Legal
Data Processing Addendum
Last updated
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”) and Work Reactor Inc., operating as Unitpost (“Unitpost,” “we,” “us”), and applies whenever we process personal data on your behalf in the course of providing the Service.
By using the Service to process personal data subject to the GDPR, UK GDPR, or similar data-protection laws, you and Unitpost agree to this DPA. It is incorporated into the Terms automatically — no signature is required for it to apply. If you need a countersigned copy for your records, contact legal@unitpost.com.
01Scope & incorporation
This DPA applies to personal data that Unitpost processes as a processor on your behalf (“Customer Personal Data”) — most notably your recipients’ email addresses, names, contact attributes, and message content that you submit to the Service. It does not apply to data we process as an independent controller (such as your own account, billing, and website analytics data), which is governed by our Privacy Policy.
To the extent of any conflict between this DPA and the Terms with respect to the processing of Customer Personal Data, this DPA controls. Where the Standard Contractual Clauses apply (Section 8), they control over this DPA to the extent of any conflict.
02Definitions
“Data Protection Laws” means all laws applicable to the processing of Customer Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and applicable U.S. state privacy laws (including the CCPA/CPRA). “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in the GDPR. “SCCs” means the standard contractual clauses approved by the European Commission in decision 2021/914 for the transfer of personal data to third countries.
03Roles & processing details
For Customer Personal Data, you are the controller (or a processor acting for another controller) and Unitpost is your processor. For the purposes of the SCCs and Article 28(3) GDPR, the details of processing are:
- Subject matter & duration. Provision of the Service for the term of the agreement, plus the deletion period described in Section 10.
- Nature & purpose. Sending, delivering, and tracking email on your instruction; storing contacts, segments, templates, suppression lists, and related logs; receiving inbound email you direct to the Service; and providing analytics about your sending.
- Categories of data subjects. Your email recipients, contacts, and end users whose data you submit to the Service.
- Categories of personal data. Email addresses, names and contact attributes you supply, message content and metadata, delivery and engagement events (delivered, bounced, opened, clicked, complained, unsubscribed), and IP addresses / user-agent data collected by engagement tracking where you enable it.
- Special categories. None intended. The Terms prohibit submitting data subject to heightened regulatory requirements without our prior written agreement.
- Frequency. Continuous, for as long as you use the Service.
04Our obligations as processor
With respect to Customer Personal Data, Unitpost will:
- process it only on your documented instructions (including the Terms, this DPA, and your use of the Service’s settings and APIs), unless required otherwise by law — in which case we will inform you unless legally prohibited;
- ensure that persons authorized to process it are bound by confidentiality obligations;
- implement and maintain appropriate technical and organizational measures as described in our Privacy Policy (encryption in transit and at rest, access controls, workspace isolation, key management via a managed KMS, and audit logging), taking into account the state of the art and the risks of the processing;
- not sell Customer Personal Data, retain it except as needed to provide the Service, or use it for any purpose other than providing the Service (including for the purposes of the CCPA/CPRA, under which we act as a “service provider”);
- inform you if, in our opinion, an instruction infringes applicable Data Protection Laws.
05Subprocessors
You provide general authorization for the subprocessors listed in our Privacy Policy (Amazon Web Services (AWS), Supabase, Stripe, Google Cloud (Vertex AI), Intercom, Twilio, Upstash, PostHog, Google Analytics), each engaged under a written agreement imposing data-protection obligations no less protective than this DPA. We remain responsible for our subprocessors’ performance.
We will update the subprocessor list on that page before adding or replacing a subprocessor that processes Customer Personal Data. If you wish to receive advance email notice of such changes, request it at legal@unitpost.com. You may object on reasonable data-protection grounds within fifteen (15) days of notice; if we cannot offer a reasonable alternative, you may terminate the affected portion of the Service and receive a pro-rata refund of prepaid, unused fees.
06Assistance & data-subject rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures — such as export APIs, contact deletion, and suppression tooling — in fulfilling your obligation to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). If a data subject contacts us directly about data we process on your behalf, we will direct them to you and will not respond substantively except on your instruction or where required by law.
We will also provide reasonable assistance with your data protection impact assessments and prior consultations with supervisory authorities, to the extent the required information is available to us.
07Security incidents
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required for you to meet your own breach-notification obligations — including the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed. Our notification is not an acknowledgement of fault or liability.
08International transfers & SCCs
Customer Personal Data is processed in the United States. Where Data Protection Laws of the EEA, UK, or Switzerland apply to a transfer of Customer Personal Data to Unitpost in a country without an adequacy decision, the parties agree that:
- the SCCs (Module Two: controller-to-processor, or Module Three: processor-to-processor, as applicable) are incorporated into this DPA by reference, with you as data exporter and Unitpost as data importer;
- Clause 7 (docking) is included; Clause 9 option 2 (general authorization) applies with the notice period in Section 5; Clause 11 optional language is not included; Clause 17 is governed by Irish law; Clause 18 courts are the courts of Ireland;
- Annex I is completed with the details in Section 3 of this DPA, Annex II with the security measures referenced in Section 4, and Annex III with the subprocessor list in Section 5;
- for UK transfers, the UK International Data Transfer Addendum to the SCCs (as issued by the ICO) is incorporated and the tables are deemed completed with the same details; for Swiss transfers, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner.
If Unitpost adopts an alternative lawful transfer mechanism (such as an adequacy framework certification), that mechanism will apply instead to the extent it covers the transfer.
09Audits & information
On written request no more than once per twelve (12) months, we will make available information reasonably necessary to demonstrate compliance with this DPA — such as summaries of our security practices, penetration-test attestations, and subprocessor agreements’ data-protection terms. Where Data Protection Laws grant you a mandatory audit right that cannot be satisfied this way, an audit may be conducted at your expense, during business hours, on at least thirty (30) days’ notice, no more than once per year, under confidentiality obligations, and without access to other customers’ data or systems.
10Return & deletion
You can export and delete Customer Personal Data at any time during the term through the dashboard and API. Following termination of the agreement, we will delete Customer Personal Data in the ordinary course as described in our Privacy Policy, except where retention is required by law (in which case the data remains protected under this DPA and is deleted when the legal requirement ends). Residual copies in encrypted backups are purged on our standard backup rotation schedule.
11Liability & precedence
Each party’s liability arising out of or related to this DPA (including the SCCs) is subject to the limitations and exclusions of liability in the Terms, and references to an agreement’s liability cap mean the cap in the Terms. Nothing in this section limits either party’s liability to data subjects under the SCCs where such limitation is not permitted.
12Contact & signed copies
Questions about this DPA, requests for a countersigned copy, or requests for advance subprocessor-change notice can be sent to legal@unitpost.com.
Work Reactor Inc.
2055 Limestone Road STE 200-C
Wilmington, DE 19808, United States