Effective July 15, 2026

Data Processing Addendum

This addendum applies where marketer.sh processes personal data on behalf of a business customer (the controller). It forms part of the Terms of Service for those customers and reflects Article 28 of the GDPR.

1. Roles

For data you upload or that your end users provide, you are the controller and we are the processor. For account and billing data about you, we are the controller under our Privacy Policy.

2. Scope and instructions

We process personal data only to provide the service and on your documented instructions, including as configured through the product and API. We will tell you if an instruction appears to infringe applicable law.

3. Confidentiality

Personnel authorized to process personal data are bound by confidentiality and access it on a least-privilege basis.

4. Security

We maintain technical and organizational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, and an append-only audit log of privileged actions.

5. Subprocessors

You authorize the use of the subprocessors listed on our Subprocessors page. We impose data protection terms on each and remain responsible for their performance. We will give notice before adding a subprocessor that materially affects your data, so you may object on reasonable grounds.

6. Data subject rights

We provide self-service export and deletion, and will otherwise assist you in responding to data-subject requests taking into account the nature of the processing.

7. Breach notification

We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own obligations.

8. International transfers

Where we transfer personal data internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.

9. Deletion and return

On termination, we delete or return personal data at your choice, subject to limited retention required by law. Account deletion in-product cascades across your records.

10. Audits

We will make available information reasonably necessary to demonstrate compliance with this addendum. To request a copy of this DPA for signature, email legal@marketer.sh.

Questions about this document? Email legal@marketer.sh.