Data Processing Agreement
Last updated: April 1, 2026
1. Definitions
For the purposes of this Data Processing Agreement (the "DPA"), the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the MiN8T Terms of Service or, where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR").
- 1.1 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the Customer.
- 1.2 "Processor" means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is MiN8T Inc. ("MiN8T").
- 1.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. Data Subjects may include the Customer's employees, contacts, email subscribers, or other individuals whose data is uploaded to or processed through the Service.
- 1.4 "Personal Data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- 1.5 "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- 1.6 "Sub-processor" means any third-party processor engaged by MiN8T to process Personal Data on behalf of the Controller. Sub-processors act under MiN8T's authority and are bound by contractual obligations that provide a level of data protection equivalent to that of this DPA.
- 1.7 "Supervisory Authority" means an independent public authority established by a Member State of the European Union pursuant to Article 51 of the GDPR, responsible for monitoring the application of data protection legislation within its jurisdiction. For the United Kingdom, the Supervisory Authority is the Information Commissioner's Office (ICO).
- 1.8 "Service" means the MiN8T email template editor platform, including all associated features, APIs, Plugin SDK, and related services as described in the MiN8T Terms of Service.
- 1.9 "Customer" means the entity or individual that has entered into a service agreement with MiN8T and is party to this DPA as the Controller of Personal Data.
- 1.10 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to processors established in third countries, as approved by the European Commission pursuant to Decision (EU) 2021/914.
2. Scope and Purpose
2.1 This DPA applies to the Processing of Personal Data by MiN8T on behalf of the Customer in connection with the provision of the Service. This DPA supplements and forms part of the service agreement between MiN8T and the Customer (the "Agreement").
2.2 In the context of this DPA, MiN8T acts as a Processor and the Customer acts as the Controller. The Customer determines the purposes and means of Processing Personal Data, while MiN8T processes Personal Data solely on behalf of and in accordance with the documented instructions of the Customer.
2.3 The types of Personal Data processed through the Service may include, but are not limited to:
- Email Addresses: Email addresses of the Customer's contacts and subscribers, uploaded for use in email templates, list cleaning, or ESP integrations.
- Subscriber Lists: Contact lists containing names, email addresses, and other subscriber attributes uploaded by the Customer for segmentation, personalization, or list hygiene purposes.
- Template Content: Email template content that may contain Personal Data if the Customer incorporates personalization fields, merge tags, or dynamic content referencing individual Data Subjects.
- Usage Data: Data generated through the Customer's use of the Service, including editor activity, feature usage, and session information, to the extent that such data constitutes Personal Data.
- Account Data: Personal Data provided by the Customer's authorized users during account registration and ongoing use of the Service, including names, email addresses, and professional roles.
2.4 The categories of Data Subjects whose Personal Data may be processed include:
- The Customer's employees and team members who have access to the Service.
- The Customer's email subscribers and contacts whose data is uploaded to or processed through the Service.
- Third parties whose Personal Data may be included in email template content created by the Customer.
2.5 MiN8T shall process Personal Data only for the purposes of providing the Service to the Customer as described in the Agreement, including template storage and rendering, asset hosting, ESP integrations, list cleaning, DMARC monitoring, AI-assisted content generation, and collaborative editing.
3. Processing Instructions
3.1 MiN8T shall process Personal Data only on the documented instructions of the Customer, unless required to do so by European Union or Member State law to which MiN8T is subject, in which case MiN8T shall inform the Customer of that legal requirement before Processing (unless such law prohibits such notification on important grounds of public interest).
3.2 The Customer's instructions for Processing are as set forth in this DPA and the Agreement. The Customer may issue additional reasonable instructions to MiN8T regarding the Processing of Personal Data, provided that such instructions are consistent with the terms of the Agreement and applicable law. Any additional instructions must be provided in writing.
3.3 If MiN8T reasonably believes that any instruction received from the Customer infringes the GDPR or other applicable data protection legislation, MiN8T shall promptly notify the Customer in writing without undue delay. MiN8T shall not be required to comply with any instruction that it reasonably believes to be unlawful, and it shall not be liable for any delay in Processing resulting from its notification to the Customer under this provision.
3.4 MiN8T shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. MiN8T shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Service.
3.5 MiN8T shall not process Personal Data for any purpose other than as specified in this DPA and the Agreement, unless the Customer provides prior written consent for such additional Processing.
4. Data Security
4.1 MiN8T shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
4.2 Such measures shall include, at a minimum, the following:
4a. Encryption
- Encryption at Rest: All Personal Data stored on MiN8T's servers is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys). Sensitive data fields, including integration tokens, webhook secrets, and API keys, are additionally encrypted using AES-256-GCM (Galois/Counter Mode) with unique initialization vectors per record.
- Encryption in Transit: All data transmitted between the Customer's browser and MiN8T's servers is encrypted using TLS 1.3 (Transport Layer Security). MiN8T enforces HTTPS across all endpoints and does not support unencrypted HTTP connections. Internal service-to-service communication within MiN8T's infrastructure is similarly encrypted.
4b. Access Controls
- Access to production systems and databases containing Personal Data is restricted to authorized MiN8T personnel on a strict need-to-know basis.
- Authentication to internal systems requires multi-factor authentication (MFA).
- Role-based access controls (RBAC) are enforced within the Service, with three permission levels (owner, editor, viewer) to ensure that Customer team members can only access and modify data appropriate to their assigned role.
- All access to production systems and Personal Data is logged and auditable.
4c. Incident Response
- MiN8T maintains a documented incident response plan for identifying, containing, and remediating security incidents.
- In the event of a Personal Data breach, MiN8T shall notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, as further described in Section 8 of this DPA.
- MiN8T conducts regular security assessments, vulnerability scanning, and penetration testing of its infrastructure and application code.
4d. Infrastructure Security
- MiN8T's production infrastructure is hosted on enterprise-grade cloud platforms with industry-recognized security certifications (SOC 2, ISO 27001).
- Database backups are encrypted and stored in geographically separate locations to ensure data durability and disaster recovery capabilities.
- Rate limiting, intrusion detection, and DDoS protection are implemented across all public-facing endpoints to prevent unauthorized access and abuse.
4e. Password Security
- User passwords are hashed using bcrypt with an appropriate work factor before storage. Passwords are never stored, logged, or transmitted in plaintext.
- MiN8T enforces minimum password complexity requirements and implements account lockout mechanisms after repeated failed authentication attempts.
5. Sub-processors
5.1 The Customer acknowledges and agrees that MiN8T may engage Sub-processors to assist in providing the Service, subject to the conditions set forth in this Section.
5.2 MiN8T currently engages the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting, data storage, content delivery network (CDN) for uploaded assets, and database services. | United States (us-east-1, us-west-2) |
| Google Cloud Platform (GCP) | Cloud infrastructure hosting, compute services, and application deployment. | United States (us-central1) |
| Stripe, Inc. | Payment processing, subscription management, and billing. Stripe processes payment card data directly and acts as an independent data controller for payment information. | United States |
| SendGrid (Twilio Inc.) | Transactional email delivery for account verification, password reset, billing receipts, and security notifications sent by MiN8T to its users. | United States |
5.3 MiN8T shall notify the Customer in writing at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor. Such notice shall include the identity of the proposed Sub-processor, the nature of the Processing to be performed, and the location of the Processing.
5.4 The Customer shall have the right to object to the appointment of a new Sub-processor by providing written notice to MiN8T within fifteen (15) days of receiving the notification described in Section 5.3. If the Customer objects, MiN8T shall use reasonable efforts to make available to the Customer a change in the Service or recommend a commercially reasonable alternative. If no alternative is available, either party may terminate the affected portion of the Service by providing written notice.
5.5 MiN8T shall impose data protection obligations on each Sub-processor by way of a written agreement that provides at least the same level of protection for Personal Data as is provided under this DPA. MiN8T shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.
6. Data Subject Rights
6.1 MiN8T shall assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law, including but not limited to the rights of access, rectification, erasure, restriction of Processing, data portability, and objection to Processing.
6.2 If MiN8T receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Customer, MiN8T shall promptly redirect the Data Subject to the Customer and notify the Customer of the request within five (5) business days. MiN8T shall not respond to the Data Subject's request directly unless authorized by the Customer or required by applicable law.
6.3 Upon receiving written instructions from the Customer, MiN8T shall provide reasonable assistance with the following Data Subject requests within ten (10) business days:
- Right of Access: MiN8T shall provide the Customer with a copy of the Personal Data processed on behalf of the Customer in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to Rectification: MiN8T shall correct inaccurate Personal Data upon the Customer's written instruction. The Customer may also correct Personal Data directly through the Service's user interface where applicable.
- Right to Erasure: MiN8T shall delete specified Personal Data upon the Customer's written instruction, subject to any applicable legal retention obligations. Deletion shall be performed securely and irreversibly.
- Right to Data Portability: MiN8T shall provide the Customer with a complete export of Personal Data in a structured, commonly used, machine-readable format. The Service provides built-in export functionality for templates (HTML/JSON), contact lists (CSV), and account data.
- Right to Restriction: Upon the Customer's request, MiN8T shall restrict the Processing of specified Personal Data, limiting Processing to storage only until the restriction is lifted by the Customer.
- Right to Object: Where a Data Subject objects to Processing, the Customer shall instruct MiN8T on the appropriate course of action, and MiN8T shall comply with such instructions promptly.
6.4 MiN8T shall maintain the technical capability to fulfill Data Subject requests and shall not charge the Customer for reasonable assistance with such requests. For requests that are manifestly unfounded, excessive, or repetitive, MiN8T reserves the right to charge a reasonable fee based on administrative costs.
7. Data Transfers
7.1 MiN8T Inc. is based in the United States and its primary infrastructure is hosted in the United States. The Customer acknowledges that Personal Data processed through the Service will be transferred to and stored in the United States.
7.2 For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, MiN8T relies on the European Commission-approved Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. The applicable SCCs are incorporated by reference into this DPA and form an integral part hereof.
7.3 The following modules of the SCCs (Commission Implementing Decision (EU) 2021/914) apply:
- Module Two (Controller to Processor): For transfers where the Customer is the Controller and MiN8T is the Processor.
- Module Three (Processor to Sub-processor): For onward transfers from MiN8T to its Sub-processors as listed in Section 5.
7.4 MiN8T implements the following supplementary measures alongside the SCCs to ensure adequate protection of Personal Data during and after transfer:
- Encryption in transit using TLS 1.3 for all data communications.
- Encryption at rest using AES-256 for all stored Personal Data.
- Strict access controls with multi-factor authentication for production systems.
- Regular security assessments and vulnerability testing.
- Contractual obligations on all Sub-processors to maintain equivalent protections.
7.5 Data Residency Options: Enterprise customers may request data residency within specific geographic regions (e.g., EU-only hosting) where operationally feasible. Data residency options are subject to separate agreement and may involve additional infrastructure costs. Contact dpa@min8t.com for details on available data residency configurations.
7.6 If any transfer mechanism relied upon by MiN8T is invalidated by a court of competent jurisdiction or supervisory authority, MiN8T shall use reasonable efforts to implement an alternative lawful transfer mechanism and shall notify the Customer without undue delay. If no lawful transfer mechanism is available, the Customer may suspend the transfer of Personal Data until a valid mechanism is established.
8. Data Breach Notification
8.1 In the event that MiN8T becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed on behalf of the Customer (a "Personal Data Breach"), MiN8T shall:
- 8.1.1 Notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the Personal Data Breach, by email to the Customer's designated security contact and, if applicable, through the Service's administrative interface.
- 8.1.2 Take immediate steps to contain the breach and mitigate any potential harm to Data Subjects and the Customer.
8.2 The notification provided under Section 8.1.1 shall include, to the extent available at the time of notification:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected.
- The name and contact details of MiN8T's data protection point of contact from whom further information can be obtained.
- A description of the likely consequences of the Personal Data Breach.
- A description of the measures taken or proposed to be taken by MiN8T to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.3 If it is not possible to provide all information specified in Section 8.2 at the time of initial notification, MiN8T shall provide the information in phases without further undue delay as it becomes available.
8.4 Mitigation Steps: Upon becoming aware of a Personal Data Breach, MiN8T shall take the following mitigation steps:
- Isolate affected systems to prevent further unauthorized access.
- Preserve evidence and audit logs for forensic investigation.
- Assess the scope and severity of the breach, including which Personal Data and Data Subjects are affected.
- Implement remedial measures to address the root cause of the breach and prevent recurrence.
- Cooperate fully with the Customer and, where applicable, the relevant Supervisory Authority in investigating and resolving the breach.
8.5 MiN8T shall provide the Customer with a written post-incident report within thirty (30) days of the resolution of the Personal Data Breach. The report shall include a detailed description of the breach, its root cause, the Personal Data affected, the remedial actions taken, and recommendations for preventing similar incidents in the future.
8.6 MiN8T shall assist the Customer in complying with its obligations under Articles 33 and 34 of the GDPR (notification to supervisory authorities and communication to Data Subjects) to the extent that MiN8T's assistance is necessary for the Customer to fulfill those obligations.
9. Audit Rights
9.1 MiN8T shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
9.2 The Customer or its designated auditor may conduct an audit of MiN8T's data processing practices, security measures, and compliance with this DPA up to once per calendar year. The Customer shall provide MiN8T with at least thirty (30) days' prior written notice of any audit, including the proposed scope, duration, and start date.
9.3 Audits shall be conducted during MiN8T's normal business hours and in a manner that does not unreasonably disrupt MiN8T's operations. The Customer's auditor shall comply with MiN8T's reasonable security and confidentiality requirements, including executing a non-disclosure agreement if requested.
9.4 MiN8T shall cooperate with the audit by providing access to relevant documentation, records, systems, and personnel. MiN8T may redact or withhold information that relates to other customers' data, proprietary business information, or trade secrets, provided that such redaction does not prevent the Customer from verifying MiN8T's compliance with this DPA.
9.5 If the audit reveals any material non-compliance with this DPA, MiN8T shall promptly remediate the identified issues at its own expense and provide the Customer with a written remediation plan within fifteen (15) business days of receiving the audit findings. The Customer shall have the right to conduct a follow-up audit to verify the effectiveness of the remediation.
9.6 As an alternative to on-site audits, MiN8T may satisfy the Customer's audit rights by providing:
- Copies of relevant third-party audit reports or certifications (e.g., SOC 2 Type II, ISO 27001) conducted by independent auditors.
- Written responses to reasonable written inquiries from the Customer regarding MiN8T's data processing and security practices.
- Summary reports of penetration testing results and vulnerability assessments (with sensitive details appropriately redacted).
9.7 Each party shall bear its own costs in connection with audits, except that if an audit reveals material non-compliance by MiN8T, MiN8T shall bear the reasonable costs of the Customer's audit and any follow-up audit.
10. Term and Termination
10.1 This DPA shall become effective on the date it is executed by both parties (or, if incorporated by reference, on the date the Agreement becomes effective) and shall remain in force for the duration of the Agreement. This DPA shall automatically terminate upon the termination or expiration of the Agreement.
10.2 Upon termination or expiration of the Agreement, MiN8T shall, at the Customer's election:
- Return: Return all Personal Data to the Customer in a structured, commonly used, machine-readable format (JSON, CSV, or HTML as applicable) within thirty (30) days of receiving the Customer's written request. MiN8T shall provide the Customer with reasonable assistance in exporting its data through the Service's built-in export functionality.
- Delete: Permanently and irreversibly delete all Personal Data processed on behalf of the Customer within thirty (30) days of termination, unless applicable law requires further retention. Deletion shall extend to all copies, including backups and replicas, which shall be deleted within ninety (90) days of termination as backup rotation cycles complete.
10.3 If the Customer does not provide written instructions regarding the return or deletion of Personal Data within thirty (30) days of termination, MiN8T shall permanently delete all Personal Data in accordance with Section 10.2 above.
10.4 MiN8T shall provide written certification of the deletion of Personal Data upon the Customer's request.
10.5 Notwithstanding the foregoing, MiN8T may retain Personal Data to the extent required by applicable law (such as billing records for tax compliance) or to the extent necessary to establish, exercise, or defend legal claims. Any Personal Data retained pursuant to this Section shall continue to be protected in accordance with the terms of this DPA.
10.6 The obligations of MiN8T under Sections 4 (Data Security), 8 (Data Breach Notification), and 9 (Audit Rights) shall survive the termination of this DPA for so long as MiN8T retains any Personal Data processed on behalf of the Customer.
11. Contact
For questions, concerns, or requests related to this Data Processing Agreement, please contact MiN8T through the following channels:
- DPA Inquiries: dpa@min8t.com — For DPA execution requests, questions about data processing practices, Sub-processor notifications, audit scheduling, and data residency inquiries.
- Privacy Office: privacy@min8t.com — For general privacy inquiries, Data Subject rights requests, and privacy complaints.
- Data Protection Officer: CTO@min8t.com — MiN8T's Chief Technology Officer serves as Data Protection Officer (DPO) for GDPR purposes. EEA and UK customers may contact the DPO directly for data protection matters.
- Legal Department: legal@min8t.com — For legal questions, contract negotiations, and regulatory correspondence.
Mailing Address:
MiN8T Inc.
Attn: Data Processing Agreement
1209 Orange Street
Wilmington, DE 19801
United States
MiN8T shall respond to all DPA-related inquiries within fifteen (15) business days of receipt. For urgent matters related to data breaches or security incidents, MiN8T shall use commercially reasonable efforts to respond within twenty-four (24) hours.