Data Processing Agreement

v.09.30.2025

Exhibit C (Data Processing Addendum)

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum” or “DPA”) forms a part of, and is subject to, that certain Software-as-a-Service Agreement or other written or electronic terms of service or subscription agreement for the provision of services (the “Agreement”) entered into by and between [insert full name of Customer] (“Customer”) and I2H, Inc. dba Ambassador (“Ambassador”). By executing the Addendum, Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This Addendum incorporates the terms of the Agreement, and any terms not defined in this Addendum shall have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum shall supersede and control.

1.        Definitions

1.1     “Affiliate” means any entity controlling, controlled by or under common control with a party, where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity.

1.2     “Ambassador Services” shall have the meaning set forth in the Agreement.

1.3     “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.

1.4     “CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Ambassador Processes on behalf of Customer and/or Customer’s Affiliates in connection with Ambassador’s provision of the Ambassador Services.

1.5     “Customer Data” shall have the meaning set forth in the Agreement.

1.6     “Data Protection Laws” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); European Directive 2002/58/EC, as amended by Directive 2009/136/EC (“E-Privacy Directive”); the UK GDPR; and any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52; the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq.; guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45; in each case, as amended from time to time.

1.7     “Data Subject” shall mean, as applicable, “data subject” as defined under the GDPR and UK GDPR, “consumer” under the CCPA and other Data Protection Laws, and any similar term under the Data Protection Laws.

1.8     “EU Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses), as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

1.9     “GDPR Personal Data” means the “personal data” (as defined in the GDPR and UK GDPR) that Ambassador Processes on behalf of Customer and/or Customer’s Affiliates in connection with Ambassador’s provision of the Ambassador Services.

1.10   “Messaging Data” means Personal Data Processed in connection with the Messaging Services, including phone numbers used to send and receive messages, message content (text and media), and technical/delivery metadata (e.g., timestamps, routing information, and delivery status).

1.11   “Messaging Providers” means telecommunications carriers and messaging delivery platforms (including Twilio, Inc.) engaged by Ambassador as Subprocessors solely to transmit and deliver communications on behalf of Customer.

1.12   “Messaging Services” means optional functionality of the Ambassador Services that enables Customer to send and/or receive communications via SMS (short message service), MMS (multimedia messaging service), and RCS (rich communication services) to or from end users as instructed by Customer.

1.13   “Personal Data” means any information relating to a Data Subject which is subject to Data Protection Laws (defined below) and which Ambassador Processes on behalf of Customer other than Anonymous Data. Personal Data includes GDPR Personal Data and CCPA Personal Information.   

1.14   “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

1.15   “Subprocessor” means any third party appointed by or on behalf of Ambassador to process Personal Data in connection with the Ambassador Services.

1.16   “Third Countries” means countries which are not recognized by the Data Protection Laws as countries providing adequate protection of Personal Information.

1.17   “UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

1.18   “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.19   The terms “business,” “business purposes,” “consumer,” “controller,” “personal data breach,” “process” or “processing,” “processor,” “sale,” “sell,” “sensitive data,” “sensitive personal information,” “service provider,” “sharing,” “supervisory authority,” and “verifiable consumer request” shall have the meanings given to those terms in the applicable Data Protection Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Data Protection Laws, the parties agree that only the meanings in applicable Data Protection Laws will apply.

2.        Processing of Personal Data

2.1     Each party will comply with the obligations applicable to it under the Data Protection Laws, including with respect to the processing of Personal Data.

2.2     Ambassador shall only process Personal Data in accordance with the instructions of Customer or as otherwise expressly permitted under the Agreement. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the processing of Personal Data in accordance with Customer’s instructions will not cause Ambassador to be in breach of the Data Protection Laws. As between Customer and Ambassador, Customer shall be responsible for (i) the means by which Customer acquired Personal Data, and (ii) the accuracy, quality, and legality of the Personal Data provided to Ambassador by or on behalf of Customer.

For the avoidance of doubt, where Customer enables the Messaging Services, Customer instructs Ambassador to Process Messaging Data for the limited purposes of transmission, delivery, routing, temporary storage/caching for delivery, logging delivery results, troubleshooting, and compliance with law and Carrier/Messaging Provider rules.

2.2.1        Customer Responsibilities for Messaging: Customer is solely responsible for (a) determining a lawful basis for Messaging (e.g., consent or legitimate interests, as applicable), (b) obtaining, recording, and honoring end‑user consent and opt‑out preferences, and (c) complying with applicable laws and industry policies (including, as applicable, the TCPA, CTIA messaging principles, the Twilio Messaging Policy) and any Carrier/Messaging Provider program rules. Customer will ensure that opt‑out keywords (e.g., STOP and recognized equivalents) are honored promptly and that suppression lists are maintained in accordance with Customer’s compliance obligations.

2.3     For the purposes of this DPA, the following is deemed an instruction by Customer to process Personal Data (a) to provide and support the Ambassador Services; (b) as documented in the Agreement (including this DPA and any other agreement that requires processing of Personal Data); and (c) as further documented in any other specific written instructions given by Customer in this DPA, the Agreement, or as otherwise notified by Customer to Ambassador from time to time, where such instructions are consistent with the terms of the Agreement.

Without limiting the foregoing, Customer’s use of the Messaging Services constitutes written instructions to Ambassador to engage Messaging Providers to Process Messaging Data for transmission and delivery consistent with Section 4 (Authorized Subprocessors).

  • The subject matter of the data processing covered by this DPA is the provision of the Ambassador Services and support by Ambassador. Schedule 1 of this DPA sets out the nature and purpose of the processing, the types of Personal Data Ambassador processes and the categories of Data Subjects whose personal data is processed.

  • For purposes of this DPA, Customer is the “controller” or “business,” and Ambassador is the “processor” or “service provider” of Personal Data, as such terms are defined in the Data Protection Laws per Section 1 above.

  • Messaging Data Retention. Ambassador will retain Messaging Data only as necessary to provide the Ambassador Services, comply with law, resolve disputes, and enforce the Agreement. Message content (including media) is generally retained only for transmission and delivery and may be stored for a limited duration for troubleshooting or compliance, or as otherwise instructed by Customer. Ambassador will make commercially reasonable efforts to support Customer‑configured retention for message logs and media to the extent enabled by applicable Messaging Providers.

Ambassador will not Sell or Share Messaging Data (including mobile numbers, opt-in/consent status, and message content) with third parties/affiliates for marketing or promotional purposes.

3.        Authorized Employees

3.1     With respect to employees who have a need to know or otherwise access Personal Data to enable Ambassador to perform its obligations under this Addendum or the Agreement (“Authorized Employees”), Ambassador shall (a) only disclose Customer Data to such Authorized Employees; (b) take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee; (c) ensure that all Authorized Employees are made aware of the confidential nature of Customer Data and have executed confidentiality agreements that prevent them from disclosing or otherwise processing, both during and after their engagement with Ambassador, any Customer Data except in accordance with their obligations in connection with the Ambassador Services; and (d) take commercially reasonable steps to limit access to Customer Data to only Authorized Employees.

4.        Authorized Subprocessors

4.1     Customer agrees that (a) Ambassador may engage Affiliates and Subprocessors as listed at https://trust.getambassador.com/subprocessors (“Subprocessor Page”) which may be updated from time to time and (b) such Affiliates and Subprocessors respectively may engage third-party Subprocessors to process the Personal Data on Ambassador’s behalf. By way of this Addendum, Customer provides general written authorization to Ambassador to engage Subprocessors as necessary to perform the Ambassador Services.

For the Messaging Services, Subprocessors may include Messaging Providers such as Twilio, Inc., and telecommunications carriers engaged solely to transmit and deliver communications on Customer’s behalf and subject to Ambassador’s instructions and this DPA.

4.2     At least twenty (20) days before enabling any other Subprocessors to access or participate in the processing of Personal Data, Ambassador will add such third party to the Subprocessor Page. Ambassador will provide written notification of a new Subprocessor before authorizing any new Subprocessor to process any Personal Data. Customer may reasonably object to such an engagement on legitimate grounds by informing Ambassador in writing within ten (10) days of being informed of such new Subprocessor. If Customer reasonably objects to an engagement in accordance with this Section 4.2, and Ambassador cannot provide a commercially reasonable alternative within a reasonable period of time, Ambassador may terminate this Addendum as Customer’s sole and exclusive remedy for such objection.  Termination shall not relieve Customer of any fees owed to Ambassador under the Agreement; however, any prepaid and unused fees (corresponding to the period of time after the termination date) shall be promptly refunded to Customer.

4.3     If Customer does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Ambassador, that third party will be deemed an Authorized Subprocessor for the purposes of this Addendum.

4.4     Ambassador will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Ambassador under this Addendum with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfil its data protection obligations under such written agreement with Ambassador, Ambassador will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.

5.        Security of Personal Data

5.1     Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ambassador shall maintain appropriate technical and organizational measures designed for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.

5.2     Ambassador shall notify Customer within seventy-two (72) hours after confirming any Personal Data Breach. Ambassador shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as Ambassador deems necessary and reasonable to remediate the cause of such Personal Data Breach, to the extent the remediation is within Ambassador’s reasonable control. Ambassador will provide Customer with information and cooperation reasonably requested by Customer regarding such Personal Data Breach. Ambassador’s notification of or response to a Personal Data Breach under this Section 5.2 shall not be construed as an acknowledgment by Ambassador of any fault or liability with respect to the Personal Data Breach. Unless required by law or by Ambassador’s regulators, where Customer is the Data Controller, Ambassador shall not notify any Data Subject or any third party other than law enforcement of any Personal Data Breach involving Personal Data without first consulting with Customer. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users.

5.3     Messaging‑Specific Safeguards.  Without limiting Schedule 2, Ambassador will implement reasonable and appropriate technical and organizational measures for Messaging Data, which may include: encryption in transit; access controls and role‑based least‑privilege; opt‑out handling mechanisms that prevent further outbound messaging to opted‑out numbers when instructed by Customer; logging and monitoring of delivery status; media storage access controls; and configurable retention where supported by Messaging Providers.

6.        Requirements for GDPR Personal Data.  This Section 6 shall only apply to the processing of GDPR Personal Data by or on behalf of Ambassador.

6.1     The parties agree that Ambassador may transfer Personal Data processed under this Addendum outside the European Economic Area (“EEA”), UK, or Switzerland as necessary to provide the Ambassador Services. If Ambassador transfers Personal Data protected under this Addendum to a jurisdiction that has not been found to provide an adequate or equivalent level of protection under the applicable Data Protection Laws, Ambassador will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

For Messaging Services, Customer acknowledges and instructs Ambassador that delivery of messages necessarily requires onward transfers of Messaging Data to Messaging Providers (including Twilio, Inc.) and downstream telecommunications carriers and aggregators, which may be located outside the EEA/UK/Switzerland. Ambassador will ensure appropriate safeguards for such transfers in accordance with Section 6 and the SCCs/UK Addendum, and will require Subprocessors to provide substantially similar safeguards.

6.2     Ambassador may engage Subprocessors pursuant to Section 4 (Authorized Subprocessors).

6.3     Transfer Mechanisms.  With regard to any transfers of GDPR Personal Data from the European Economic Area or the United Kingdom to countries that do not provide adequate protection for such data (as determined by the applicable Data Protection Laws), the parties hereby enter into applicable Standard Contractual Clauses in support of such transfer.

6.4     For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the Model Clauses issued by the Information Commissioner’s Office of the United Kingdom (“UK Addendum”) (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Data Protection Laws. The parties further agree to the following provisions with respect to the UK Addendum:

6.4.1    Identity of the Parties:  The data exporter is Customer, and the data importer is Ambassador.

6.4.2    Conflicts:  In the event of any conflict or inconsistency between this Addendum and the UK Addendum, the UK Addendum shall prevail.

6.4.3    Appendices:  Responses to the Appendices to the UK Addendum are provided in Schedule 1, attached hereto. The list of parties and the descriptions of the transfers are provided in Schedule 1. The technical and organizational measures including technical and organizational measures designed to ensure the security of the data are provided in Schedule 2.

6.4.4    Ending this Addendum when the Approved Addendum Changes: The parties agree that Importer and Exporter may end the Addendum as set out in Section 19 of the UK Addendum.

6.4.5    Specific Provisions:

(i)       The Addendum EU SCCs shall be the Approved EU SCCs.

(ii)      Module Two will apply where Customer is a Controller of Customer Personal Data and Ambassador is a Processor of Customer Personal Data.

(iii)     In Clause 7, the optional docking clause does not apply.

6.4.6        The parties do not incorporate the optional liability clause included in the UK Addendum.

6.5     For all other transfers of Personal Data under this DPA to Third Countries, to the extent such transfers are subject to such applicable Data Protection Laws, the EU Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Data Protection Laws. The parties further agree to the following provisions with respect to the EU Standard Contractual Clauses:

6.5.1    Identity of the Parties:  The data exporter is Customer, and the data importer is Ambassador. Module Two (controller to processor) is the sole module applicable to transfers involving Personal Data.

6.5.2    Conflicts:  In the event of any conflict or inconsistency between this Addendum and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail.

6.5.3    Appendices:  Responses to the Annexes to the EU Standard Contractual Clauses are provided in Schedule 1, attached hereto.

6.5.4    Specific Provisions:

6.5.5    In Clause 7, the optional docking clause does not apply.

6.5.6    In Clause 9, the parties select Option 2, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.2 of this DPA, and Ambassador shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.2 of this DPA.

6.5.7    In Clause 11, the parties do not select the independent dispute resolution option.

6.5.8    In Clause 13, all square brackets are removed with the text remaining.

6.6     In Clauses 17 (Option 2) and 18(b), the parties agree that the jurisdiction is the member state in which Controller is established, or if the Controller is not established in a member state, the Republic of Ireland.

6.7     Where applicable by virtue of Article 28(3)(f) of the GDPR or UK GDPR, Ambassador shall provide reasonable assistance to Customer with any data protection impact assessments which are referred to in Article 35 of the GDPR and with any prior consultations to any Supervisory Authority of Customer which are referred to in Article 36 of the GDPR, in each case solely in relation to processing of GDPR Personal Data and taking into account the nature of the processing and information available to Ambassador.

7.        Requirements for CCPA. Section 7 of this DPA shall only apply to the processing of CCPA Personal Information by Ambassador. Ambassador shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purpose of providing the Ambassador Services, or as otherwise permitted by the CCPA. Ambassador acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a purpose other than providing the Ambassador Services, except as permitted by the CCPA. Processing CCPA Personal Information outside the scope of this DPA or the Agreement will require prior written agreement between Customer and Ambassador on additional instructions for processing. Ambassador shall also not Sell or Share any CCPA Personal Information it collects pursuant to the Agreement with Customer. Ambassador shall not retain, use, or disclose CCPA Personal Information collected pursuant to the DPA or Agreement for purposes outside the direct business relationship between Ambassador and Customer, unless expressly permitted by CCPA and its regulations. To the extent prohibited by the CCPA, Ambassador will not combine CCPA Personal Information received from Customer with Personal Data that Ambassador receives from, or on behalf of, another person or persons, or collects from its own interaction with consumers.

8.        Rights of Data Subjects

8.1     Ambassador shall, to the extent permitted by law and within five (5) business days, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Ambassador receives a Data Subject Request in relation to Customer Data, Ambassador will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Ambassador Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Ambassador, and for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

8.2     Ambassador shall, at the request of Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Ambassador’s assistance and (ii) Ambassador is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Ambassador.

9.        Actions and Access Requests

9.1     Ambassador shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum and retain such records for a period of two (2) years after the termination of the Agreement. Customer shall, with reasonable notice to Ambassador, have the right to review, audit and copy such records at Ambassador’s offices during regular business hours.

9.2     Upon Customer’s request, Ambassador shall, no more than once per calendar year, either (i) make available for Customer’s review copies of certifications or reports demonstrating Ambassador’s compliance with Data Protection Laws or prevailing data security standards applicable to the processing of Customer Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Ambassador’s data security infrastructure and procedures that is sufficient to demonstrate Ambassador’s compliance with its obligations under this Addendum, provided that Customer shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Ambassador’s business. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Ambassador for any time expended for on-site audits. Any such audit shall be subject to Ambassador’s security and confidentiality terms and guidelines; if Ambassador declines to comply with the terms of this Section 9.2, Customer may terminate this DPA and the Agreement upon written notice to Ambassador within thirty (30) days of Ambassador’s notice of its refusal to comply with the terms of this Section 9.2.

9.3     Ambassador shall promptly notify Customer if an instruction, in Ambassador’s opinion, infringes the Data Protection Laws or supervisory authority.

10.     RETURN OR DELETION OF CUSTOMER DATA.  Following termination or expiration of the Agreement, Ambassador shall return or delete the Customer Data, unless further storage of Customer Data is required or authorized by applicable law, as stated under the Agreement. If return or destruction is impracticable or prohibited by law, rule or regulation, Ambassador shall take measures to block such Customer Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Customer Data remaining in its possession, custody, or control.

11.     AFFILIATES.  Customer acts as a single point of contact for its Affiliates with respect to compliance with Data Protection Laws such that where Ambassador gives notice to Customer, such information or notice is deemed received by Customer’s Affiliates. The parties acknowledge and agree that any claims in connection with Data Protection Laws under this DPA will be brought by Customer, whether acting for itself or on behalf of an Affiliate.

12.     Limitation of Liability.  The total liability of each of Customer and Ambassador (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the applicable limitations of liability set forth in the Agreement.

SCHEDULE 1

Data Processing Appendix

A.1        Parties

Name of Customer

 

Role of Customer

For purposes of the Agreement and this DPA, Customer is the sole party that determines the purposes and means of processing Personal Data as the “business” or “controller.”  To the extent of any cross-border data transfers under this DPA, Customer is the data exporter.

Address

The address set forth on the applicable Order Form.

Contact Person’s Name, Position, and Contact Details

The persons indicated on the applicable Order Form or such contact information as provided by Customer to Ambassador from time to time in writing.

Activities relevant to the data transferred under the EU Standard Contractual Clauses

Using the Ambassador Services provided by Ambassador.

Signature

By signing the DPA, the Standard Contract Clauses will be considered agreed to by both parties.

 

Role of Ambassador

For purposes of the Agreement and this DPA, Ambassador processes Personal Data on behalf of Customer as a “processor” or “service provider.”  To the extent of any cross-border data transfers under this DPA, Ambassador is the data importer.

Address

2212 Queen Anne Avenue N., Suite 759, Seattle, WA 98109

Contact Person’s Name, Position, and Contact Details

Mark Steffler, Chief Operating [email protected]

Activities relevant to the data transferred under the EU Standard Contractual Clauses

Providing the Ambassador Services to Customer.

Signature

By signing the DPA, the Standard Contract Clauses will be considered agreed to by both parties. 


A.2.      PROCESSING TERMS

Duration of the processing

Ambassador agrees to process Personal Data solely as instructed in the Agreement and this DPA for the duration of the provision of the Ambassador Services to Customer, and the longer of such additional period as: (i) is specified in any provisions of the Agreement regarding data retention; and (ii) is required for compliance with law.

Messaging Services: for the period necessary to complete transmission and delivery, and thereafter only as instructed by Customer or required by law, consistent with Section 2.6.

Nature of the processing

Such processing as is necessary to enable Ambassador to comply with its obligations and exercise its rights under the Agreement, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities.

Messaging Services: transmission, delivery, and routing of messages; temporary storage/caching to facilitate delivery; processing of delivery receipts and statuses; logging for support, security, and compliance; application of Customer‑provided opt‑out lists and honoring standard opt‑out keywords where supported by Messaging Providers; media hosting for MMS/RCS for the duration configured by Customer or required to complete delivery.

Purpose of the processing

Ambassador agrees to process Personal Data for limited and specified purposes described in the Agreement, this DPA, or as otherwise directed by authorized personnel of Customer in writing (email acceptable).

For Messaging Services: to send, receive, transmit, deliver, route, and log messages and related media as instructed by Customer, and to provide troubleshooting, support, abuse prevention, and compliance functions.

Consideration in exchange for processing

The parties acknowledge and agree that Ambassador receives no monetary or other valuable consideration in exchange for Personal Data.

Type of Personal Data processed

Customer may submit Personal Data to the Ambassador Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

● Tracking of audience traffic and their conversions.
● Personal details, including payment details;
● Mobile advertising ID and/or cookie ID;
● Age;
● IP address;
● Purchase history;
● Banking details (from Customer only).
● In order to manage the Agreement, Ambassador will process Personal Data from Customer’s employees and other personnel such as name, title, email address, telephone number and (for billing purposes) Customer’s payment details.
● Messaging Data (where Customer enables Messaging Services): phone numbers used to send and receive messages; message content (text); MMS/RCS media files (e.g., images, video, audio, documents); technical/delivery metadata (timestamps, delivery receipts, message IDs, routing information, carrier information); end‑user responses (e.g., STOP/HELP/START). Customer determines the extent of Messaging Data in its sole discretion.

Types of sensitive (or special) categories of Personal Data processed

N/A

Categories of data subjects

Customer may submit Personal Data to the Ambassador Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

● Prospects, customers, business partners and vendors of Customer (who are natural persons)
● Employees or contact persons of Customer’s prospects, customers, business partners and vendors
● Employees, agents, advisors, freelancers of Customer (who are natural persons)
● Customer’s users authorized by Customer to use the Ambassador Services
● Messaging recipients and senders designated by Customer (which may include Customer’s end users, prospects, customers, personnel, and other contacts).

Obligations and rights of the parties

As set out in the Agreement.

 

  1. DESCRIPTION OF CROSS BORDER DATA TRANSFERS

 

Description of activities relevant to the Personal Data transferred under the Standard Contractual Clauses

Such processing as is necessary to enable Ambassador to comply with its obligations and exercise its rights under the Agreement, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities.

Categories of data subjects whose personal information is transferred

Customer may submit Personal Data to the Ambassador Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

● Prospects, customers, business partners and vendors of Customer (who are natural persons)
● Employees or contact persons of Customer’s prospects, customers, business partners and vendors
● Employees, agents, advisors, freelancers of Customer (who are natural persons)
● Customer’s users authorized by Customer to use the Ambassador Services

Types of personal information that will be transferred

Customer may submit Personal Data to the Ambassador Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

● Tracking of audience traffic and their conversions.
● Personal details, including payment details;
● Mobile advertising ID and/or cookie ID;
● Age;
● IP address;
● Purchase history;
● Banking details (from Customer only).
● In order to manage the Agreement, Ambassador will process Personal Data from Customer’s employees and other personnel such as name, title, email address, telephone number and (for billing purposes) Customer’s payment details.

Types of sensitive (or special) categories of personal information that will be transferred and applicable restrictions or safeguards

N/A

Frequency of the transfer

Continuous

Purpose of the data transfer and further processing

Provision of the Ambassador Services as set forth in the Agreement.

Subprocessor transfers

Transfers to Subprocessors will occur where necessary for the provision of the Ambassador Services in accordance with the Agreement and the DPA solely for the term of the Agreement.

For Messaging Services, Subprocessor transfers include Twilio, Inc. (messaging delivery platform) and telecommunications carriers/aggregators required for message delivery.

 

  1. COMPETENT SUPERVISORY AUTHORITY

EEA Data Subjects:  Republic of Ireland

UK Data Subjects:  United Kingdom

Swiss Data Subjects: Swiss Federal Data Protection and Information Commissioner

SCHEDULE 2

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

AMBASSADOR INFORMATION SECURITY PRACTICES

  1. Ambassador shall, in order to assist Customer to fulfill its legal obligations (including but not limited to security measures and privacy risk assessments), be obliged to take appropriate technical and organizational measures designed to protect the Personal Data which is processed and shall thereby follow any written information security requirements or policies communicated by Customer from time to time. The measures shall at least result in a level of security which is appropriate taking into consideration:

(i) existing technical possibilities;

(ii) the costs for carrying out the measures;

(iii) the particular risks associated with the processing of the Personal Data; and

(iv) the sensitivity of the Personal Data which is processed.

  2. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by Ambassador shall include as appropriate:

(i) the pseudonymization and encryption of Personal Data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;

(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

  3. Further to the technical and organizational measures mentioned in Section 2 of this Schedule 2, Ambassador shall implement the following measures:

(i) physical access protection whereby computer equipment and removable data containing personal information at Ambassador’s premises shall be locked up when not under supervision in order to protect against unauthorized use, impact and theft.

(ii) a process for testing read back after Personal Data has been restored from backup copies.

(iii) authorization control whereby access to the Personal Data is managed through a technical system for authorization control. Authorization shall be restricted to those who need the Personal Data for their work. User IDs and passwords shall be personal and may not be transferred to anyone else. There shall be procedures for allocating and removing authorizations.

(iv) secure communication whereby external data communication connections shall be protected using technical functions ensuring that the connection is authorized as well as content encryption for data in transit in communication channels outside systems controlled by Ambassador.

(v) a process for ensuring secure data destruction when fixed or removable storage media shall no longer be used for their purpose.

(vi) routines for entering into confidentiality agreements with suppliers providing repair and service of equipment used to store Personal Data.

(vii) routines for supervising the service performed by suppliers at the premises of Ambassador. Storage media containing the Personal Data shall be removed if supervision is not possible.

(viii) any additional measures as instructed by Customer in Schedule 1 (Data Processing Appendix).

  4. All technical and organizational security measures required by this DPA are being taken by Ambassador. Details of all security measures can be found in Ambassador’s Information Security Policy, Operations Security Policy, and Data Management Policy, each of which is available upon request.

  5. Supplemental measures implemented pursuant to The European Data Protection Board (EDPB) Recommendations 01/2020 applicable Data Protection Laws are available upon request.

Messaging‑Specific Measures. Ambassador will implement measures appropriate to Messaging Data, including: TLS for API and console access; at‑rest encryption for message logs/media where stored by Ambassador; role‑based access controls; audit logging; abuse/threat detection and rate limiting; mechanisms to apply Customer suppression lists and to honor standard opt‑out keywords supported by Messaging Providers; and support for Customer‑configured message log/media retention to the extent exposed by Messaging Providers.

SCHEDULE 3

LIST OF SUBPROCESSORS

Ambassador’s list of Subprocessors (including Affiliates) is available at https://trust.getambassador.com/subprocessors (the “Subprocessor Page”). The Subprocessor Page may be updated from time to time in accordance with this DPA.

For avoidance of doubt, Subprocessors for the Messaging Services include Messaging Providers such as Twilio, Inc., and downstream telecommunications carriers and aggregators engaged solely for message transmission and delivery.