that Customer Data does not leave the geographic region selected by the Controller at account creation. Cross-region data transfers do not occur during normal platform operations.
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that adequate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (2021/914) for transfers of Personal Data to Sub-Processors located outside the EEA.
- Adequacy Decisions: Where available, we rely on adequacy decisions issued by the European Commission.
- Supplementary Measures: We implement additional technical measures, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and pseudonymisation where appropriate, to ensure that transferred data is protected to a standard essentially equivalent to that guaranteed within the EEA.
EU customers who select the European Union data region can be assured that their primary Customer Data is stored and processed exclusively within the EU (Azure North Europe, Ireland). AI processing requests may be routed to Sub-Processors in the United States under the safeguards described above — only the prompt and response content is transmitted, and no Customer Data is retained by the AI Sub-Processor.
8. Security Measures
The Processor implements and maintains the following technical and organisational security measures to protect Personal Data:
8.1 Technical Measures
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and least-privilege access principles are enforced for all personnel with access to Personal Data.
- Network Security: Firewalls, intrusion detection systems (IDS), DDoS protection, and network segmentation isolate production environments.
- Database Security: Row-Level Security (RLS) ensures complete tenant isolation in shared database infrastructure. Each customer's data is logically separated and inaccessible to other tenants.
- Monitoring: 24/7 security monitoring, automated threat detection, and logging of all access to Personal Data.
- Vulnerability Management: Regular vulnerability scanning, penetration testing, and timely application of security patches.
8.2 Organisational Measures
- Personnel: All employees and contractors with access to Personal Data undergo background checks and receive data protection training.
- Confidentiality: All personnel are bound by confidentiality obligations.
- Incident Response: A documented incident response plan is maintained and tested regularly.
- Business Continuity: Regular backups, disaster recovery planning, and tested failover procedures.
- Certifications: The Platform is designed to comply with SOC 2 Type II, HIPAA, and ISO 27001 standards.
9. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach, in accordance with Article 33(2) of the GDPR.
- Provide the Controller with the following information (to the extent available): the nature of the Data Breach, the categories and approximate number of Data Subjects and Personal Data records affected, the likely consequences of the Data Breach, and the measures taken or proposed to be taken to address the Data Breach and mitigate its effects.
- Cooperate with the Controller and provide all reasonable assistance in investigating and remediating the Data Breach.
- Maintain a record of all Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken.
Breach notifications will be sent to the email address registered with the Controller's account and to any additional contacts designated by the Controller for security notifications.
10. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If the Processor receives a request directly from a Data Subject, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller.
The Platform provides self-service tools that enable the Controller to access, export, rectify, and delete Personal Data. The Processor shall respond to Controller requests for assistance with Data Subject rights within 10 business days.
11. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:
- Make available all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR.
- Allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, subject to reasonable advance notice (at least 30 days) and during normal business hours.
- Provide the Controller with copies of relevant certifications, audit reports (such as SOC 2 Type II reports), and security assessments upon request.
Audits shall be conducted at the Controller's expense, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit. The Controller may conduct no more than one audit per calendar year, unless required by a supervisory authority or following a Data Breach.
12. Termination and Data Return
Upon termination or expiry of the Controller's subscription:
- Grace period: The Controller has 90 days to access and export all Customer Data, including Personal Data, through the Platform's standard export tools (CSV, JSON formats).
- Deletion: After the 90-day grace period, the Processor shall permanently and irreversibly delete all Customer Data from production systems. All backup copies shall be deleted within an additional 30 days.
- Certification: Upon request, the Processor shall provide the Controller with written certification confirming that all Personal Data has been deleted in accordance with this DPA.
- Legal holds: The Processor may retain specific Personal Data beyond the standard deletion timeline if required by applicable law. The Processor shall inform the Controller of any such legal requirement, unless prohibited by law.
This DPA shall survive the termination of the Controller's subscription until all Personal Data has been deleted or returned in accordance with this section.
Contact
For questions about this Data Processing Agreement or to exercise your rights under this DPA, please contact:
- Data Protection Contact: legal@borakdesk.com
- Company: Borak Solutions LLC
- Address: Milwaukee, WI, USA