Plateforme
Des solutions
MessagingGrowLoyaltyActivate
Secteurs
Financial ServicesMedia & PublishingQSRRetailTravel & Hospitality
Pourquoi Marigold
Notre différenceDes servicesPARTENAIRES
Resources
Content HubMarigold AcademyHelp Center
L'entreprise
À proposLeadershipEventsCARRIÈRESPresse et actualités
Français
English
Français
Commencez

EU Data Processing Agreement

Last Updated:
September 8, 2025
Data Processing Agreement (DPA)

Data Processing Agreement

NOTE REGARDING NEW SUB-PROCESSORS & OTHER PRIVACY UPDATES: Please sign up here to receive notices of new Sub-processor, Processing locations, or material changes to the Privacy Notice (“Privacy Updates”) after executing this DPA.

If you sign up for Privacy Updates, we will notify you (via email) at least 30 days prior to onboarding any new Sub-processor. From the date of notification, you will have 10 days to object to having any Personal Data of your Data Subjects Processed by that Sub-processor in accordance with Paragraph 11 of this DPA.

This Data Processing Agreement (the “DPA“, as updated from time to time) is a legal agreement between You (“Customer”, “You”, “Your”) and Company (each a “party” and collectively the “parties”) and defines the terms and conditions under which Personal Data will be processed by Company.

1. Definitions

For the purposes of this DPA, any terms defined by Applicable Privacy Laws (including any capitalized terms herein) shall have the same meaning as in the Applicable Privacy Laws. If Applicable Privacy Laws do not define such terms then definitions given in Applicable Privacy Laws for functionally similar terms will apply. References to “Paragraphs” in this DPA are to paragraphs of this DPA, excluding the EU SCCs and UK Addendum. References to “Clauses” in this DPA will be to clauses of the Standard Contractual Clauses. References to “Sections” in this DPA are to sections of the UK Addendum. All other capitalized terms used herein, but not otherwise defined, shall have the meanings assigned to them in the Agreement.

AffiliateAny entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control” means direct or indirect ownership or control of >50% of voting interests or the right to receive >50% of profits or earnings.
Applicable Privacy Law(s)All worldwide data protection and privacy laws applicable to the Personal Data Processed by Company in connection with the Agreement, including EU Data Protection Law, UK GDPR, FADP, and US Data Protection Laws.
Authorized PersonsAny person or entity who provides services on Company’s behalf, including Company’s employees, officers, partners, principals, contractors and Sub-processors.
Company DataData related to operation, performance, support, provisioning, and/or use of the Services (e.g., billing, usage, contract management).
Customer / Customer AffiliateCustomer is the party to the Ordering Document that signed this DPA. A Customer Affiliate is an Affiliate of Customer that is a Controller of Customer Data for the Services, subject to data protection laws, and a signing party to an Ordering Document.
Customer DataAny Personal Data that Company Processes as a Processor on behalf of Customer in providing the Services under an Ordering Document.
EU Data Protection LawGDPR, the e-Privacy Directive, and national implementations (as amended, superseded, or replaced).
EU SCCsStandard Contractual Clauses adopted by the European Commission on 4 June 2021 (as amended/superseded).
Ordering DocumentAny form provided by Company (including electronic form or SOW), executed by the Parties or agreed by Customer via the Site, setting the commercial terms for the Services.
Sensitive InformationPHI under HIPAA; “nonpublic personal information” under GLBA; COPPA-covered minor data; PCI cardholder data; GDPR Art. 9 special categories; government IDs, financial accounts, medical/employment/criminal/insurance numbers, passport numbers, or other highly sensitive data.
ServicesProducts, services, applications, tools and other resources provided or made available by Company to Customer per the Ordering Document.
Sub-processorAny third party (including Company Affiliates) engaged directly or indirectly by Company to Process Personal Data related to this DPA/Agreement.
Tracking TechnologiesCookies, tags, web beacons, pixels, and similar technologies.
Trust CenterSecurity information provided by Company at trust.meetmarigold.com.
UK AddendumInternational Data Transfer Addendum to the EU SCCs issued by the UK ICO for Restricted Transfers under the UK Data Protection Act 2018.
US Data Protection LawsU.S. state privacy laws including CCPA/CPRA, VCDPA, CPA, UCPA, and CTDPA.

2. International Data Transfers

Transfer Mechanisms

Company may Process Customer Data protected by Applicable Privacy Laws that require measures ensuring adequate protection for transfers to third countries. Where Customer is located outside the EEA or an adequate third country, the Parties agree to enter into Module Four of the EU SCCs and the UK Addendum as implemented within Attachment 1 (each a “Transfer Mechanism”). For FADP-subject transfers, the EU SCCs will be interpreted by replacing “GDPR” with “FADP,” and the FDPIC will be the competent supervisory authority. For the Transfer Mechanisms, Company is the data exporter and Customer is the data importer. Execution of an Ordering Document or use of the Services subject to this DPA constitutes both parties’ accession to the Transfer Mechanisms.

Location(s) of Processing

A list of current Processing locations applicable to the Services is available at meetmarigold.com/sub-processors-privacy/ and, as applicable, within the Processing Details Attachment.

International Transfers

Company and/or its Authorized Persons shall not Process or transfer Personal Data outside the territory in which it was first collected unless it implements measures necessary to comply with Applicable Privacy Laws. Transfers to Company Affiliates in adequate countries (EEA/UK decisions) will follow applicable adequacy decisions. Subject to Customer signing up for Privacy Updates, Company will inform Customer in advance of new international transfers and assist Customer in assessing compliance obligations.

3. Customer Affiliates

  • Contractual Relationship. By executing this DPA, Customer does so on behalf of itself and its Customer Affiliates, establishing a separate DPA between Company and each such Affiliate; references to “Customer” or “data exporter” shall mean “Customer Affiliate.”
  • Communication. The contracting Customer coordinates all communications and may act on behalf of its Customer Affiliates.
  • Rights of Customer Affiliates. Where required by law, a Customer Affiliate may exercise rights and seek remedies under this DPA; otherwise, the contracting Customer exercises rights on an aggregate basis for itself and its Affiliates.

4. Role and Scope of Processing

  • Roles of the Parties. Customer is the Controller; Company Processes Customer Data as Processor.
  • Company Data. Company acts as Controller for Company Data and will not retain it beyond the term unless required to fulfill the Processing purpose.
  • Processing Instructions. Customer instructs Company to Process Customer Data to: (i) perform the Services; (ii) perform steps necessary to perform the Agreement/DPA; (iii) perform Processing initiated by Users; and (iv) follow reasonable Customer instructions consistent with the Agreement/DPA. Company will inform Customer if an instruction infringes Applicable Privacy Laws or if Company can no longer comply.
  • Details of the Processing. Summarized in the Processing Details Attachment.
  • Customer’s Processing of Personal Data. Customer (and Users) must comply with Controller obligations, including accuracy, quality, legality, consents, third-party processor usage, and email/content practices. If Company becomes aware Personal Data is inaccurate or outdated, Company will inform Customer without undue delay and cooperate to erase/rectify.

5. Company’s Processing of Personal Data

  • Processing Principles. Company Processes Personal Data (i) in compliance with Processor obligations; (ii) per applicable Transfer Mechanisms; (iii) according to Customer instructions; and (iv) under Agreement confidentiality provisions.
  • No Rights as a Controller. Except for Company Data, Company has no right, title, or interest in Personal Data and will not sell, rent, or lease such data. Nothing constitutes cross-context behavioral advertising “sharing” or “selling” between the parties.

6. Data Subject Requests

Company shall, to the extent legally permitted and where Customer can be identified as Controller, promptly notify Customer if it receives a Data Subject request (access, rectification, restriction, erasure, portability, objection, or automated decision-making). Taking into account the nature of Processing, Company will assist Customer by appropriate technical and organizational measures. Where Customer lacks ability within the Services to address a request, Company will provide reasonable cooperation upon written request; Customer is responsible for any costs. Company will not respond directly without Customer’s prior authorization unless legally required (in which case Company will promptly notify Customer unless prohibited by law).

7. Return/Deletion of Data Upon Termination

Return or deletion of Personal Data under applicable Transfer Mechanisms or Applicable Privacy Laws will be initiated by Company only after Customer’s written request. Absent a specific written deletion request, Customer Data will be deleted per Company’s data retention policies.

8. Security of Processing

Customer acknowledges that Company’s Security Measures, as specified in the Trust Center and summarized in Attachment 3, may evolve with technical progress, provided overall security is not degraded. Customer remains responsible for secure use of the Services (e.g., credentials, in-transit protection to/from the Services, password hygiene, backups).

Company will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach, provide information/assistance as it becomes known or is reasonably requested, and use reasonable efforts to mitigate and remedy. Where required, Company will document facts, effects, and remediation. Any notification assistance beyond 8 hours of effort or the average monthly fees paid by Customer (whichever applies per the DPA) will be at Customer’s expense.

9. Sensitive Data

Customer agrees not to (and not to permit Users to) transmit, request, provide access to, submit, store, or include any Sensitive Information through the Services. Company may immediately terminate the Agreement, without refund, for violation of this paragraph.

10. Audits

Upon request, Company will provide audit report summaries/certifications and reasonably complete questionnaires to verify compliance (“Audit Information”). For Transfer Mechanism compliance, Customer agrees to leverage existing documentation where sufficient. If reasonably necessary to demonstrate GDPR compliance, Company shall allow and contribute to audits/inspections by Customer or its mandated auditor during normal hours, at Customer’s expense, and subject to obligations herein.

11. Sub-Processing

  • Company Affiliates. Customer consents to Processing by Company Affiliates listed in the Processing Details Attachment (and any additional Affiliate Processors if Customer purchases additional Services).
  • Sub-processors. Customer consents to Sub-processors listed at meetmarigold.com/sub-processors-privacy/. Company may add Sub-processors in accordance with applicable Transfer Mechanisms or Applicable Privacy Laws. Sign up for Privacy Updates to receive advance notices.
  • Objection. Customer may object on reasonable data-protection grounds within 10 days of notice. Parties will discuss alternatives in good faith for 30 days; failing resolution, Company will not appoint/replace the Sub-processor, or Customer may terminate (in whole or part) on written notice within 10 days after the resolution period.
  • Sub-processor DPAs. Company will maintain written DPAs with Sub-processors with measures no less protective than this DPA and remains fully liable for their performance. Redacted copies can be provided upon written request.

12. Redress

Any cooperation/assistance by Company to address or resolve disputes caused by Customer’s acts/omissions under Transfer Mechanisms or Applicable Privacy Laws shall be at Customer’s expense.

13. DPIAs & TIAs

Where required by Applicable Privacy Laws or Transfer Mechanisms, Company will assist Customer with DPIAs/TIAs and, where legally required, consultations with data protection authorities for high-risk Processing.

14. Liability

All claims/remedies arising under this DPA (including fines, law breaches, or Transfer Mechanism obligations) are subject to the Agreement’s limitations/exclusions of liability and aggregate caps. Customer’s maximum recovery for Sub-processor-caused losses is limited to Company’s recovery from that Sub-processor where lower than the Agreement cap. Aggregate caps apply across the Agreement and all DPAs. No party limits liability with respect to any individual’s data protection rights.

15. General

  • Termination. This DPA and Transfer Mechanisms terminate with the Agreement; Company will continue to ensure Transfer Mechanism compliance for retained Customer Data until deletion is requested.
  • Modifications & Severability. Parties will negotiate amendments in good faith to maintain compliance when laws change; if not agreed, Company may terminate the Agreement and applicable Ordering Documents. Any unenforceable part does not affect the remainder.
  • Order of Precedence. For privacy matters: (1) applicable Transfer Mechanism(s); (2) body of this DPA; (3) the Agreement. For all other contractual matters, the Agreement controls.
  • Entire Agreement. This DPA and the Agreement constitute the entire understanding regarding its subject matter and may be executed in counterparts, including electronically.

Attachment 1

Application of Transfer Mechanism(s) — Annex I

Details of the Parties
CustomerCompany
1.1 Organization Details
As specified under the applicable ordering document(s).
1.1 Organization Details
As specified under the applicable ordering document(s).
1.2 Key Contact (data protection)
As specified under the applicable ordering document(s), unless otherwise specified in writing between the parties.
1.2 Key Contact
Full Name: Art Quanstrom
Job Title: VP of Global Data Privacy
Email: privacy@meetmarigold.com
1.3 Role in the Processing
Controller
1.3 Role in the Processing
Processor
Details of the Processing
2.1 Categories of Data SubjectsAs described in Attachment 2.
2.2 Categories of Personal DataAs described in Attachment 2.
2.3 Special Category DataN/A. The Agreement does not allow processing of GDPR Art. 9 special categories.
2.4 Transfer FrequencyAs described in Attachment 2.
2.5 Categories of Processing OperationsAs described in Attachment 2.
2.6 Purpose(s) of transfer and further ProcessingAs described in Attachment 2.
2.7 Data Retention PeriodFor the duration of the Agreement, unless/until Customer requests deletion (including by actions within the Services).
2.8 Transfers to Sub-processorsFor the duration of the Agreement, unless/until Customer requests deletion (including by actions within the Services).
Transfer Mechanisms
3.1 Roles of the PartiesFor EU SCCs, Company is “data exporter”; Customer (and/or Authorized Affiliates) is “data importer.”
3.2 Applicable EU SCC ModulesModule 1 — No;  Module 2 — No;  Module 3 — No;  Module 4 — Yes.
3.3 Use of Sub-processorsGeneral Written Authorization per Paragraph 11.
3.4 Docking ClauseClause 11 optional language does not apply.
3.5 Competent Supervisory AuthorityEU SCCs: Belgium. UK Addendum: UK ICO.
3.6 Jurisdiction and ForumClauses 17 & 18: Belgium.
3.7 Processing AppendicesAppendices I–III (Module 4) are included in this Attachment.
3.8 Combination of Personal Data (UK Table 2)No.
3.9 Ending this Addendum (UK Table 4)Which Parties may end as set out in Section 19: Importer / Exporter — neither Party.

Attachment 2 — Processing Details Attachment

ProductCompany AffiliateData Subjects Processing Operations (Purpose & Nature)Categories of Personal Data Frequency of TransferProcessing Locations
Marigold Grow Marketing Technology Partners UK Ltd (Northern And Shell Building, 10 Lower Thames Street, London, United Kingdom, EC3R 6EN) Customer Contacts Collection, recording, organization, structuring, and storage to provide online experiences through which Customers engage with their own customers and other individuals. As determined by Customer, but typically name, email, other directory information, and IP address. Continuous United States, United Kingdom, Belgium, India, Costa Rica, Malaysia
Marigold Loyalty Marigold USA Inc. (11 Lea Avenue, Nashville, TN 37210) Customer Contacts Collection, recording, organization, structuring, and storage of personal data for the purpose of providing customer loyalty programs. As determined by the Customer, but typically name, IP address, unique identifier, and other elements relevant to Customer’s loyalty program. Continuous United States, Germany, Japan, Australia, India, Philippines, Costa Rica, Malaysia
Liveclicker Liveclicker Inc. (11 Lea Avenue, Nashville, TN 37210) Customer Contacts Collection, recording, and storage of personal data to enable customers to dynamically choose email campaign assets based on email recipient attributes. Unique identifier (usually email address), IP address, device attributes, and other information as determined by Customer. Continuous United States

Attachment 3 — Marigold Security Measures

Security Measures Selligent Marigold Grow Marigold Loyalty Marigold Liveclicker
Measures of pseudonymisation and encryption of personal dataXXXX
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and servicesXXXX
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incidentXXXX
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processingXXXX
Measures for user identification and authorisationXXXX
Measures for the protection of data during transmissionXXXX
Measures for the protection of data during storageXXXX
Measures for ensuring physical security of locations at which personal data are processedXXXX
Measures for ensuring events loggingXXXX
Measures for ensuring system configuration, including default configurationXXXX
Measures for internal IT and IT security governance and managementXXXX
Measures for certification/assurance of processes and products
Measures for ensuring data minimisationXXXX
Measures for ensuring data quality
Measures for ensuring limited data retentionXXXX
Measures for ensuring accountabilityXXXX
Measures for allowing data portability and ensuring erasureXXXX

Last Updated: May 22, 2025

‍

Platform
Marigold Marketing Platform
Solutions
MessagingLoyaltyActivateGrow
Industries
Financial ServicesMedia & PublishingQSRRetailTravel & Hospitality
Why Marigold
Our DifferenceServicesPartners
Resources
Content hubBlogsCase studiesResearchWebinarsMarigold AcademyHelp center
Commercial
Campaign MonitorEmmaVuture
Company
AboutLeadershipCareersEvents
Legal & Compliance
Trust CenterPrivacy NoticesAcceptable Use PolicyAnti-Spam PolicyServices AgreementsDo Not Sell or Share My Personal InformationModern Slavery StatementTransparency In Coverage
© All rights reserved.
Login