Data Processing Agreement

This Data Processing Agreement (“Agreement”) is made between Loops, Astrodon Corporation (“Data Processor”) and any entity using Loops’s services (“Data Controller”). By using the services provided by the Data Processor, the Data Controller agrees to the terms of this Agreement.

This Data Processing Agreement (“Agreement”) is made between Loops, Astrodon Corporation (“Data Processor”) and any entity using Loops’s services (“Data Controller”). By using the services provided by the Data Processor, the Data Controller agrees to the terms of this Agreement.

Last updated: 02/06/2025

  1. Purpose and Scope

  1. Objective

This Agreement defines the terms, conditions, and obligations of each Party to comply with applicable data protection laws regarding the processing of personal data (“Personal Data”).

  1. Nature, Purpose, and Duration of Processing

  • Nature: The Data Processor will collect, store, and otherwise process Personal Data electronically in order to provide the Services.

  • Purpose: The purpose of the processing is to offer and maintain email-sending services, troubleshoot issues, and provide related customer support.

  • Duration: The processing will last for the duration of the Services provided, unless otherwise agreed in writing.

  • Types of Personal Data: Typical data may include names, email addresses, contact details, and other data supplied by the Data Controller for sending or managing emails.

  • Categories of Data Subjects: Individuals whose Personal Data may be processed include employees, customers, or any other users whose Personal Data the Data Controller uploads or manages through the Services.

  1. Processing of Personal Data

  1. Instructions

The Data Processor processes Personal Data strictly to provide the Services and will follow any documented instructions from the Data Controller unless required otherwise by law.

  1. Scope

The Data Processor may process Personal Data in the manner necessary to offer and maintain the Services, troubleshoot issues, and provide any related customer support.

  1. Assistance with DPIAs

The Data Processor shall assist the Data Controller in carrying out Data Protection Impact Assessments (DPIAs) when required under applicable data protection laws.

  1. Security of Processing

  1. Technical and Organizational Measures

The Data Processor implements commercially reasonable technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature and scope of the Services.

  1. Confidentiality Obligations

The Data Processor ensures that all individuals authorized to process Personal Data are subject to confidentiality obligations (e.g., employment contracts or separate confidentiality agreements).

  1. Continuous Risk Assessment

The Data Processor continually assesses risks to Personal Data, updates security measures, and regularly reviews security controls to maintain an appropriate level of security.

  1. Sub-processing

  1. Prior Authorization

The Data Processor shall not engage another processor (“Sub-processor”) without prior specific or general written authorization of the Data Controller.

  1. List of Sub-processors

The Data Processor will maintain a list of authorized Sub-processors available at loops.so/subprocessors. The Data Processor shall provide the Data Controller with reasonable notice of any intended changes concerning the addition or replacement of Sub-processors.

  1. Objection

If the Data Controller has a legitimate objection to any new Sub-processor, the Parties will make good-faith efforts to address the objection, which may include use of a different Sub-processor or another mutually agreeable solution.

  1. Flow-down Obligations

The Data Processor shall ensure that any Sub-processor is bound by equivalent data protection obligations as set out in this Agreement.

  1. Assistance with Data Subject Rights

The Data Processor will provide reasonable assistance to the Data Controller in responding to data subject requests (e.g., access, rectification, deletion, restriction, portability) if such requests relate to the Data Processor’s processing activities.

  1. Data Breach Notification

  1. Notification Obligation

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach involving Personal Data processed under this Agreement, in accordance with Article 33 of the GDPR.

  1. Cooperation in Investigation and Mitigation

The Data Processor shall cooperate with the Data Controller and take reasonable steps as directed by the Data Controller to assist in the investigation, mitigation, and remediation of each such personal data breach.

  1. Demonstrating Compliance and Audits

  1. Documentation

The Data Processor will maintain sufficient records of its data protection practices and make them available to the Data Controller upon request, as required by applicable data protection laws.

  1. Audits

Upon reasonable written notice, the Data Controller (or its designated auditor) may perform an audit during regular business hours to verify compliance. Such audits will be conducted in a manner that minimizes disruption to the Data Processor’s operations.

  1. Data Transfers

  1. Data Transfers Within the EU/EEA and Internationally

The Data Processor may transfer Personal Data within the European Economic Area (EEA) or internationally provided that such transfers comply with applicable data protection laws and utilize appropriate safeguards (e.g., Standard Contractual Clauses, reliance on recognized adequacy decisions, or other legally accepted mechanisms).

  1. Documentation of Transfers

The Data Processor will keep records of such transfers and, upon request, make them available to the Data Controller.

  1. Termination

  1. Return or Deletion of Data

Following termination of the Services or upon the Data Controller’s written request, the Data Processor will, at the Data Controller’s choice, either return or securely delete all relevant Personal Data within thirty (30) days, unless applicable law requires continued retention.

  1. Retention Compliance

Where the Data Processor is legally required to retain Personal Data, it will store such data only as necessary to meet those obligations.

  1. Governing Law and Jurisdiction

In the event of a dispute or claim arising under this Agreement in relation to compliance with the EU General Data Protection Regulation (GDPR), the Parties agree that such dispute shall be governed by and construed in accordance with the laws of an EU member state mutually agreed upon by the Parties. If no mutual agreement is reached, the default shall be the laws of Ireland, and the Parties submit to the exclusive jurisdiction of the competent courts of that EU member state for the resolution of disputes.

By using Loops’s services, the Data Controller acknowledges and agrees to the terms of this Data Processing Agreement.