CAD pricing. CASL compliance. Data that stays at home. Cakemail supports Canadian businesses — See How
Discover our Professional Services
Talk to Sales
Sales Team
Talk with an expert Monday to Friday between 9 AM and 5 PM EST.
‍
Call: +1 514 316-1550
Email: sales@cakemail.com
Talk with an expert
Our sales team is available Monday to Friday between 9 AM and 5 PM EST
+1 514 316-1550
sales@cakemail.com
Sign In
English
English (Canada)
Français (Canada)
Français (France)
Italian
Español
Portuguese
Products
Email Marketing Platform Plate-forme d'emailing Plateforme de marketing courriel Piattaforma di email marketing Marketing por Correo
Email API Email API API courriel API di Email API de Correo
Email Marketing Add-on for SaaS Module d'emailing pour SaaS Module marketing courriel pour SaaS Componente aggiuntivo per SaaS Complemento de marketing por correo para SaaS
Agency Email Marketing Emailing pour agences Marketing courriel pour agences Email marketing per le agenzie Email marketing para agencias
Launch high-converting email campaigns, effortlessly
Customer journey builder
Drag-and-drop editor
800+ professional email templates
Responsive, human support
Data stored in Canada
Create Free Account
Learn More
Send transactional and marketing emails at scale
Industry-leading deliverability
Multi-tenant support
Dynamic email templating
Real-time delivery analytics
Scalable infrastructure
Build with Cakemail
Learn More
Embed a full-featured email platform into your product
Easy integration
Custom UI branding
Built-in campaign & contact tools
Ready-made infrastructure & compliance
Dedicated support for your team and users
Get a Demo
Learn More
Manage all your email marketing clients in one account
Fully branded platform
Centralized dashboard for all clients
Seamless multi-client management
Built-in billing and user controls
Developer-ready API
Create Free Account
Learn More
Solutions
CAKEMAIL IS FOR
Use cases
For teams who need email to work, at scale and on-brand
Agencies
Enhance client retention and increase recurring revenue
SaaS Platforms
Bring modern email marketing to your product
Nonprofits
Engage your audience and donors with a simple email marketing tool
Web Hosts
Offer a modern email marketing solution to your customers
Other Industries
Contractors
Dealerships
Ecommerce
Gyms
Hospitality
Real Estate
Restaurants
Retail
Salons
Tourism
Power up your product with embedded email, automation, or resale
Send newsletters & updates
Add email marketing to your SaaS app without overloading your dev team
Promote offers & drive sales
Send marketing & transactional emails at scale
Send marketing & transactional emails at scale
Automate customer journeys
Send marketing & transactional emails at scale
Trigger action-based emails
Send marketing & transactional emails at scale
Personalize emails at scale
Send marketing & transactional emails at scale
Deliver critical emails reliably
Manage client campaigns
Generate income by selling Cakemail under your brand
Send marketing & transactional emails at scale
Repatriate your data in Canada
White-label email marketing
Send marketing & transactional emails at scale
Send marketing & transactional emails at scale
Resell white-labeled email to your clients
Send marketing & transactional emails at scale
Sell Cakemail locally
Send marketing & transactional emails at scale
Deliver multi-tenant email marketing
Send marketing & transactional emails at scale
Let users send campaigns
Send marketing & transactional emails at scale
Embed into your product
Start For Free
Need direction? Get a Free Audit
Success Story
Empowering 60,000 nonprofits with seamless email marketing
Left Arrow

Read the Case Study

Right Arrow
Resources
discover
educate
SUPPORT
Professional Services Services professionnels Services professionnels Servizi Professionali Servicios Profesionales
Knowledge Base
Know and do more with Cakemail
API & Developers
Comprehensive guides and documentation
Integrations
Connect Cakemail with the other apps you use
Blog
Articles to spark, nurture and measure interactions
Newsletter
Get marketing insights right in your inbox
Live Events & Webinars
Learn and improve your email marketing skills
Release Notes
Everything new with Cakemail
Contact Support
Monday to Friday from 9 a.m. to 5 p.m. EST
System Status
Check the current status of Cakemail's servers
Our experts can help you set up, scale and optimize your email strategy
Migration
Integrations & API
Audience Management
Strategy Development
Design & Implementation
Automation
Deliverability & Compliance
Performance Analysis
Explore Professional Services
Pricing
Choose Email Template
Sign UpSign Up
Cakemail Logo
Close
Products
Email Marketing Platform
Run campaigns that convert, with tools that save time
Email API
Send transactional and marketing emails at scale
Email Marketing Add-On For SaaS
Embed a full-featured email platform into your product
Agency Email Marketing
Offer Cakemail under your own brand
Solutions
CAKEMAIL IS FOR
AgenciesNonprofitsSaaS PlatformsWeb Hosts
use cases
Send newsletters & updatesPromote offers & drive salesAutomate customer journeysTrigger action-based emailsPersonalize emails at scaleDeliver critical emails reliablyRepatriate your data in CanadaManage client campaignsWhite-label email marketingResell white-labeled email to your clientsSell Cakemail locallyDeliver multi-tenant email marketingLet users send campaignsEmbed into your productNot sure where to start? Get a Free Audit
Resources
Professional Services
Our experts can help you set up, scale and optimize your email strategy
Migration
Integrations & API
Audience Management
Strategy Development
Design & Implementation
Automation
Deliverability & Compliance
Performance Analysis
Start For Free
Get a Free Audit
discover
Knowledge baseIntegration guidesAPI reference
educate
BlogNewsletterLive Events & Webinars
support
Release NotesSubmit Support ticketSystem Status
Pricing
Company
About CakemailCareersContacts Us
Sign in
Cakemail Next-gen
Sign in
Cakemail Classic
Change Language
English
English (Canada)
Français (Canada)
Français (France)
Italian
Español
Portuguese
Create Free Account

Data processing addendum

In the Addendum

  • 1. Definitions
  • 2. Processing of personal data
  • 3. Authorized personnel
  • 4. Rights of data subjects
  • 5. Government access requests
  • 6. Security
  • 7. Compliance
  • 8. Sub-processing
  • 9. Return and deletion
  • 10. Data breach
  • 11. International and interprovincial transfers
  • 12. General provisions
  • Schedule 1: Processing details
This Data Processing Addendum (“DPA”) is effective as Effective Date of any master agreement for the provision of Services (the “Agreement”) between Cakemail Inc. ("Cakemail") and the Client specified in the Agreement (“Client”). Alternatively, the DPA is effective as of the date the Client enters into the Cakemail online Terms of Use at https://www.cakemail.com/legal/terms-of-use, which shall also be deemed the “Agreement” under this DPA.

Cakemail and Client shall hereafter be collectively known as the “Parties” and individually known as a “Party”. To the extent that any of the terms or conditions contained in this DPA may contradict or conflict with any terms or conditions regarding the processing of Personal Data in the Agreement, it is expressly understood and agreed that the terms of this DPA shall take precedence and supersede those other terms or conditions as it regards the subject matter.

The Parties agree as follows:

1. Definitions

1.1 For the purposes of this DPA, the following expressions bear the following meanings unless the context otherwise requires:

“Applicable Data Protection Laws” means, in respect of a Party, any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of Personal Data, including:

(a) the Directive 2002/58/EC (as amended) (the “e-Privacy Directive”), the e-Privacy Regulation 2017/003 (COD) (the “e-Privacy Regulation”), and any laws and regulations implementing these;

(b) the Directive 95/46/EC (as amended) (the “Data Protection Directive”), the Regulation 2016/679 (the “GDPR”), and any laws and regulations implementing these; and

(c) Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Privacy Act”) as amended by Law 25;

(in each case as amended, consolidated, re-enacted or replaced from time to time).

“Data Subject”, “Personal Data”, “Process”, “Processed” and “Processing” shall each have the meaning as set out in the GDPR. Processing shall also mean to “collect, hold, use or communicate to third parties” as found in the Quebec Privacy Act. Personal Data shall also mean “personal information” as found in the Quebec Privacy Act;

“EU Data Protection Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data in force in the territory of the European Union, including the Data Protection Directive, the GDPR, the e-Privacy Directive and the e-Privacy Regulation;

“Model Clauses” mean the Standard Contractual Clauses between controllers and processors under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, as adopted by the European Commission Implementing Decision of June 4, 2021; or alternatively the Standard Contractual Clauses (Controller to Processor) as set out in the European Commission Decision of 5 February 2010 (C (2010) 593), until such time as they are no longer valid on December 27, 2022;

“Regulator” means the data protection supervisory authority which has jurisdiction over a Data Controller’s Processing of Personal Data. This includes but is not limited to the Commission d’accès à l’information in Quebec;

“Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”) and the United Kingdom, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this DPA include Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay.

Any capitalized terms used but not defined herein shall have the meaning given to them in the Agreement.

2. Processing of personal data

2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the “Data Controller”, Cakemail is the “Data Processor” and that Cakemail will engage “Sub-Processors” pursuant to the requirements set forth in Section 8 below.
2.2 The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 “Processing Details” of this DPA.
2.3 The Data Processor shall only process the Personal Data on behalf of and in accordance with documented instructions from the Data Controller. The Parties agree that this DPA is Client’s complete and final instructions to Cakemail in relation to processing of Client Data. The Data Controller shall ensure that its instructions comply with all Applicable Data Protection Laws, and that the Processing of Personal Data in accordance with Data Controller’s instructions will not cause Data Processor to be in breach of the Applicable Data Protection Laws. The Data Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Data Controller acquired Personal Data and shall establish the legal basis for Processing under Applicable Data Protection Laws.
2.4 Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Laws.

3. Authorized personnel

3.1 The Data Processor shall ensure that its personnel authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Data Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4. Rights of data subjects

4.1 The Data Processor shall, to the extent legally permitted, promptly notify the Data Controller if it receives a request from a Data Subject for access to its own Personal Data, or for the rectification or erasure of such Personal Data or any other request or query from a Data Subject relating to its own Personal Data (including Data Subjects’ exercising rights under Applicable Data Protection Laws, such as rights of objection, restriction of processing, data portability or the right not to be subject to automated decision making) (a “Data Subject Request”). Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws. In addition, to the extent the Data Controller, in its use of the Services, does not have the ability to address a Data Subject Request, the Data Processor shall upon Data Controller’s request provide commercially reasonable efforts to assist the Data Controller in responding to such Data Subject Request, to the extent the Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws. To the extent legally permitted, the Data Controller shall be responsible for any costs arising from the Data Processor’s provision of such assistance.

5. Government access requests

5.1 The Data Processor shall promptly notify the Data Controller about any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited from doing so. The Data Controller shall have the right to defend such action in lieu of and/or on behalf of the Data Processor. The Data Processor shall reasonably cooperate with the Data Controller in such defense.

6. Security

6.1 The Data Processor shall implement and maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.

7. Compliance

7.1 The Data Processor shall take reasonable efforts to make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Laws.
7.2 Upon Data Controller’s request, the Data Processor shall provide the Data Controller with reasonable cooperation and assistance needed to fulfil Data Controller’s obligation under the GDPR and the Quebec Privacy Act to carry out a data protection impact assessment related to Data Controller’s use of the Services, to the extent the Data Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Data Processor. The Data Processor shall provide reasonable assistance to the Data Controller in the cooperation or prior consultation with the Regulator in the performance of its tasks relating to Section 7 of this DPA, to the extent required under the GDPR and Applicable Data Protection Laws, including the Quebec Privacy Act.

8. Sub-processing

8.1 The Data Controller agrees that the Data Processor may engage Sub-Processors to Process Personal Data. The Sub-Processors currently engaged by Cakemail and authorized by the Client are listed in Schedule 2 “List of Sub-Processors”
8.2 The Data Processor shall ensure that such Sub-Processor has entered into a written agreement requiring the Sub-Processor to abide by terms no less protective than those provided in this DPA. The Data Processor shall be liable for the acts and omissions of any Sub-Processors to the same extent as if the acts or omissions were performed by the Data Processor.
8.3 The Data Processor shall make available to the Data Controller a list of Sub-Processors authorized to Process Personal Data (“Sub-Processor List”, currently found in Schedule 2) and provide the Data Controller with a mechanism to obtain notice of any updates to the Sub-Processor List. Notification of a new Sub-Processor shall be issued prior to such new Sub-Processor being authorised to Process Personal Data in connection with the Agreement.
8.4 The Data Controller may object to Data Processor’s use of a new Sub-Processor where there are reasonable grounds to believe that the new Sub-Processor will be unable to comply with the terms of this DPA or the Agreement. If the Data Controller objects to Data Processor’s use of a new Sub-Processor, the Data Controller shall notify the Data Processor promptly in writing within ten (10) days after notification regarding such Sub-Processor. Data Controller’s failure to object in writing within such time period shall constitute approval to use the new Sub-Processor. The Data Controller acknowledges that the inability to use a particular new Sub-Processor may result in delay in providing the Services, inability to provide the Services or increased fees. The Data Processor will notify the Data Controller in writing (including by email) of any change to the Services or fees that would result from Data Processor’s inability to use a New Sub-Processor to which the Data Controller has objected. The Data Controller may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. The Data Processor shall have a right to terminate the Agreement if the Data Controller unreasonably objects to a Sub-Processor, or does not agree to a written amendment to the Agreement implementing changes in fees or the Services resulting from the inability to use the Sub-Processor at issue.

9. Return and deletion

9.1 The Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of the Services relating to Processing, and delete existing copies of the Personal Data unless prohibited by law or the order of a governmental or regulatory body or it could subject the Data Processor to liability. Data Processor may also anonymize such Personal Data and retain copies of anonymized Personal Data if permitted by the Applicable Data Protection Laws.
9.2 The Data Controller acknowledges and agrees that the Data Processor shall have no liability for any losses incurred by the Data Controller arising from or in connection with Data Processor’s inability to provide the Services as a result of Data Processor complying with a request to delete or return Personal Data made by the Data Controller pursuant to Section 9.1.

10. Data breach

10.1 In the event there is, or Data Processor reasonably believes that there is, any improper, unauthorized or unlawful access to, use of, or disclosure of, or any other compromise which affects the availability, integrity or confidentiality of Personal Data which is Processed by Data Processor under or in connection with this DPA and/or the Agreement (“Data Breach”), then upon becoming aware of such Data Breach, Data Processor shall promptly notify the Data Controller and provide the Data Controller with the following information as it becomes available:

(i) a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned;

(ii) the name and contact details of the Data Processor contact from whom more information can be obtained; and

(iii) a description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
10.2 The Parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Regulators in connection with a Data Breach, provided that nothing in this Section 10.2 shall prevent either party from complying with its obligations under Applicable Data Protection Laws. The Parties further acknowledge and agree to use the established standards under Applicable Data Protection Laws to determine whether to notify the affected Data Subjects and/or the relevant Regulators, including but not limited to the “risk of serious injury” of the Quebec Privacy Act.

11. International and interprovincial transfers

11.1 The Data Processor will only process data in, or transfer Personal Data to, a Third Country where such processing or transfer takes place based and in compliance with the Model Clauses, with the processing details that comprise Appendix 1 to the Model Clauses, and the technical and organizational security measures that comprise Appendix 2 to the Model Clauses. The Data Processor shall comply with the obligations of the data importer and Data Controller shall comply with the obligations of the data exporter as set out in the Model Clauses.
11.2 Where the Data Processor appoints an affiliate or third-party Sub-Contractor to process Personal Data in a Third Country, the Data Processor must ensure that such processing takes place in accordance with the requirements of the Applicable Data Protection Laws. The parties agree that Personal Data may be transferred to an affiliate or third-party Sub-Contractor in the United States who agrees to process Personal Data according to the Model Clauses.
11.3 The Data Processor will only process data in, or transfer Personal Data to, Sub-Processors in a province other than Quebec after performing an “Assessment of the privacy-related factors” as per the Quebec Privacy Act prior to the Personal Data leaving Quebec. If the PIA does not meet our standards and the standards required by the Quebec Privacy Act, the Data Processor will not transfer Personal Data to such Sub-Processor.

12. General provisions

12.1 This DPA will terminate upon termination of the Agreement or when the Data Processor ceases to Process Personal Data, whichever is later, unless otherwise agreed in writing between the Parties.
12.2 The Parties hereby acknowledge and agree that a person with rights under this DPA may be irreparably harmed by any breach of its terms and that damages alone may not be an adequate remedy. Accordingly, a person bringing a claim under this DPA shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this DPA.
12.3 If one of the Parties seeks changes to the DPA to comply with a change in Applicable Data Protection Laws or binding and final decision of a Regulator with jurisdiction over the Party’ Processing of Personal Data, the Parties will discuss in good faith how to address any necessary changes.
12.4 The section headings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA.

Schedule 1: Processing details

Processing Activities

The Personal Data Processed by Data Processor will be subject to the following basic Processing activities:

‍
Provision of the Services, as outlined in the Agreement and as otherwise agreed upon by the Parties

Duration

The Personal Data Processed by Data Processor will be Processed for the following duration:

The length of the Term of the Agreement between Data Controller and Data Processor.

Data Subjects

The Personal Data Processed by Data Processor concern the following categories of Data Subjects:

Clients and their Subscribers, as those terms are defined in the Agreement or the Cakemail Privacy Policy at https://www.cakemail.com/legal/privacy-policy, and Cakemail website visitors

Categories of Data

The Personal Data Processed by Data Processor includes the following categories of data:

Client information:
  • Contact information (First name, Last name, Phone, Email)
  • Address (includes civic address, city / town, postal code, country)
  • Invoicing and billing information (credit card holder name, number, expiration date, CVV number and billing address)
Subscriber information:
  • First name, Last name
  • Email
Analytics information:
  • Unique analytics identifiers
  • IP addresses
Advertising information:
  • Unique advertising identifiers

Special Categories of Data (if applicable)

The Personal Data Processed by Data Processor concern the following special categories of data:

‍
None by default.

Get email marketing insights sent right to your inbox.

Subscribe to Newsletter
Products
FeaturesEmail Marketing PlatformEmail APIEmail Marketing Add-On for SaaSAgency Email MarketingPricing
Solutions
AgenciesSaaS PlatformsNonprofitsWeb HostsWhite label
Other Industries
Contractors
Dealerships
Ecommerce
Gyms
Hospitality
Real Estate
Restaurants
Retail
Salons
Tourism
Resources
Professional Services
Knowledge Base
API & Developers
Integrations
Blog
Events & WebinarsRelease NotesContact Support
System Status
Company
Media
PressBlog
Careers
About CakemailContact Us
Legal
Terms of UsePrivacy PolicyAnti-Spam PolicyApp LicenseCookie PolicyAffiliate Program Agreement
Cookie Preferences

© Cakemail. All rights reserved.