Data Processing Agreement
If you sign up for Privacy Updates, we will notify you (via email) at least 30 days prior to onboarding any new Sub-processor. From the date of notification, you will have 10 days to object to having any Personal Data of your Data Subjects Processed by that Sub-processor in accordance with Paragraph 11 of this DPA.
This Data Processing Agreement (the “DPA“, as updated from time to time) is a legal agreement between You (“Customer”, “You”, “Your”) and Company (each a “party” and collectively the “parties”) and defines the terms and conditions under which Personal Data will be processed by Company.
1. Definitions
For the purposes of this DPA, any terms defined by Applicable Privacy Laws (including any capitalized terms herein) shall have the same meaning as in the Applicable Privacy Laws. If Applicable Privacy Laws do not define such terms then definitions given in Applicable Privacy Laws for functionally similar terms will apply. References to “Paragraphs” in this DPA are to paragraphs of this DPA, excluding the EU SCCs and UK Addendum. References to “Clauses” in this DPA will be to clauses of the Standard Contractual Clauses. References to “Sections” in this DPA are to sections of the UK Addendum. All other capitalized terms used herein, but not otherwise defined, shall have the meanings assigned to them in the Agreement.
| Affiliate | Any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control” means direct or indirect ownership or control of >50% of voting interests or the right to receive >50% of profits or earnings. |
|---|---|
| Applicable Privacy Law(s) | All worldwide data protection and privacy laws applicable to the Personal Data Processed by Company in connection with the Agreement, including EU Data Protection Law, UK GDPR, FADP, and US Data Protection Laws. |
| Authorized Persons | Any person or entity who provides services on Company’s behalf, including Company’s employees, officers, partners, principals, contractors and Sub-processors. |
| Company Data | Data related to operation, performance, support, provisioning, and/or use of the Services (e.g., billing, usage, contract management). |
| Customer / Customer Affiliate | Customer is the party to the Ordering Document that signed this DPA. A Customer Affiliate is an Affiliate of Customer that is a Controller of Customer Data for the Services, subject to data protection laws, and a signing party to an Ordering Document. |
| Customer Data | Any Personal Data that Company Processes as a Processor on behalf of Customer in providing the Services under an Ordering Document. |
| EU Data Protection Law | GDPR, the e-Privacy Directive, and national implementations (as amended, superseded, or replaced). |
| EU SCCs | Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (as amended/superseded). |
| Ordering Document | Any form provided by Company (including electronic form or SOW), executed by the Parties or agreed by Customer via the Site, setting the commercial terms for the Services. |
| Sensitive Information | PHI under HIPAA; “nonpublic personal information” under GLBA; COPPA-covered minor data; PCI cardholder data; GDPR Art. 9 special categories; government IDs, financial accounts, medical/employment/criminal/insurance numbers, passport numbers, or other highly sensitive data. |
| Services | Products, services, applications, tools and other resources provided or made available by Company to Customer per the Ordering Document. |
| Sub-processor | Any third party (including Company Affiliates) engaged directly or indirectly by Company to Process Personal Data related to this DPA/Agreement. |
| Tracking Technologies | Cookies, tags, web beacons, pixels, and similar technologies. |
| Trust Center | Security information provided by Company at trust.meetmarigold.com. |
| UK Addendum | International Data Transfer Addendum to the EU SCCs issued by the UK ICO for Restricted Transfers under the UK Data Protection Act 2018. |
| US Data Protection Laws | U.S. state privacy laws including CCPA/CPRA, VCDPA, CPA, UCPA, and CTDPA. |
2. International Data Transfers
Transfer Mechanisms
Company may Process Customer Data protected by Applicable Privacy Laws that require measures ensuring adequate protection for transfers to third countries. Where Customer is located outside the EEA or an adequate third country, the Parties agree to enter into Module Four of the EU SCCs and the UK Addendum as implemented within Attachment 1 (each a “Transfer Mechanism”). For FADP-subject transfers, the EU SCCs will be interpreted by replacing “GDPR” with “FADP,” and the FDPIC will be the competent supervisory authority. For the Transfer Mechanisms, Company is the data exporter and Customer is the data importer. Execution of an Ordering Document or use of the Services subject to this DPA constitutes both parties’ accession to the Transfer Mechanisms.
Location(s) of Processing
A list of current Processing locations applicable to the Services is available at meetmarigold.com/sub-processors-privacy/ and, as applicable, within the Processing Details Attachment.
International Transfers
Company and/or its Authorized Persons shall not Process or transfer Personal Data outside the territory in which it was first collected unless it implements measures necessary to comply with Applicable Privacy Laws. Transfers to Company Affiliates in adequate countries (EEA/UK decisions) will follow applicable adequacy decisions. Subject to Customer signing up for Privacy Updates, Company will inform Customer in advance of new international transfers and assist Customer in assessing compliance obligations.
3. Customer Affiliates
- Contractual Relationship. By executing this DPA, Customer does so on behalf of itself and its Customer Affiliates, establishing a separate DPA between Company and each such Affiliate; references to “Customer” or “data exporter” shall mean “Customer Affiliate.”
- Communication. The contracting Customer coordinates all communications and may act on behalf of its Customer Affiliates.
- Rights of Customer Affiliates. Where required by law, a Customer Affiliate may exercise rights and seek remedies under this DPA; otherwise, the contracting Customer exercises rights on an aggregate basis for itself and its Affiliates.
4. Role and Scope of Processing
- Roles of the Parties. Customer is the Controller; Company Processes Customer Data as Processor.
- Company Data. Company acts as Controller for Company Data and will not retain it beyond the term unless required to fulfill the Processing purpose.
- Processing Instructions. Customer instructs Company to Process Customer Data to: (i) perform the Services; (ii) perform steps necessary to perform the Agreement/DPA; (iii) perform Processing initiated by Users; and (iv) follow reasonable Customer instructions consistent with the Agreement/DPA. Company will inform Customer if an instruction infringes Applicable Privacy Laws or if Company can no longer comply.
- Details of the Processing. Summarized in the Processing Details Attachment.
- Customer’s Processing of Personal Data. Customer (and Users) must comply with Controller obligations, including accuracy, quality, legality, consents, third-party processor usage, and email/content practices. If Company becomes aware Personal Data is inaccurate or outdated, Company will inform Customer without undue delay and cooperate to erase/rectify.
5. Company’s Processing of Personal Data
- Processing Principles. Company Processes Personal Data (i) in compliance with Processor obligations; (ii) per applicable Transfer Mechanisms; (iii) according to Customer instructions; and (iv) under Agreement confidentiality provisions.
- No Rights as a Controller. Except for Company Data, Company has no right, title, or interest in Personal Data and will not sell, rent, or lease such data. Nothing constitutes cross-context behavioral advertising “sharing” or “selling” between the parties.
6. Data Subject Requests
Company shall, to the extent legally permitted and where Customer can be identified as Controller, promptly notify Customer if it receives a Data Subject request (access, rectification, restriction, erasure, portability, objection, or automated decision-making). Taking into account the nature of Processing, Company will assist Customer by appropriate technical and organizational measures. Where Customer lacks ability within the Services to address a request, Company will provide reasonable cooperation upon written request; Customer is responsible for any costs. Company will not respond directly without Customer’s prior authorization unless legally required (in which case Company will promptly notify Customer unless prohibited by law).
7. Return/Deletion of Data Upon Termination
Return or deletion of Personal Data under applicable Transfer Mechanisms or Applicable Privacy Laws will be initiated by Company only after Customer’s written request. Absent a specific written deletion request, Customer Data will be deleted per Company’s data retention policies.
8. Security of Processing
Customer acknowledges that Company’s Security Measures, as specified in the Trust Center and summarized in Attachment 3, may evolve with technical progress, provided overall security is not degraded. Customer remains responsible for secure use of the Services (e.g., credentials, in-transit protection to/from the Services, password hygiene, backups).
Company will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach, provide information/assistance as it becomes known or is reasonably requested, and use reasonable efforts to mitigate and remedy. Where required, Company will document facts, effects, and remediation. Any notification assistance beyond 8 hours of effort or the average monthly fees paid by Customer (whichever applies per the DPA) will be at Customer’s expense.
9. Sensitive Data
Customer agrees not to (and not to permit Users to) transmit, request, provide access to, submit, store, or include any Sensitive Information through the Services. Company may immediately terminate the Agreement, without refund, for violation of this paragraph.
10. Audits
Upon request, Company will provide audit report summaries/certifications and reasonably complete questionnaires to verify compliance (“Audit Information”). For Transfer Mechanism compliance, Customer agrees to leverage existing documentation where sufficient. If reasonably necessary to demonstrate GDPR compliance, Company shall allow and contribute to audits/inspections by Customer or its mandated auditor during normal hours, at Customer’s expense, and subject to obligations herein.
11. Sub-Processing
- Company Affiliates. Customer consents to Processing by Company Affiliates listed in the Processing Details Attachment (and any additional Affiliate Processors if Customer purchases additional Services).
- Sub-processors. Customer consents to Sub-processors listed at meetmarigold.com/sub-processors-privacy/. Company may add Sub-processors in accordance with applicable Transfer Mechanisms or Applicable Privacy Laws. Sign up for Privacy Updates to receive advance notices.
- Objection. Customer may object on reasonable data-protection grounds within 10 days of notice. Parties will discuss alternatives in good faith for 30 days; failing resolution, Company will not appoint/replace the Sub-processor, or Customer may terminate (in whole or part) on written notice within 10 days after the resolution period.
- Sub-processor DPAs. Company will maintain written DPAs with Sub-processors with measures no less protective than this DPA and remains fully liable for their performance. Redacted copies can be provided upon written request.
12. Redress
Any cooperation/assistance by Company to address or resolve disputes caused by Customer’s acts/omissions under Transfer Mechanisms or Applicable Privacy Laws shall be at Customer’s expense.
13. DPIAs & TIAs
Where required by Applicable Privacy Laws or Transfer Mechanisms, Company will assist Customer with DPIAs/TIAs and, where legally required, consultations with data protection authorities for high-risk Processing.
14. Liability
All claims/remedies arising under this DPA (including fines, law breaches, or Transfer Mechanism obligations) are subject to the Agreement’s limitations/exclusions of liability and aggregate caps. Customer’s maximum recovery for Sub-processor-caused losses is limited to Company’s recovery from that Sub-processor where lower than the Agreement cap. Aggregate caps apply across the Agreement and all DPAs. No party limits liability with respect to any individual’s data protection rights.
15. General
- Termination. This DPA and Transfer Mechanisms terminate with the Agreement; Company will continue to ensure Transfer Mechanism compliance for retained Customer Data until deletion is requested.
- Modifications & Severability. Parties will negotiate amendments in good faith to maintain compliance when laws change; if not agreed, Company may terminate the Agreement and applicable Ordering Documents. Any unenforceable part does not affect the remainder.
- Order of Precedence. For privacy matters: (1) applicable Transfer Mechanism(s); (2) body of this DPA; (3) the Agreement. For all other contractual matters, the Agreement controls.
- Entire Agreement. This DPA and the Agreement constitute the entire understanding regarding its subject matter and may be executed in counterparts, including electronically.
Attachment 1
Application of Transfer Mechanism(s) — Annex I
| Details of the Parties | |
|---|---|
| Customer | Company |
| 1.1 Organization Details As specified under the applicable ordering document(s). |
1.1 Organization Details As specified under the applicable ordering document(s). |
| 1.2 Key Contact (data protection) As specified under the applicable ordering document(s), unless otherwise specified in writing between the parties. |
1.2 Key Contact Full Name: Art Quanstrom Job Title: VP of Global Data Privacy Email: privacy@meetmarigold.com |
| 1.3 Role in the Processing Controller |
1.3 Role in the Processing Processor |
| Details of the Processing | |
|---|---|
| 2.1 Categories of Data Subjects | As described in Attachment 2. |
| 2.2 Categories of Personal Data | As described in Attachment 2. |
| 2.3 Special Category Data | N/A. The Agreement does not allow processing of GDPR Art. 9 special categories. |
| 2.4 Transfer Frequency | As described in Attachment 2. |
| 2.5 Categories of Processing Operations | As described in Attachment 2. |
| 2.6 Purpose(s) of transfer and further Processing | As described in Attachment 2. |
| 2.7 Data Retention Period | For the duration of the Agreement, unless/until Customer requests deletion (including by actions within the Services). |
| 2.8 Transfers to Sub-processors | For the duration of the Agreement, unless/until Customer requests deletion (including by actions within the Services). |
| Transfer Mechanisms | |
|---|---|
| 3.1 Roles of the Parties | For EU SCCs, Company is “data exporter”; Customer (and/or Authorized Affiliates) is “data importer.” |
| 3.2 Applicable EU SCC Modules | Module 1 — No; Module 2 — No; Module 3 — No; Module 4 — Yes. |
| 3.3 Use of Sub-processors | General Written Authorization per Paragraph 11. |
| 3.4 Docking Clause | Clause 11 optional language does not apply. |
| 3.5 Competent Supervisory Authority | EU SCCs: Belgium. UK Addendum: UK ICO. |
| 3.6 Jurisdiction and Forum | Clauses 17 & 18: Belgium. |
| 3.7 Processing Appendices | Appendices I–III (Module 4) are included in this Attachment. |
| 3.8 Combination of Personal Data (UK Table 2) | No. |
| 3.9 Ending this Addendum (UK Table 4) | Which Parties may end as set out in Section 19: Importer / Exporter — neither Party. |
Attachment 2 — Processing Details Attachment
| Product | Company Affiliate | Data Subjects | Processing Operations (Purpose & Nature) | Categories of Personal Data | Frequency of Transfer | Processing Locations |
|---|---|---|---|---|---|---|
| Marigold Grow | Marketing Technology Partners UK Ltd (Northern And Shell Building, 10 Lower Thames Street, London, United Kingdom, EC3R 6EN) | Customer Contacts | Collection, recording, organization, structuring, and storage to provide online experiences through which Customers engage with their own customers and other individuals. | As determined by Customer, but typically name, email, other directory information, and IP address. | Continuous | United States, United Kingdom, Belgium, India, Costa Rica, Malaysia |
| Marigold Loyalty | Marigold USA Inc. (11 Lea Avenue, Nashville, TN 37210) | Customer Contacts | Collection, recording, organization, structuring, and storage of personal data for the purpose of providing customer loyalty programs. | As determined by the Customer, but typically name, IP address, unique identifier, and other elements relevant to Customer’s loyalty program. | Continuous | United States, Germany, Japan, Australia, India, Philippines, Costa Rica, Malaysia |
| Liveclicker | Liveclicker Inc. (11 Lea Avenue, Nashville, TN 37210) | Customer Contacts | Collection, recording, and storage of personal data to enable customers to dynamically choose email campaign assets based on email recipient attributes. | Unique identifier (usually email address), IP address, device attributes, and other information as determined by Customer. | Continuous | United States |
Attachment 3 — Marigold Security Measures
| Security Measures | Selligent | Marigold Grow | Marigold Loyalty | Marigold Liveclicker |
|---|---|---|---|---|
| Measures of pseudonymisation and encryption of personal data | X | X | X | X |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | X | X | X | X |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | X | X | X | X |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | X | X | X | X |
| Measures for user identification and authorisation | X | X | X | X |
| Measures for the protection of data during transmission | X | X | X | X |
| Measures for the protection of data during storage | X | X | X | X |
| Measures for ensuring physical security of locations at which personal data are processed | X | X | X | X |
| Measures for ensuring events logging | X | X | X | X |
| Measures for ensuring system configuration, including default configuration | X | X | X | X |
| Measures for internal IT and IT security governance and management | X | X | X | X |
| Measures for certification/assurance of processes and products | ||||
| Measures for ensuring data minimisation | X | X | X | X |
| Measures for ensuring data quality | ||||
| Measures for ensuring limited data retention | X | X | X | X |
| Measures for ensuring accountability | X | X | X | X |
| Measures for allowing data portability and ensuring erasure | X | X | X | X |
Last Updated: May 22, 2025