Data Processing Agreement

Scope

This Data Processing Agreement ("DPA") applies to personal data processed by Borks Marketing LLC ("Processor") on behalf of the client ("Controller") in connection with managed outbound services. This DPA supplements the Terms of Service and any applicable SOW.

Processing purposes

We process personal data solely for the purpose of delivering managed B2B cold email services as directed by the Controller. This includes: prospect list management, email sending, reply handling, enrichment, analytics, and reporting. We will not process personal data for any purpose other than as instructed by the Controller.

Categories of data processed

Personal data processed may include: names, business email addresses, job titles, company names, IP addresses, and engagement data (opens, clicks, replies). We do not process special categories of personal data (health, political, biometric) unless explicitly provided by the Controller.

Subprocessors

We use the following categories of subprocessors to deliver services:

• Cloud infrastructure: Amazon Web Services (AWS)
• Email services: Google Workspace, Microsoft 365
• Sending platform: Borks private sequencer (operated in-house)
• Data enrichment: Apollo, ZoomInfo, Clay, Lusha, RocketReach
• Analytics: Google Analytics, Microsoft Clarity
• Communication: Slack (for client communication)

We will notify the Controller of any new subprocessor additions with at least 14 days notice before engagement. The Controller may object to a new subprocessor, in which case we will work to find an alternative or allow termination without penalty.

Security measures

We implement appropriate technical and organizational measures including: AES-256 encryption at rest, TLS 1.2+ encryption in transit, role-based access controls, multi-factor authentication, regular security training, vulnerability scanning, encrypted backups, and incident response procedures.

Data subject rights

We will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection) within 10 business days of receiving a forwarded request. If a data subject contacts us directly, we will forward the request to the Controller within 3 business days.

Breach notification

In the event of a personal data breach, we will notify the Controller without undue delay and in any case within 48 hours of becoming aware of the breach. Notification will include: the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.

Data return and deletion

Upon termination of services, we will, at the Controller's election, return all personal data in a standard format (CSV) or securely delete all personal data within 30 days. We will provide written confirmation of deletion upon request. Copies retained for legal or compliance purposes will be deleted when no longer required.

International transfers

Where personal data is transferred outside the EEA, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs) as approved by the European Commission. Copies of applicable SCCs are available upon request.

Contact

For DPA-related inquiries, contact privacy@borks.io.

Borks Marketing LLC
633 Pierce Ave, Linden, NJ 07036