Data Processing Agreement
Last updated: June 8, 2026
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the agreement between HTMLVault (“HTMLVault,” “we,” “Processor”) and the customer identified in the applicable order or account (“Customer,” “Controller,” “you”) for use of the HTMLVault service (the “Service”) (the “Agreement”). It governs HTMLVault’s processing of Personal Data on Customer’s behalf in connection with the Service. If you require a signed copy for your records, request one at [email protected]. By accepting the Agreement and using the Service to process Personal Data of third parties, you agree to this DPA. In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.
1. Definitions
- “Applicable Data Protection Laws” means all privacy and data protection laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended (CCPA/CPRA).
- “Personal Data,” “Controller,” “Processor,” “Data Subject,” “Processing,” and “Personal Data Breach” have the meanings given in Applicable Data Protection Laws.
- “Customer Personal Data” means Personal Data that HTMLVault processes on Customer’s behalf in providing the Service — for example, personal data contained in the HTML content Customer publishes and the analytics generated about visitors to Customer’s links.
- “Subprocessor” means any third party engaged by HTMLVault to process Customer Personal Data.
- “Standard Contractual Clauses” (SCCs) means the clauses approved by the European Commission for the transfer of Personal Data to third countries, and the UK International Data Transfer Addendum where applicable.
2. Roles and scope
The parties acknowledge that, for Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party controller) and HTMLVault is the Processor. HTMLVault processes Customer Personal Data only to provide the Service and only on Customer’s documented instructions, including as set out in this DPA and the Agreement. HTMLVault remains an independent Controller for the limited account, billing, and Service-operation data described in our Privacy Policy; that processing is governed by the Privacy Policy, not this DPA. The details of the processing (subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects) are set out in Annex 1.
3. Customer instructions and responsibilities
HTMLVault will process Customer Personal Data only in accordance with Customer’s documented instructions, unless required by law (in which case HTMLVault will inform Customer where legally permitted). Customer’s use of the Service constitutes its documented instructions. Customer represents and warrants that it has a lawful basis to collect and process the Customer Personal Data, that it has provided all required notices and obtained all required consents from Data Subjects, and that its instructions comply with Applicable Data Protection Laws. Customer is responsible for the accuracy, quality, and legality of the Customer Personal Data and the means by which it acquired it — including any personal data it chooses to include in published content, reports, or lead lists.
4. Confidentiality
HTMLVault will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as necessary to provide the Service.
5. Security
HTMLVault will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex 2 and may be updated provided the level of protection is not materially reduced.
6. Subprocessors
Customer provides general authorization for HTMLVault to engage Subprocessors to process Customer Personal Data. HTMLVault maintains a current list of Subprocessors at /legal/subprocessors. HTMLVault will impose data protection obligations on each Subprocessor that are substantially similar to those in this DPA and remains responsible for its Subprocessors’ processing of Customer Personal Data. HTMLVault will provide notice of any intended addition or replacement of a Subprocessor (by updating the Subprocessors page and, on request, by notifying Customer). Customer may object on reasonable, data-protection-related grounds within thirty (30) days; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected portion of the Service.
7. Data subject rights
Taking into account the nature of the processing, HTMLVault will assist Customer, by appropriate technical and organizational measures and insofar as reasonably possible, in fulfilling Customer’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws. If HTMLVault receives such a request directly relating to Customer Personal Data, it will, where permitted, direct the Data Subject to Customer rather than responding itself.
8. Personal data breach
HTMLVault will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to assist Customer in meeting its breach-notification obligations. HTMLVault will take reasonable steps to mitigate and remediate the breach.
9. Data protection impact assessments
HTMLVault will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out, to the extent such assistance relates to HTMLVault’s processing and is reasonably available to HTMLVault.
10. International transfers
Where HTMLVault’s processing of Customer Personal Data involves a transfer from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum where relevant) are incorporated into this DPA by reference and apply to that transfer. Customer acts as data exporter and HTMLVault as data importer.
11. Return and deletion
Upon termination or expiry of the Agreement, HTMLVault will, at Customer’s choice, delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by law or for the limited periods described in our retention practices. Deletion is subject to the inactivity and retention windows applicable to Customer’s plan.
12. Audits
HTMLVault will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where Customer reasonably requires further information to satisfy an audit obligation under Applicable Data Protection Laws, the parties will agree in advance on the scope, timing, and cost of any audit, conducted no more than once per year (absent a regulatory requirement or a Personal Data Breach), during business hours, and subject to confidentiality, so as not to disrupt the Service or other customers.
13. CCPA terms
To the extent the CCPA/CPRA applies, HTMLVault acts as a “service provider.” HTMLVault will not sell or share Customer Personal Data, will not retain, use, or disclose it for any purpose other than providing the Service (or as otherwise permitted by the CCPA), and will not combine it with personal information from other sources except as permitted by the CCPA. HTMLVault certifies it understands and will comply with these restrictions.
14. Liability and term
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA takes effect when the Agreement does and continues for as long as HTMLVault processes Customer Personal Data.
Annex 1 — Details of processing
- Subject matter: HTMLVault’s provision of the Service to Customer.
- Duration: For the term of the Agreement and any applicable retention period thereafter.
- Nature and purpose: Hosting, storing, serving, scanning, and generating analytics for the HTML content and links Customer creates, as configured by Customer.
- Types of Personal Data: Any Personal Data Customer chooses to include in its content, links, reports, or lead lists; and visitor analytics data such as IP-derived approximate location, device and browser information, and interaction metrics.
- Categories of Data Subjects: Customer’s own contacts, leads, recipients, and the visitors who view Customer’s links — as determined by Customer.
- Special category data: Not intended; Customer should not submit special-category data unless it has a lawful basis and notifies HTMLVault.
Annex 2 — Technical and organizational measures
- Encryption of Personal Data in transit (TLS).
- Encryption of stored credentials and customer-provided AI provider keys.
- Access controls and least-privilege access to production systems.
- Authentication via a dedicated identity provider; no stored passwords.
- Malicious-URL and PII scanning safeguards.
- Secret scanning in the development pipeline and change-control via version control and CI.
- Logical separation of customer data and application-enforced authorization.
Annex 3 — Approved Subprocessors
The current list of Subprocessors is maintained at /legal/subprocessors and incorporated by reference.
Contact
HTMLVault, 704 13th St East, Suite 600, Whitefish, MT 59937. [email protected]