DATA PROCESSING ADDENDUM
Effective date: May 3, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between ColdMsg and the customer ("Customer") and applies to the extent ColdMsg processes Personal Data on behalf of Customer that is subject to the GDPR, the UK GDPR, the Swiss FADP, the California Consumer Privacy Act as amended by the CPRA, or other applicable data-protection laws ("Applicable Data Protection Laws"). Capitalised terms not defined here have the meaning given in the Terms or, where applicable, in the GDPR.
By using ColdMsg, Customer accepts this DPA on behalf of itself and any affiliate using the service under Customer's account. No signature is required; this DPA is automatically incorporated into Customer's agreement with ColdMsg.
1. ROLES OF THE PARTIES
Customer Personal Data (processor scope). For Personal Data that Customer uploads, imports, or otherwise provides to the service — including recipient lists, campaign content, mailbox contents, sender configuration, and inbound replies received on Customer's behalf — Customer is the controller and ColdMsg is the processor acting on Customer's documented instructions.
Investor database (independent controller scope). For Personal Data contained in the ColdMsg investor database, ColdMsg acts as an independent controller on the legal basis of legitimate interests (Art. 6(1)(f) GDPR), as described in the Investor Privacy Notice. This DPA does not apply to that processing; it is governed by the Investor Privacy Notice.
Service operations (independent controller scope). For Personal Data ColdMsg processes about Customer's authorised users for account management, billing, security, fraud prevention, abuse detection, and product improvement, ColdMsg acts as an independent controller as described in the Privacy Policy.
2. PROCESSING DETAILS
Subject matter: provision of the ColdMsg outbound-email and CRM platform.
Duration: the term of the agreement, plus any retention windows disclosed in the Privacy Policy.
Nature and purpose: transmission of outbound email at Customer's direction; capture of inbound replies; AI drafting and scoring; suppression management; deliverability monitoring; storage and search of Customer-uploaded content.
Categories of data subjects: Customer's authorised users; recipients of Customer's outbound campaigns; senders of inbound replies.
Categories of Personal Data: names, business email addresses, postal addresses, professional roles, employer affiliations, message content, message metadata, and any other Personal Data Customer chooses to include.
3. CUSTOMER WARRANTIES
Customer represents and warrants that:
- Customer has a documented lawful basis under Applicable Data Protection Laws for every processing activity it instructs ColdMsg to perform, including for the sending of outbound communications to each recipient;
- Customer has provided all notices and obtained all consents required by Applicable Data Protection Laws prior to providing Personal Data to ColdMsg;
- Customer's instructions to ColdMsg do not violate any Applicable Data Protection Law;
- Personal Data uploaded to the service was not obtained from purchased consumer lists, breached datasets, or scraped consumer profiles;
- Customer will respond to data-subject requests directed to it as the controller, including by promptly issuing instructions to ColdMsg as needed.
Customer will indemnify ColdMsg against any claim, fine, or loss arising from breach of these warranties, in addition to the indemnity in the Terms.
4. COLDMSG OBLIGATIONS
ColdMsg will:
- process Customer Personal Data only on Customer's documented instructions, including as set out in the Terms and this DPA, except where required by law;
- ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations;
- implement and maintain the technical and organisational measures described in Section 8 (TOMs);
- assist Customer, taking into account the nature of the processing, in fulfilling Customer's obligations to respond to data-subject requests under Articles 12–23 GDPR;
- assist Customer, taking into account the information available to ColdMsg, with security, breach notification, data-protection impact assessments, and prior-consultation obligations under Articles 32–36 GDPR;
- make available to Customer the information necessary to demonstrate compliance with Article 28 GDPR.
5. SUB-PROCESSORS
Customer provides general written authorisation for ColdMsg to engage sub-processors. The current list is published in Section 5 of the Privacy Policy and is incorporated by reference. ColdMsg will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and will remain liable to Customer for the performance of each sub-processor's obligations.
ColdMsg will give at least 30 days' advance notice of any new or replaced sub-processor by updating the list in the Privacy Policy and notifying account-administrator users by email. If Customer reasonably objects on data-protection grounds within that notice period, Customer may terminate the affected service for convenience.
6. INTERNATIONAL TRANSFERS
Where Customer Personal Data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country not covered by an adequacy decision, transfers are governed by:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor), incorporated into this DPA by reference and completed as follows: Clause 7 (docking) applies; Clause 9(a) option 2 (general written authorisation, 30 days' notice); Clause 11(a) optional independent dispute-resolution language is not selected; Clause 17 governing law is Ireland; Clause 18 forum is the courts of Ireland; Annexes I and II are populated by Section 2 (Processing Details) and Section 8 (TOMs) of this DPA respectively;
- for UK data, the UK International Data Transfer Addendum (version B1.0) issued by the ICO under section 119A of the Data Protection Act 2018, incorporated by reference;
- for Swiss data, the SCCs as adapted under guidance from the Swiss FDPIC.
In a conflict between this DPA and the SCCs, the SCCs prevail.
7. DATA-SUBJECT REQUESTS AND BREACH NOTIFICATION
If ColdMsg receives a data-subject request that relates to Customer Personal Data processed on Customer's behalf, ColdMsg will, without undue delay, forward the request to Customer and will not respond directly except to confirm receipt and to direct the data subject to Customer.
ColdMsg will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Customer Personal Data, and will provide reasonably available information to assist Customer in meeting its own notification obligations.
8. TECHNICAL AND ORGANISATIONAL MEASURES
ColdMsg implements and maintains the following technical and organisational measures, which constitute Annex II to the SCCs:
- TLS 1.2+ for all data in transit;
- AES-256-GCM encryption at rest for sensitive credentials including OAuth tokens and integration secrets;
- least-privilege access controls and role-based access for production systems;
- audit logging of administrative actions and access to Personal Data;
- hosting in EU-region data centres operated by Hetzner, with sub-processor transfers governed by Section 6;
- segregation of customer data at the application layer with row-level scoping enforced in the database;
- regular dependency patching and vulnerability scanning;
- background-checked personnel under written confidentiality obligations, with access provisioned on a need-to-know basis and revoked promptly on role change;
- incident-response procedures including a 72-hour breach-notification commitment;
- no storage of full payment card numbers (handled by Stripe, a PCI-DSS Level 1 service provider).
9. AUDITS
ColdMsg will, on Customer's reasonable written request and no more than once per twelve-month period (except where required by a competent supervisory authority or following a confirmed Personal Data breach affecting Customer), make available a summary of its most recent third-party security assessment, completed industry questionnaires (such as SIG Lite), and reasonable written responses to Customer's compliance questions, in lieu of on-site audit. On-site audits, where strictly required by Applicable Data Protection Laws, will be conducted at Customer's expense, on at least 30 days' notice, during business hours, subject to confidentiality, and in a manner that does not disrupt ColdMsg's operations or other customers.
10. RETURN AND DELETION
On termination of the agreement, ColdMsg will, at Customer's choice, return or delete Customer Personal Data within 30 days, except for: (a) data ColdMsg is required to retain by law; (b) suppression-list entries, which are retained as one-way hashes to honour opt-outs; (c) backup copies, which are deleted on the standard backup-rotation schedule (90 days); and (d) Derived Data (as defined in the Terms) that no longer identifies any data subject.
11. EU REPRESENTATIVE
ColdMsg's GDPR Article 27 representative in the EU is to be appointed and disclosed in the Privacy Policy. Until appointment, EU data-protection inquiries should be sent to privacy@coldmsg.com.
12. ORDER OF PRECEDENCE
In a conflict between this DPA and the Terms of Service, this DPA prevails with respect to ColdMsg's processing of Customer Personal Data. In a conflict between this DPA and the SCCs, the SCCs prevail.
13. CONTACT
Privacy and DPA questions: privacy@coldmsg.com
Legal notices: legal@coldmsg.com