Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the DropSaaS Terms of Service between Saaslink S.R.L. ("DropSaaS", "Processor", "we", "us", "our") and the customer entity agreeing to these terms ("Customer", "Controller" or "Processor", depending on context).

This DPA ensures that personal data is handled in compliance with applicable data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In the event of conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data processing obligations.

2. Definitions

Unless otherwise defined, all terms used in this DPA have the same meanings as in the GDPR or other applicable data protection laws:

“Data Protection Laws”: All laws and regulations applicable to the processing of personal data, including the GDPR, UK GDPR, Swiss DPA, CCPA, and equivalent laws globally.

“Customer Personal Data”: Any personal data processed by DropSaaS on behalf of the Customer in connection with the provision of services.

“Standard Contractual Clauses (SCCs)”: The clauses issued by the European Commission under Decision (EU) 2021/914 for international data transfers.

“Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Supervisory Authority”: Have the same meanings as defined in the GDPR.

3. Compliance with Applicable Laws

Both parties agree to comply with applicable Data Protection Laws at all times in the context of processing Customer Personal Data. This DPA does not relieve either party of any obligations imposed by such laws.

4. Roles and Scope

DropSaaS acts as a Processor of Customer Personal Data.

The Customer is the Controller, or Processor on behalf of a third-party Controller.

The Customer determines the purposes and means of the processing of personal data.

5. Customer Obligations

The Customer is solely responsible for:

Ensuring a lawful basis for processing Customer Personal Data.

Informing and obtaining valid consent from data subjects as required.

Ensuring the accuracy, legality, and integrity of Customer Personal Data.

Complying with all applicable legal requirements regarding the collection and use of data.

Customer agrees to indemnify and hold DropSaaS harmless against any claims or fines arising from its failure to meet these obligations.

6. Nature and Purpose of Processing

DropSaaS will process Customer Personal Data only as necessary to provide the services described in the Terms of Service. The types of data and processing activities are defined in Annex A of this agreement.

7. Instructions

DropSaaS will only process Customer Personal Data based on documented instructions from the Customer unless legally required to do otherwise. In such a case, DropSaaS will inform the Customer unless prohibited by law.

8. Processor Obligations

DropSaaS will:

Implement appropriate technical and organizational security measures (see Annex B).

Ensure all personnel authorized to process Customer Personal Data are bound by confidentiality.

Notify the Customer without undue delay upon becoming aware of a personal data breach.

Assist the Customer in responding to data subject requests and fulfilling its obligations under Data Protection Laws.

At termination of the service, delete or return Customer Personal Data, unless legal obligations require retention.

Maintain complete and accurate records to demonstrate compliance with this DPA and applicable laws.

9. CCPA Compliance

Where the CCPA applies:

The Customer is a Business and DropSaaS is a Service Provider.

DropSaaS will not sell, share, retain, or use California Personal Information for any purpose other than delivering services under the Terms of Service.

10. Subprocessors

DropSaaS may engage Subprocessors to process Customer Personal Data. A current list is provided in Annex C. DropSaaS shall:

Ensure each Subprocessor complies with equivalent data protection obligations.

Notify Customer of any new Subprocessor at least 30 days in advance. Customer may object on reasonable grounds.

11. International Data Transfers

When processing European Data outside the EEA or other recognized jurisdictions, DropSaaS shall:

Rely on Standard Contractual Clauses (SCCs) and supplementary measures as needed.

Promptly notify the Customer if compliance is no longer possible.

12. Amendments

This DPA may be updated by DropSaaS to reflect changes in law or data protection practices. Any updates will be made available to the Customer in writing, and continued use of the platform after changes constitutes acceptance.

ANNEX A – Details of Data Processing

Controller: The Customer

Processor: DropSaaS (Saaslink S.R.L., Via Marsala 29H, Rome, Italy)

Data Subjects: End-users, customers, leads managed by Customer on the Platform.

Personal Data Processed: Name, email, phone number, location, business data, usage data.

Purpose of Processing: Hosting, campaign automation, review management, communication services.

Duration: For the duration of the Customer’s subscription to the Platform or as required by law.

Sensitive Data: None expected.

ANNEX B – Technical and Organizational Security Measures

DropSaaS maintains, at minimum, the following controls:

Encryption: TLS v1.2+ in transit, secure backups at rest.

Access Control: Role-based access; password and token protections.

Monitoring: Activity logs, uptime monitors, security alerts.

Data Isolation: Logical separation of customer data.

Backup & Disaster Recovery: Regular backups stored securely; ability to restore in the event of an incident.

User Controls: Customers may update or delete data, request access, and manage user permissions.

ANNEX C – Subprocessors

Subprocessor | Purpose | Jurisdiction
Google Cloud | Hosting and infrastructure | US
Amazon Web Services (AWS) | Hosting and infrastructure | US
Stripe | Payment processing | US
MongoDB | Database storage | US
Meta (Facebook/Instagram) | Social integrations | US
Bird.com | SMS delivery | EU
OpenAI | AI assistance features | US

DropSaaS will notify the Customer at least 30 days in advance of adding any new Subprocessor.

Contact Information

For data protection questions or to exercise your rights:

Saaslink S.R.L., Via Marsala 29H, Rome (Italy)

Email: legal@dropsaas.com
