Data Processing Agreement

Last modified: May 28, 2024

1. Definitions

Capitalized terms that are not specifically defined in this DPA have the same meanings as set forth in the Agreement. Unless the context otherwise requires, the use of the term “Agreement” alone shall be interpreted to include the Agreement, the Order, and this DPA, as well as any other agreement between the parties made part of or pursuant to the Agreement. The following definitions shall apply:

“Applicable Data Protection Law” means any applicable data privacy, data protection, and data security law or regulation governing the collection, use, and processing of Personal Information, including but not limited to Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”), the California Consumer Protection Act of 2018 (the “CCPA”) and the California Privacy Rights Act (the “CPRA”);

“Authorized Persons” means Chill Subs’s employees, contractors, and agents who have a need to know or otherwise access Personal Information to enable Chill Subs to perform its obligations under this Agreement, and who are bound by confidentiality and other obligations sufficient to protect Personal Information in accordance with the terms and conditions of this Agreement.

“Contracted Business Purpose” means the Services described in the Agreement.

“Data Breach” means any unauthorized access to or disclosure or acquisition of Personal Information as defined under Applicable Data Protection Law.

“Personal Information” means information that Customer provides or for which Customer provides access to Chill Subs or information which Chill Subs creates or obtains on behalf of Customer, in accordance with this Agreement that: (i) directly or indirectly identifies an individual (including, for example, names, email addresses, other personal info); or (ii) can be used to identify or authenticate an individual (like user identification and account access credentials or passwords).

2. Chill Subs’s Obligations

2.1 Chill Subs will comply with the terms and conditions set forth in this Agreement.

2.2 Chill Subs will only collect, use, retain, or disclose Personal Information in furtherance of the Contracted Business Purposes. 

2.3 Chill Subs will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

2.4 Chill Subs will not disclose Personal Information to any person other than its Authorized Persons without Customer’s prior written consent unless required by Applicable Data Protection Law, in which case, Chill Subs will use reasonable efforts to notify Customer before such disclosure or as soon thereafter as reasonably possible, consistent with the requirements of Applicable Data Protection Law.

2.5 Chill Subs will reasonably comply with any Customer request or instruction to Chill Subs to provide, amend, transfer, or delete personal information, or to stop, mitigate, or remedy any unauthorized processing of Personal Information. Further, Chill Subs will provide reasonable assistance to Customer in responding to data privacy-related inquiries, including responding to verifiable consumer requests, taking into account the nature of the Chill Subs’s processing and the information available to Chill Subs.

2.6 If a Contracted Business Purpose requires the direct or indirect collection of personal information from individuals on the Customer’s behalf, Chill Subs will provide a compliant notice under Applicable Data Protection Law at the time of collection.

2.7 Chill Subs will employ reasonable security measures to protect Personal Information in accordance with accepted industry standards.

3. Customer’s Obligations.

3.1 Customer will comply with the terms and conditions set forth in this Agreement.

3.2 Customer is responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information that is under its control or in its possession.

3.3 Customer will comply with Applicable Data Protection Law and use only secure methods, according to accepted industry standards, when transferring or otherwise making Personal Information available to Chill Subs.

3.4 Customer will ensure that only Personal Information that is reasonably necessary and proportionate to achieve the Contracted Business Purposes is provided to Chill Subs by Customer or its Authorized Persons.

3.5 Customer will provide written notice to Chill Subs if any information Customer directly provides to Chill Subs under this Agreement contains Personal Information of end consumers of Customer’s products or services. Chill Subs will not be responsible for determining on its own that any such information that Customer directly provides to Chill Subs qualifies as Personal Information.

4. Subcontractors.

Chill Subs may use subcontractors in connection with the provision of the Contracted Business Purpose, provided that where appropriate, Chill Subs contractually obligates each subcontractor to terms at least as protective as those in this Agreement with respect to the processing of Personal Information. Notwithstanding the use of any subcontractor, Chill Subs shall remain fully liable to Customer for any failure by any of its subcontractors to fulfill its obligations under this Agreement in relation to the processing of Personal Information. For each subcontractor used, Chill Subs will provide Customer an up-to-date list disclosing the subcontractor name, contact information and type of service provided. If no objection is received within ten (10) business days of providing such updated list, Chill Subs will deem the subcontractor approved. 

Below is a list of our subprocessors, the services they provide, and links to their respective privacy policies and data processing agreements:

1. MongoDB Atlas (MongoDB, Inc.):

• Service Provided: Cloud-based database platform enabling efficient storage, management, and access to data.

• Company Location: New York, NY, US

• Processing Location: US

• Privacy Policy: https://www.mongodb.com/legal/privacy-policy

• Data Processing Agreement: https://www.mongodb.com/legal/data-processing-agreement

2. Mailgun (Mailgun Technologies, Inc.):

• Service Provided: Transactional email APIs for sending automated emails, including customer notifications and personalized messages.

• Company Location: San Antonio, TX, US

• Processing Location: US

• Privacy Policy: https://www.mailgun.com/legal/privacy-policy/ 

• Data Processing Agreement: https://www.mailgun.com/legal/dpa/ 

3. Stripe (Stripe, Inc.):

• Service Provided: Payment processing and invoicing, including recurring payments.

• Company Location: San Francisco, CA, US

• Processing Location: US

• Privacy Policy: https://stripe.com/privacy

• Data Processing Agreement: https://stripe.com/legal/dpa 

4. AWS (Amazon Web Services, Inc.):

• Service Provided: Cloud computing services for system infrastructure.

• Company Location: Seattle, WA, US

• Processing Location: US

• Privacy Policy: https://aws.amazon.com/privacy/

• Data Processing Agreement: https://aws.amazon.com/compliance/gdpr-center/

5. Clerk (Clerk, Inc.):

• Service Provided: User management platform.

• Company Location: San Francisco, CA, US

• Processing Location: US

• Privacy Policy: https://clerk.com/legal/privacy 

• Data Processing Agreement: https://clerk.com/legal/dpa 

6. Google Analytics (Google LLC):

• Service Provided: Analytical reports for website and service performance.

• Company Location: Mountain View, CA, US

• Processing Location: US

• Privacy Policy: https://policies.google.com/privacy?hl=en-US 

• Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum 

7. PostHog (PostHog, Inc.):

• Service Provided: Analytical reports for website and service performance.

• Company Location: San Francisco, CA, US

• Processing Location: EU

• Privacy Policy: https://posthog.com/privacy 

• Data Processing Agreement: https://posthog.com/dpa 

8. Shopify (Shopify Inc.):

• Service Provided: E-commerce platform services.

• Company Location: Ottawa, Ontario, Canada

• Processing Location: Canada

• Privacy Policy: https://www.shopify.com/legal/privacy 

• Data Processing Agreement: https://www.shopify.com/legal/dpa 

9. Substack (Substack Inc.):

• Service Provided: Newsletter distribution.

• Company Location: San Francisco, CA, US

• Processing Location: US

• Privacy Policy: https://substack.com/privacy 

• Data Processing Agreement: https://substack.com/pa 

10. MailerLite (MailerLite, Inc.):

• Service Provided: Email marketing and automation services.

• Company Location: San Francisco, CA, US

• Processing Location: US

• Privacy Policy: https://www.mailerlite.com/legal/privacy-policy 

• Data Processing Agreement: https://www.mailerlite.com/legal/data-processing-agreement 

5. Data Breach Procedures.

5.1 Chill Subs will notify Customer of a Data Breach involving Customer’s Personal Information as soon as reasonably practicable after Chill Subs becomes aware of it.

5.2 Immediately following Chill Subs’s notification to Customer of a Data Breach, the parties will coordinate with each other, as necessary, to investigate the Data Breach. 

5.3 Chill Subs agrees that it will not inform any third party of any Data Breach without Customer’s prior consent, other than to inform a complainant that the matter has been forwarded to Customer’s attention unless otherwise required by Applicable Data Protection Law.