Data Processing Agreement

Last updated: 9/5/2025

Enterprise Customers
Agreement Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between IDEA GROUP sp. z o.o. ("Data Processor") and enterprise customers ("Data Controller") who use our services to process personal data.

This DPA ensures compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Definitions

Data Controller

The enterprise customer who determines the purposes and means of processing personal data.

Data Processor

IDEA GROUP sp. z o.o., who processes personal data on behalf of the Data Controller.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal data, including collection, storage, and analysis.

Processing Details

Subject Matter

Processing of personal data for the provision of AI-powered email analysis and strategy services through the converting.email platform.

Duration

For the duration of the service agreement, plus any additional period required for data retention or legal compliance.

Nature and Purpose

  • Email content analysis and optimization
  • User account management and authentication
  • Service delivery and support
  • Platform security and fraud prevention
  • Service improvement and analytics

Types of Personal Data

  • Contact information (email addresses, names)
  • Email content and communications
  • Account preferences and settings
  • Usage data and analytics
  • Technical data (IP addresses, device information)

Categories of Data Subjects

  • Enterprise customer employees and representatives
  • End users of the customer's email campaigns
  • Third parties whose data appears in email content

Data Processor Obligations

Processing Instructions

We will process personal data only in accordance with documented instructions from the Data Controller and this DPA.

Confidentiality

All personnel with access to personal data are bound by confidentiality obligations and receive appropriate training on data protection.

Security Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments and audits
  • Incident response and breach notification procedures
  • Data backup and recovery systems

Sub-processors

We may engage sub-processors with the Data Controller's prior written consent. All sub-processors are bound by equivalent data protection obligations.

Data Controller Rights

Audit Rights

The Data Controller has the right to audit our compliance with this DPA, subject to reasonable notice and confidentiality obligations.

Data Subject Rights

We will assist the Data Controller in responding to data subject requests for access, rectification, erasure, and portability.

Data Protection Impact Assessments

We will provide reasonable assistance for data protection impact assessments and prior consultations with supervisory authorities.

Breach Notification

We will notify the Data Controller without undue delay of any personal data breach, providing detailed information about the incident.

Technical and Organizational Measures

Technical Measures

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Multi-factor authentication
  • Regular security updates
  • Network segmentation
  • Intrusion detection systems
  • Automated backup systems
  • Secure coding practices

Organizational Measures

  • Data protection training programs
  • Access control policies
  • Incident response procedures
  • Regular security assessments
  • Vendor management processes
  • Data retention policies
  • Privacy by design principles
  • Regular compliance audits

International Data Transfers

We may transfer personal data to countries outside the European Economic Area (EEA) only with appropriate safeguards in place.

Standard Contractual Clauses

We use EU-approved Standard Contractual Clauses for international transfers.

Adequacy Decisions

We may transfer data to countries with adequacy decisions from the European Commission.

Binding Corporate Rules

We implement binding corporate rules for intra-group transfers.

Data Retention and Deletion

Retention Periods

  • Account data: Until account deletion
  • Email analysis data: 90 days
  • Audit logs: 2 years
  • Backup data: 30 days after deletion

Deletion Procedures

Upon termination of the service agreement, we will delete or return all personal data to the Data Controller, unless retention is required by law.

Secure Deletion

We use secure deletion methods that make data recovery impossible, including cryptographic erasure and physical destruction of storage media.

Liability and Indemnification

Data Processor Liability

We are liable for damages caused by processing that infringes this DPA, subject to the limitations set forth in the main service agreement.

Data Controller Liability

The Data Controller is liable for ensuring that processing instructions comply with applicable data protection laws.

Indemnification

Each party will indemnify the other against claims arising from their breach of this DPA or applicable data protection laws.

Termination

This DPA terminates automatically upon termination of the main service agreement. Upon termination, we will return or delete all personal data in accordance with our data retention and deletion procedures.

Contact Information

For questions about this Data Processing Agreement:

Data Protection Officer: hello@converting.email

Legal Department: hello@converting.email

Company: IDEA GROUP sp. z o.o.