1. Subject matter and term
This Data Processing Agreement (DPA) governs the processing of personal data by EngageBay GmbH (Processor) on behalf of the Customer (Controller) in connection with the use of the EngageBay platform.
The term of the data processing corresponds to the duration of the main agreement (Terms of Service). Upon termination of the main agreement, this DPA also terminates.
2. Nature and purpose of processing
Processing includes: storage and management of email addresses and related contact data (subscribers), sending email campaigns and transactional messages, processing engagement data (opens, clicks, bounces), providing analytics and reports, and operating automation workflows.
The purpose of processing is to provide the email marketing services agreed in the main contract.
3. Categories of data subjects and data types
Data subjects: email subscribers and contacts of the Controller, recipients of email campaigns.
Categories of personal data: email addresses, first and last name, custom fields (defined by the Controller), engagement data (opens, clicks, timestamps), technical data (IP addresses, user agent, geolocation at country level), and consent evidence (timestamp, source, double‑opt‑in status).
4. Obligations of the Processor
EngageBay agrees to: process personal data only on documented instructions from the Controller, ensure the confidentiality of the data, implement appropriate technical and organizational measures, engage subprocessors only with prior approval, assist the Controller in fulfilling its obligations, and delete or return all data at the end of the processing.
5. Technical and organizational measures (TOMs)
The Processor implements the following TOMs: encryption of all data in transit (TLS 1.3) and at rest (AES‑256), physical access control through ISO 27001‑certified data centres, logical access control with role‑based permissions and 2FA, input control via comprehensive audit logs for all data changes, transfer control through encrypted communication channels, availability control via redundant systems and daily backups, and separation by design through a multi‑tenant architecture with strict data isolation.
6. Subprocessors
EngageBay uses the following subprocessors:
Amazon Web Services EMEA SARL (Luxembourg) – cloud hosting and data processing.
Hetzner Online GmbH (Germany) – backup servers.
Stripe Inc. (USA, based on EU standard contractual clauses) – payment processing.
Postmark/ActiveCampaign (USA, based on EU standard contractual clauses) – SMTP delivery.
Changes to subprocessors are notified at least 30 days in advance by email. The Controller has the right to object.
7. Support for data subject rights
EngageBay supports the Controller in fulfilling data subject rights through: API endpoints for data export and deletion, dashboard features for one‑click deletion, automated handling of unsubscribe requests, and notification of any data subject requests received directly by EngageBay.
Data subject requests received directly by EngageBay are forwarded to the Controller without delay.
8. Notification of data breaches
EngageBay will notify the Controller of any data breach without undue delay, and in any case within 48 hours of becoming aware of it.
The notification will include: the nature of the breach, the categories of data and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the impact.
9. Deletion and return of data
Following termination of the main agreement, the Processor will delete all personal data within 30 days, unless statutory retention obligations require otherwise.
Upon request, the Controller may export the data in JSON or CSV format before deletion.
Deletion includes all systems: live databases, backups, logs, caches, and third‑party systems.
10. Audits and controls
The Controller has the right to verify compliance with this DPA: by requesting current certifications and audit reports (e.g., SOC 2 Type II, available on request), by submitting written inquiries, which are answered within 14 days, and by on‑site audits with reasonable prior notice (at least 30 days).
The Controller bears the costs of on‑site audits. EngageBay will provide the necessary resources.
11. Final provisions
This DPA forms an integral part of the main agreement and becomes effective upon registration. Modifications require written form.
This agreement is governed by German law. The place of jurisdiction is Berlin.
A PDF version of this DPA can be requested at hello@engage-bay.com.