Home › Data Processing Addendum
Legal

Data Processing Addendum

This Addendum sets out how Drop Privacy processes Personal Information on behalf of Customer when providing the Services. It supplements our Master Subscription Agreement.

Effective / Last updated: July 11, 2026

This Data Processing Addendum (the “DPA”) forms part of the Master Subscription Agreement (or other Customer Agreement) between Drop Privacy, LLC (“Processor,” “Drop Privacy,” “we,” or “us”) and the customer entity that accepts the Master Subscription Agreement or executes an Order Form (“Controller” or “Customer”). If there is a conflict between this DPA and the Master Subscription Agreement regarding the processing of Personal Information, this DPA controls.

1. Definitions

2. Roles of the Parties

2.1. Customer is Controller / Business. Customer determines the purposes and means of processing Personal Information relating to Customer’s consumers, leads, and business operations. Customer remains solely responsible for the lawfulness of its instructions and for compliance with the California Delete Act, DROP platform obligations, and all other Applicable Laws as set out in the Master Subscription Agreement.

2.2. Drop Privacy is Processor / Service Provider. Drop Privacy processes Personal Information only on documented instructions from Customer (including via configuration of the Services and the Master Subscription Agreement / Order Form), as a service provider / processor, and not as a controller of Customer’s underlying consumer databases, except for limited processing of Site/portal account data as an independent controller as described in the Privacy & Cookies notice.

2.3. No sale; limited purpose. Drop Privacy shall not sell Personal Information; shall not share Personal Information for cross-context behavioral advertising; and shall not retain, use, or disclose Personal Information for any purpose other than providing the Services, the business purposes specified in the Master Subscription Agreement, or as otherwise permitted for service providers under Applicable Data Protection Law (including security, debugging, and legal compliance).

2.4. Drop Privacy certifies that it understands the foregoing restrictions and will comply with them.

3. Scope, Nature, and Purpose of Processing

3.1. Subject matter. Provision of the Drop Privacy Services (currently focused on California Delete Act / DROP operational tooling, screening, suppression/registry support, audit/attestation aids, APIs, and related SaaS features; and any future privacy/compliance modules Customer elects to use).

3.2. Duration. For the subscription term and any post-termination retention period described in the Master Subscription Agreement, plus any longer period required by law or needed for dispute resolution / audit integrity.

3.3. Nature & purpose. Hosting, transmission, hashing/matching support, job orchestration, logging, audit chaining, notification delivery, API/agent operations, and related technical processing necessary to provide and secure the Services.

3.4. Types of Personal Information. Depending on Customer’s configuration and deployment model, may include: account user names and emails; authentication and audit metadata; hashed or tokenized consumer identifiers; work-item and queue metadata; IP addresses hashed or truncated for security; and similar operational data. Where Customer uses Model C / on-premises agent designs, identifiable consumer PII is intended to remain within Customer’s perimeter; Drop Privacy’s cloud control plane may receive hashes, status, and non-identifying metadata only.

3.5. Categories of data subjects. Customer’s authorized users; and, where applicable, consumers / leads whose identifiers Customer elects to process through the Services.

4. Customer Instructions & Responsibilities

4.1. Customer instructs Drop Privacy to process Personal Information as necessary to provide the Services and as Customer configures through the platform (including credentials, mappings, cycle actions, confirmations, and API calls).

4.2. Customer shall: (a) have a lawful basis / notice / authorization for processing; (b) not instruct Drop Privacy to process data in violation of Applicable Data Protection Law; (c) be responsible for accuracy of data submitted and for deletion/suppression decisions at Customer’s source systems; and (d) not treat Drop Privacy’s tooling as discharging Customer’s Delete Act / DROP duties.

4.3. If Drop Privacy reasonably believes an instruction violates Applicable Data Protection Law, it may notify Customer and suspend performance of that instruction until clarified.

5. Confidentiality & Personnel

Drop Privacy shall ensure that persons authorized to process Personal Information are bound by appropriate confidentiality obligations and receive relevant security/privacy awareness training.

6. Security

6.1. Drop Privacy shall implement and maintain technical and organizational measures appropriate to the risk, which may include encryption in transit, access controls, tenant isolation, hashing of identifiers where designed, audit logging, vulnerability management, and secure development practices. A summary of architecture is described on the Security page (informational; not a warranty expansion).

6.2. Customer is responsible for securing its own systems, credentials, agent hosts, and source databases, and for choosing an appropriate deployment model (cloud vs. on-prem agent) for its risk profile.

7. Subprocessors

7.1. Customer authorizes Drop Privacy to engage Subprocessors to support hosting, email delivery, analytics (where consented for the Site), error monitoring, and similar infrastructure services. Drop Privacy shall impose data-protection obligations on Subprocessors no less protective in substance than those in this DPA.

7.2. Drop Privacy remains responsible for Subprocessor performance to the extent required by Applicable Data Protection Law. Upon written request, Drop Privacy will provide a then-current list of material infrastructure Subprocessors. Customer may object to a new Subprocessor on reasonable data-protection grounds; the parties will discuss in good faith, and if unresolved Customer may terminate the affected Services as its sole remedy.

8. Assistance; Data Subject Requests

8.1. Taking into account the nature of processing, Drop Privacy shall provide reasonable assistance to Customer in responding to data-subject or consumer requests under Applicable Data Protection Law, insofar as Customer cannot fulfill them solely through the Services’ self-service features.

8.2. If Drop Privacy receives a request directly relating to Customer Personal Information, it will (unless prohibited by law) redirect the requester to Customer or notify Customer, without responding substantively on Customer’s behalf except as legally required.

8.3. Drop Privacy shall provide reasonable assistance with Customer’s data-protection impact assessments and consultations with regulators, to the extent related to Drop Privacy’s processing and required by Applicable Data Protection Law, at Customer’s expense if the assistance is material.

9. Security Incidents

Upon becoming aware of a Security Incident affecting Personal Information processed under this DPA, Drop Privacy shall notify Customer without undue delay and provide information reasonably available to assist Customer in meeting its notification obligations. Drop Privacy’s notification is not an admission of fault or liability.

10. Return & Deletion

Upon termination of the Services, Drop Privacy shall, at Customer’s election where commercially practicable, return or delete Personal Information in Drop Privacy’s possession (subject to the Master Subscription Agreement’s export window), except for copies retained as required by law, for hash-chained audit integrity, in encrypted backups pending rotation, or as otherwise permitted for service providers under Applicable Data Protection Law.

11. Audits

Upon reasonable written request (no more than once per twelve (12) months, unless required by a regulator or following a Security Incident), Drop Privacy shall make available information reasonably necessary to demonstrate compliance with this DPA, which may include security summaries or third-party reports where available. On-site audits, if required by Applicable Data Protection Law and not reasonably satisfied by documentation, shall be scheduled on mutual agreement, during business hours, without unreasonably disrupting operations, and at Customer’s expense unless a material breach of this DPA is confirmed.

12. International Transfers

The Services are primarily hosted in the United States. Where Personal Information is transferred internationally and Applicable Data Protection Law requires a transfer mechanism, the parties will cooperate in good faith to implement an appropriate mechanism (such as standard contractual clauses) or Customer may choose a deployment architecture that keeps identifiable data within its chosen region/perimeter.

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions in the Master Subscription Agreement, except to the extent such limitations are prohibited by Applicable Data Protection Law with respect to a party’s own obligations.

14. Term

This DPA is effective as of the Effective Date above (or the date Customer first uses the Services, if later) and continues for as long as Drop Privacy processes Personal Information on behalf of Customer.

15. Contact

Privacy and DPA inquiries: privacy@dropprivacy.com · Legal: legal@dropprivacy.com

Related: Acceptable Use Policy · Privacy & Cookies · Security · Website Terms of Use

This DPA is a standard form. Enterprise customers may request a negotiated DPA or SCC package via sales.