Data processing terms

This Data Protection Terms addendum (“Addendum”) forms part of the agreement based on the MailBluster Terms of Use (“Agreement”) between ThemeWagon, Inc. (“MailBluster”); and the person or entity identified as ‘you’ or ‘the Customer’ under the Agreement, to whom MailBluster provides services under the Agreement (the “Customer”). This Addendum applies where and only to the extent that MailBluster processes personal data (as defined below) that originates from the EEA (and/or that is otherwise subject to Data Protection Legislation) on behalf of the Customer as a data processor in the course of providing the MailBluster service under the Agreement. Data Protection Legislation means (i) unless and until the GDPR is no longer directly applicable in the United States, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the United States and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998. “GDPR” means the General Data Protection Regulation ((EU) 2016/679).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.

1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 1 is in addition to and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and MailBluster is the Data Processor of any Personal Data processed by MailBluster on behalf of the Customer under the Agreement (where Personal Data, Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).

1.3 Without prejudice to the generality of Clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (as defined in the Data Protection Legislation) to MailBluster for the duration and purposes of the Agreement.

1.4 Without prejudice to the generality of Clause 1.1, MailBluster shall, in relation to any Personal Data processed in connection with the performance by MailBluster of its obligations under the Agreement:

1.4.1 process that Personal Data only on the written instructions of the Customer (as documented in clause 1.7) unless MailBluster is required by Data Protection Legislation;

1.4.2 implement and maintain such appropriate technical and organizational data security practices and processes to ensure a level of security appropriate to the risk of loss of confidentiality, integrity, and availability of the Personal Data from time to time;

1.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

1.4.4 to the extent necessary to comply with applicable legal, regulatory or law enforcement requirements, inform the Customer without unreasonable delay after it becomes aware of any loss, theft, misuse, unauthorised access, disclosure, or acquisition, destruction or other compromise of Personal Data that has occurred in its systems which affects Personal Data;

1.4.5 inform the Customer of: (i) any formal requests from data subjects exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not to respond to such requests, unless instructed by the Customer in writing to do so; and (ii) any requests made by public authorities requiring Customer to disclose the Personal Data processed in the context of the Services or to participate in an investigation involving such Personal Data;

1.4.6 not transfer any Personal Data outside of the European Economic Area unless appropriate safeguards under Data Protection Legislation have been applied. The parties agree that MailBluster may transfer Personal Data processed under the Agreement outside the European Economic Area (“EEA”) or Switzerland as necessary to provide the Services;

1.4.7 assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

1.4.8 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Data Protection Legislation to store the Personal Data;

1.4.9 in accordance with Data Protection Legislation, make available to the Customer such information that is in its possession or control as is necessary to demonstrate MailBluster’s compliance with the obligations placed on it under this clause 1 and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to prior arrangement, and a maximum of one audit request in any 12-month period); and

1.4.10 maintain complete and accurate records and information to demonstrate its compliance with this Clause 1.

1.5 The Customer consents to MailBluster appointing the Sub-Processors listed by us in our current sub-processor list available as third-party sub-processors (“Sub-processors”) of Personal Data under the Agreement and provides a general authorization to MailBluster to appoint further Sub-processors. MailBluster confirms that it has entered or (as the case may be) will enter with any Sub-processor into a written agreement incorporating terms which are substantially similar to those set out in this Clause 1. MailBluster will inform the Customer of any addition, replacement or other changes of Sub-processors and provide the Customer with the opportunity to reasonably object to such changes on legitimate grounds. The Customer acknowledges that these Sub-processors are essential to provide the Services and that objecting to the use of a Sub-processor may prevent MailBluster from offering the Services to the Customer. In the event that the Customer objects to the use of a new Sub-Processor, either party may terminate the Agreement on notice to the other without any liability in respect of such termination.

1.6 The parties may by agreement in writing, revise this Clause 1 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Agreement).

1.7 Instructions for Processing:

| Description | Details |
| --- | --- |
| Subject matter of the processing | Providing the Customer with bulk email sending via the MailBluster platform. |
| Duration of the processing | For the duration of the Agreement |
| Nature and purposes of the processing | Sending campaigns through the MailBluster platform storing email addresses provided through one of our forms or integrations. Storing data on recipient behavior, whether they click, open, unsubscribe, bounce when a campaign is sent. Actioning on the Customer’s behalf any ‘unsubscribe’ requests from recipients of messages sent using the Service. |
| Type of Personal Data | Email address, Customer IP Address, First Name, Last Name, Timezone and any other personal data provided through a custom field. |
| Categories of Data Subject | Recipients of the emails as specified when creating a campaign |
| Plan for return and destruction of the data once the Customer wants to destroy them UNLESS there is a requirement under EU or applicable EU Member State law to preserve that type of data | Campaign data (Sent, Delivered, Fails, Bounces, Opens, Clicks, Revenues, Sells, Complaints, Unsubscribes), Customer data (email addresses, first name, last name, timezone, and any associated custom fields) will be held forever until the request to terminate the customer data is received. |

IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect from the last date of execution below.

MailBluster

Signature _____________________________

Name: Ashraful Prium

Title: CEO

Date Signed:

Customer:

Signature _____________________________

Name:

Title:

Date Signed:

Last update: 19 June 2019