1. Definitions
"Customer Personal Data" means personal information, personal data, or similar regulated information contained in Customer Data that Aballel processes on behalf of Customer through the Services.
"Data Protection Laws" means privacy, data protection, cybersecurity, breach notification, marketing, and similar laws that apply to the parties' processing of Customer Personal Data.
"Customer" means the person or organization that has accepted the Terms or signed an order with Aballel.
Terms such as controller, processor, business, service provider, contractor, consumer, personal data, personal information, sell, share, and process have the meanings given under applicable Data Protection Laws.
2. Roles
For Customer Personal Data, Customer is the controller or business, and Aballel is the processor, service provider, or contractor, except where Aballel processes information as an independent controller for account administration, billing, security, fraud prevention, product analytics, legal compliance, or other purposes described in the Privacy Policy.
Customer determines the purposes and means of processing Customer Personal Data. Aballel processes Customer Personal Data according to Customer's documented instructions, including the Terms, this DPA, order forms, product settings, integrations, support requests, and other written instructions.
3. Processing instructions
Customer instructs Aballel to process Customer Personal Data to:
- provide, host, operate, maintain, secure, debug, and support the Services;
- generate, optimize, and deliver Outputs, Hosted Assets, workflows, automations, analytics, and recommendations;
- operate integrations and third-party services enabled by Customer;
- prevent spam, fraud, abuse, security incidents, and policy violations;
- comply with law and valid legal process;
- perform billing, account administration, and customer support; and
- process data as otherwise authorized by Customer, the Terms, this DPA, or Data Protection Laws.
Aballel may use aggregated, anonymized, or deidentified information that does not identify Customer or End Users to improve and develop Aballel, provided Aballel does not attempt to reidentify the information except to test deidentification safeguards or as permitted by law.
4. Customer responsibilities
Customer is responsible for:
- providing all required privacy notices, cookie notices, disclosures, and consents;
- ensuring that Customer has a lawful basis or permission to submit and process Customer Personal Data through Aballel;
- configuring Hosted Assets, integrations, cookies, pixels, forms, emails, and workflows lawfully;
- honoring End-User rights, opt-outs, unsubscribe requests, revocation of consent, and suppression obligations;
- avoiding submission of restricted data unless Aballel has authorized the use case in writing;
- ensuring Customer Content, claims, offers, and campaigns comply with law and platform policies; and
- responding to End Users and regulators regarding Customer's campaigns and data practices.
5. Confidentiality
Aballel will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or professional obligations of confidentiality.
6. Security measures
Aballel will maintain reasonable administrative, technical, and organizational safeguards designed to protect Customer Personal Data against unauthorized access, destruction, loss, alteration, or disclosure. Measures may include access controls, authentication, encryption in transit where supported, monitoring, logging, backup practices, vendor review, least-privilege access, and incident response procedures.
Customer is responsible for securing its accounts, credentials, users, devices, integrations, exports, customer websites, DNS settings, and downstream systems.
7. Subprocessors and vendors
Customer authorizes Aballel to use subprocessors and vendors to provide the Services. Subprocessor categories may include AI model providers, hosting, cloud infrastructure, storage, database, security, diagnostics, analytics, payment processing, email delivery, messaging, support, CRM, automation, domain/DNS, and professional service providers.
Aballel will impose appropriate contractual obligations on subprocessors that process Customer Personal Data on Aballel's behalf. Aballel remains responsible for subprocessors as required by applicable Data Protection Laws.
Vendor categories and examples are described in the Privacy Policy and may change over time. Customer may contact Aballel for current subprocessor information.
8. Assistance with privacy rights
Taking into account the nature of the Services, Aballel will provide reasonable assistance to Customer in responding to legally required End-User rights requests relating to Customer Personal Data, such as access, deletion, correction, portability, opt-out, or restriction requests.
If Aballel receives a request directly from an End User relating to Customer Personal Data, Aballel may redirect the requester to Customer, ask for information to identify the relevant customer, or assist Customer according to the Terms and applicable law.
9. Security incidents
Aballel will notify Customer without undue delay after confirming a security incident involving Customer Personal Data that legally requires notification to Customer. The notice may include available information about the incident, affected data, steps taken, and recommended customer actions.
Aballel's notice of an incident is not an admission of fault or liability. Customer is responsible for determining whether notice to End Users, regulators, platforms, or other parties is required due to Customer's campaigns, data, or legal obligations.
10. Legal requests
If Aballel receives a subpoena, court order, warrant, regulator request, or other legal process seeking Customer Personal Data, Aballel may notify Customer unless notice is prohibited by law or would create risk to Aballel, users, third parties, or an investigation. Aballel may disclose information where it believes disclosure is legally required or necessary to protect rights, safety, security, or operations.
11. Audits and compliance information
Upon reasonable written request, Aballel will provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, trade-secret, and operational limits. Customer may not conduct scans, penetration tests, on-site audits, or security tests of Aballel systems without prior written approval.
12. Return and deletion
Upon termination or expiration of the Services, Aballel will delete, return, archive, or retain Customer Personal Data according to the Terms, Privacy Policy, product functionality, and applicable law. Aballel may retain Customer Personal Data as required for legal compliance, security, fraud prevention, backups, dispute resolution, billing, audit, enforcement, or other permitted purposes.
Backup copies may persist for a limited period and are protected according to Aballel's standard practices.
13. U.S. state privacy service-provider terms
For Customer Personal Data subject to U.S. state privacy laws requiring service-provider, contractor, or processor terms, Aballel will not sell Customer Personal Data, share Customer Personal Data for cross-context behavioral advertising, retain, use, or disclose Customer Personal Data outside the business purposes described in the Terms and this DPA, or combine Customer Personal Data with personal information from other sources except as permitted by applicable law.
Aballel will notify Customer if Aballel determines it can no longer meet its applicable service-provider, contractor, or processor obligations. Customer has the right to take reasonable and appropriate steps to help ensure Aballel processes Customer Personal Data consistently with Customer's obligations, subject to the audit and confidentiality limits in this DPA.
14. International data
Aballel is based in the United States, and Customer Personal Data may be processed in the United States and other countries where Aballel, subprocessors, or integrations operate.
Customer must notify Aballel before using the Services for Customer Personal Data subject to GDPR, UK GDPR, Swiss data protection law, or other international laws requiring specific transfer mechanisms or contractual terms. Where required and agreed, the parties will execute or incorporate appropriate transfer terms, such as standard contractual clauses or an approved addendum.
15. Order of precedence
If there is a conflict between this DPA and the Terms regarding processing of Customer Personal Data, this DPA controls only for that processing. The Terms control all other matters.
Annex 1: Processing details
Subject matter: Providing Aballel software, hosting, AI-assisted marketing workflows, campaign workspaces, hosted assets, forms, analytics, integrations, support, billing, and related services.
Duration: The term of the customer's account or subscription plus the retention period described in the Privacy Policy, Terms, and this DPA.
Nature and purpose: Hosting, storing, securing, analyzing, generating, optimizing, transmitting, displaying, supporting, troubleshooting, and improving customer campaigns, Hosted Assets, AI-assisted Outputs, analytics, and integrations.
Categories of data subjects: Customer personnel and Authorized Users; End Users such as prospects, leads, subscribers, customers, visitors, audience members, and recipients; support contacts; billing contacts.
Categories of Customer Personal Data: identifiers, contact information, business information, campaign interactions, form submissions, email events, analytics events, device and technical information, preferences, segmentation, lead/customer records, and other information submitted by Customer or collected through Customer-controlled Hosted Assets.
Sensitive data: Not permitted unless expressly authorized in writing by Aballel.
Annex 2: Security measures summary
Aballel's security measures may include role-based access controls, authentication, least-privilege access, secure hosting providers, encryption in transit where supported, logging and monitoring, backups, vendor management, incident response procedures, employee or contractor confidentiality obligations, and administrative controls appropriate to the nature of the Services.
© 2026 Pivotal Retention LLC dba Aballel. All rights reserved.