Data Processing Agreement

Last Updated: December 15th, 2025

This Data Processing Agreement (“DPA”) governs the processing of Customer Personal Data (as defined below) by Stodge Inc. d/b/a Postscript (“Postscript”) in connection with providing the Postscript Services to Customers. This DPA supplements, and is incorporated by reference into, the Postscript Terms of Service and any relevant Service Order for Postscript Services. By using the Postscript Services, or by signing a Service Order for Postscript Services, you accept and agree to be bound by this DPA.

Postscript may update this DPA at any time, in its sole discretion. Postscript will notify you of changes to this DPA by posting the changes to the Postscript website or application, by email, or through other communications. If you continue to use the Postscript Services after Postscript posts updates to the DPA, you agree to be bound by those updated terms.

This DPA will remain in effect from the earlier of the date you begin using Postscript Services or enter a Service Order for Postscript Services, until such time as Postscript no longer processes Customer Personal Data on your behalf. This DPA will expire upon deletion or disposal of all Customer Personal Data.


1. Definitions

“Account Data” means Personal Data of Customer’s personnel and authorized representatives that Postscript collects in connection with account creation, billing, access to the Postscript Services, and contract administration.

“Customer” or “you” means the counterparty entering this DPA.

“Customer Personal Data” means Personal Data processed by Postscript on behalf of Customer in connection with the provision of the Postscript Services. Customer Personal Data does not include Account Data, or Personal Data that Postscript or its affiliates receive directly from Postscript’s end users.

“Data Protection Laws” means all applicable data privacy and data protection laws, rules, and regulations to which Customer Personal Data is subject, which may include the GDPR and US Data Protection Laws.

“Data Subject Request” means a valid and lawful request from or on behalf of an individual to exercise that individual’s rights relating to Personal Data under Data Protection Laws.

“GDPR” means the EU General Data Protection Regulation 2016/679 or, where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018.

“Non-Personal Data” means Customer Personal Data that has been aggregated, de-identified, or anonymized so it no longer meets the definition of Personal Data under Data Protection Laws, and cannot reasonably be identified to Customer.

“Personal Data” has the meaning assigned to the terms “personal data”, “personal information”, “personally identifiable information”, and similar terms as defined under Data Protection Laws.

“Postscript Services” has the meaning set forth in the Postscript Terms of Service.

“Postscript Terms of Service” means the Postscript Terms of Service available at https://postscript.io/terms-of-service, as updated from time to time.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data on systems managed by or otherwise controlled by or on behalf of Postscript.

“Standard Contractual Clauses” means the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“UK” means the United Kingdom of Great Britain and Northern Ireland.

“US Data Protection Laws” means all applicable federal and state data privacy and data protection laws, rules, and regulations in effect in the United States to which Customer Personal Data is subject, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.

“UK Addendum” means the International Data Transfer Addendum to the European Commission's standard contractual clauses for international data transfers issued by the UK Information Commissioner's Office under S119A(1) of the UK Data Protection Act 2018.

The terms “controller”, “processor”, “data subject”, “process”, “supervisory authority”, “sensitive personal data”, “special categories of personal data”, “subprocessor”, “business”, and “service provider” will have the same meaning assigned to them in relevant Data Protection Laws.

Under this DPA, the words “include” and “including” mean “including but not limited to.”

Capitalized terms used but not defined within this DPA will have the meaning set forth in the Postscript Terms of Service.

2. Roles of the Parties 

2.1 When providing the Postscript Services to Customers and as otherwise set forth in this Section: (a) for purposes of the GDPR, Customer acts as a controller or processor, and Postscript acts as a processor or subprocessor, as further described in Schedule 1; and (b) for purposes of US Data Protection Laws, Postscript acts as a service provider or processor, as further described in Schedule 3. 

2.2 Where Postscript processes Account Data, for purposes of the GDPR, it acts as a data controller. For purposes of US Data Protection Laws, Postscript acts as a business. Postscript’s data processing activities related to Account Data are subject to the Postscript Privacy Policy available at https://postscript.io/privacy.

2.3 Customer represents and warrants that: (a) Customer will comply with its obligations as a controller under Data Protection Laws in respect of its processing of Customer Personal Data and any processing instructions it issues to Postscript; and (b) it has provided notice and obtained all necessary authorization (including verifiable consent) and rights necessary under Data Protection Laws for Postscript to process Customer Personal Data and provide the Postscript Services.

3. Data Processing

3.1 Postscript will process Customer Personal Data only to provide the Postscript Services in accordance with the Postscript Terms of Service and any relevant Service Order. Customer may issue further written instructions in accordance with this DPA. Postscript will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and Data Protection Laws, and the parties will act promptly and in good faith to modify the instructions.

3.2 Postscript will limit access to Customer Personal Data only to personnel who have a business need for such access, and will ensure that such personnel are subject to confidentiality obligations at least as protective of Customer Personal Data as the terms of this DPA.

3.3 Where permitted by Data Protection Laws, Postscript may process Customer Personal Data: (i) for its internal use to build or improve the quality of its products and services; (ii) to detect Security Incidents; (iii) to protect against fraudulent or illegal activity, including to verify that a subscriber is authorized to consent to receive marketing messages by identifying the device or confirming the subscriber’s contact information; and (iv) any other purposes permitted by Data Protection Laws.

3.4 Postscript may process Non-Personal Data for its own lawful purposes, including to improve Postscript’s products and services.

4. Subprocessors

4.1 Customer authorizes Postscript to engage subprocessors to process Customer Personal Data. Postscript will enter into a written agreement with subprocessors imposing requirements for processing Customer Personal Data that are consistent with this DPA. Postscript will remain responsible to Customer for a subprocessor’s failure to perform its obligations related to processing of Customer Personal Data.

4.2 Postscript makes available a list of subprocessors online. Postscript will publish and make available to Customer any proposed updates with reasonable advance notice. Postscript may notify Customer via the Postscript website or application, the contact email associated with Customer’s account, or other means of communication. Customer may object in good faith to Postscript’s use of a new subprocessor by written notice within ten (10) days after Postscript has published its proposed change. The parties will work together in good faith to find a mutually acceptable resolution to such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the portion of any relevant Service Order relating to the affected Postscript Services by providing no less than thirty (30) days’ written notice. During any such objection period, Postscript may suspend the affected portion of the Postscript Services in its sole discretion.

5. Cross-Border Transfers of Customer’s Personal Data

5.1 Customer authorizes Postscript to store and process Customer Personal Data anywhere Postscript or its subprocessors maintain facilities, including the United States.

5.2 If Customer Personal Data originating in the European Economic Area is transferred, either directly or via onward transfer, to a country that is not recognized by the European Commission as providing an adequate level of protection for Personal Data, the Standard Contractual Clauses as supplemented by this DPA will apply to the transfer. Each party’s acceptance of this DPA will be considered a signature to the Standard Contractual Clauses to the extent applicable hereunder. For purposes of the Standard Contractual Clauses:

(a) Module Two will apply in the case of processing where Customer acts as a controller of Customer Personal Data with Postscript acting as a processor of Customer Personal Data. Module Three will apply in the case of processing where Customer acts as a processor of Customer Personal Data with Postscript acting as a subprocessor of Customer Personal Data.

(b) Clause 7 of the Standard Contractual Clauses (Docking Clause) will not apply.

(c) Clause 9(a) Option 2 (General Written Authorization) is selected, and the time period to be specified is determined in Section 4 (Subprocessors).

(d) The option in clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

(e) With regard to clause 17 of the Standard Contractual Clauses (Governing law), Customer and Postscript agree that option one will apply, and that the governing law will be the law of the Republic of Ireland.

(f) In clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), Customer and Postscript agree that any dispute arising from the Standard Contractual Clauses will be resolved by the courts of the Republic of Ireland.

(g) For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 contains the specifications regarding the parties, the description of the transfer, and the competent supervisory authority.

(h) For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.

(i) The specifications for Annex III of the Standard Contractual Clauses are determined by Section 4 (Subprocessors) of this DPA. The subprocessor’s contact person’s name, position, and contact details will be provided by Postscript upon request.

5.3 If Customer Personal Data originating in the UK is transferred, either directly or via onward transfer, to a country that is not recognized by the UK as providing an adequate level of protection for Personal Data, the UK Addendum will apply to the transfer, and will be deemed executed between the relevant Customer and Postscript. If Customer directs Postscript to transfer Customer Personal Data from any other jurisdiction where applicable Data Protection Laws require that additional steps, or safeguards, be imposed before such Customer Personal Data can be transferred to another jurisdiction, Postscript will cooperate with Customer to take appropriate steps to comply with applicable Data Protection Laws. 

5.4 Postscript will, upon Customer’s request, provide information to Customer which is reasonably necessary to complete a transfer impact assessment. At Postscript’s reasonable request, Customer will reimburse Postscript for any assistance provided by Postscript with respect to a transfer impact assessment.

5.5 Postscript may, in its sole discretion, replace any transfer mechanism to ensure that data transfers comply with Data Protection Laws. If at any time a transfer mechanism set forth in this DPA ceases to constitute an appropriate safeguard under Data Protection Laws, Postscript may update this DPA with alternative appropriate measures.

6. Data Subject Rights Requests. As between Customer and Postscript, Customer will have sole discretion and responsibility in responding to Data Subject Requests. Postscript will provide Customer with self-service functionality as further described in the Postscript help center or with other reasonable assistance as required for Customer to fulfill its obligations under Data Protection Laws to respond to Data Subject Requests. Postscript may charge Customer, and Customer will reimburse Postscript, for any such assistance beyond providing self-service features included as part of the Platform Services. Postscript will forward to Customer without undue delay any Data Subject Request received by Postscript, and may advise the relevant individual to submit their request directly to Customer.

7. Regulator and Government Requests. Postscript will provide prompt written notice to Customer of any request for disclosure of, or access to, Customer Personal Data, or any other notices, complaints, or enforcement actions related to Customer Personal Data, that have been submitted or brought by a government or regulatory body or law enforcement agency, including any data protection supervisory authority. The foregoing obligation will not apply to the extent prohibited by law or legally binding order of the relevant body or agency. Where possible, Postscript will allow Customer to assume conduct of and respond to requests under this Section, or otherwise challenge such request by all reasonable means.

8. Data Protection Impact Assessments and Prior Consultation. Where required by Data Protection Laws, at Customer’s expense, Postscript will provide reasonable assistance to Customer to perform a data protection impact assessment.

9. Security. Postscript will implement and maintain reasonable administrative, technical, and physical measures designed to protect Customer Personal Data. When assessing the appropriate level of security, Postscript will take into account the nature of the Customer Personal Data, and the scope, context, and purpose of relevant processing.

10. Security Incidents. Upon becoming aware of a Security Incident, Postscript will provide written notice as required by Data Protection Laws without undue delay and within the time frame required under Data Protection Laws to the email address associated with Customer’s account. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or data subjects affected by the Security Incident. Postscript will take reasonable steps to contain, investigate, and mitigate any Security Incident, and to the extent practicable, will provide Customer with timely information about the foregoing. Postscript’s notification or response to a Security Incident under this Section will not be construed as an acknowledgement of any fault or liability by Postscript.

11. Assessments and Audits. Postscript will provide information reasonably necessary to demonstrate compliance with this DPA upon Customer’s reasonable request. Where Data Protection Laws afford Customer an audit right, Customer (or its independent third-party auditor reasonably acceptable to Postscript) may carry out an audit of Postscript’s policies, procedures, and records relevant to the processing of Customer Personal Data by having Postscript complete a data protection questionnaire of reasonable length.

12. End of Processing. Following termination of a Customer’s account and after you cease all use of the Postscript Services, Postscript will, at Customer’s option, delete and/or provide to Customer a copy of all Customer Personal Data, except that: (a) backup or archival copies will be deleted in accordance with Postscript’s data retention schedule; and (b) for compliance with Applicable Laws, Postscript will retain relevant data solely for that purpose and consistent with all other obligations under this DPA.

13. General. This DPA together with the Postscript Terms of Service sets forth the entire agreement between Customer and Postscript with respect to the subject matter of this DPA. Except for the changes made by this DPA, the Postscript Terms of Service and any relevant Service Order remain unchanged and in full force and effect. If any term or condition of this DPA is declared illegal or otherwise unenforceable, it will be severed from the remainder of this DPA without affecting the legality or enforceability of the remaining portions. To the extent this DPA conflicts with the Postscript Terms of Service or a relevant Service Order, this DPA will govern, unless the Service Order expressly states that a relevant term will supersede. For the avoidance of doubt and to the extent allowed by Data Protection Laws, all limitations of liability set forth in the Postscript Terms of Service apply to this DPA.

Schedule 1: Details of Processing

With respect to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to Postscript (as data importer):

A. List of Parties

1. Data Exporter

Customer operating in the countries which comprise the European Economic Area and UK.

Customer’s contact person details will be notified to Postscript prior to the processing of Customer Personal Data via Customer’s account.

The activities relevant to the data transfer under the Standard Contractual Clauses are the Postscript Services, as may be further described in a Service Order between Customer and Postscript.

Customer acts as a controller (Module Two) or processor (Module Three).

2. Data Importer: Postscript

Stodge Inc. d/b/a Postscript, 

ATTN: Legal Department, 

3370 N Hayden Road, Suite 123-251,

Scottsdale AZ 85251

United States

The data importer’s contact person can be contacted at privacy@postscript.io.

The activities relevant to the data transfer under the Standard Contractual Clauses are the Postscript Services, as may be further described in a Service Order between Customer and Postscript.

Postscript acts as a processor (Module Two) or subprocessor (Module Three).

B. Description of the Transfer

1. Categories of Data Subjects: Customer’s subscribers, customers, and other individuals that Customer may seek to engage through marketing communications using the Postscript Services.

2. Categories of Personal Data Transferred: Personal Data related to Customer’s marketing communications and as otherwise determined by Customer’s configuration of the Postscript Services, which may include full name, phone number, email address, address, shipping information, purchase and transaction information, device ID, IP address, browsing data from Customer’s website (e.g. products viewed and/or included in shopping carts), message content and related message data, and other Personal Data Customer may choose to collect via or provide to Postscript.

3. Special Categories of Personal Data (If Applicable): Customer will not transfer any sensitive Personal Data or special categories of Personal Data to Postscript.

4. Frequency of the Transfer: Personal Data is transferred on a continuous basis and is determined by the Customer’s configuration of the Postscript Services.

5. Nature of the Processing: Processing required for the provision of Postscript Services to Customers as further described in the Postscript Terms of Service, including collection, access, use, transfer, deletion, hosting, and storage of Customer Personal Data.

6. Purpose(s) of the Data Transfer and Further Processing: Personal Data is processed for the purpose of providing the Postscript Services to Customers, and as otherwise set forth in this DPA.

7. The Period for Which Personal Data Will Be Retained, or, If That Is Not Possible, The Criteria Used to Determine That Period: Postscript will retain Customer Personal Data as further set forth in Section 12 (End of Processing).

8. Sub-Processor (If Applicable): A list of subprocessors is made available online, as further described in Section 4 (Subprocessors) of the DPA.

C. Competent Supervisory Authority.

The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13. With respect to Customer Personal Data subject to the UK Addendum, competent supervisory authority means the UK Information Commissioner’s Office.

Schedule 2: Technical and Organizational Measures

Postscript has implemented the following technical and organizational measures. Postscript may update or amend these measures from time to time.

1. Administrative Measures 

  • Security Program and Policies. Postscript maintains an ISMS governance framework with defined security roles and responsibilities (including an Information Security Officer) and approved security policies covering (among others) access control, encryption, endpoint security, operations security, asset management, data classification, vendor management, incident management, and acceptable use. Policies are reviewed at least annually and when significant changes occur.

  • Risk Assessment. The information security team performs risk assessments, and implements and maintains controls for risk identification, monitoring, reporting, and mitigation.

  • Asset Management. Postscript classifies and protects information assets (infrastructure, software, physical, service, people, and documentation assets) throughout their lifecycle, with ownership and handling requirements defined.

  • Training. Security and policy awareness training is provided at onboarding and at least annually thereafter. Staff acknowledge applicable policies annually.

  • Business Continuity and Disaster Recovery. Postscript maintains backup and restoration procedures, tests restoration, stores backups in redundant locations, and periodically tests business continuity and disaster recovery capabilities.

  • Data Retention and Deletion. Postscript implements and maintains data retention policies and procedures related to Personal Data and reviews these policies and procedures as appropriate.

2. Physical Measures

  • Postscript Facilities. Postscript offices are located in a multi-tenant building where key-card access is managed by the building’s security provider/landlord. Postscript coordinates with building management on visitor and access expectations.

  • Service Providers. Postscript uses reputable third-party service providers to host its production infrastructure. Postscript relies on these third parties to manage the physical access controls to the data center facilities that they manage. 


3. Technical Measures

  • Encryption. Postscript encrypts data at rest (e.g. managed database/storage encryption; device disk encryption) and in transit (TLS for external communications using trusted certificates). Passwords and cryptographic keys are protected; custom (“roll-your-own”) cryptography is discouraged.

  • Access Controls. Postscript implements measures to prevent systems from being used by unauthorized persons, including user identification and authentication procedures, ID/password security procedures, automatic blocking (e.g. password or timeout) and break-in-attempt monitoring. Postscript implements measures to ensure that persons entitled to use a data processing system gain access only to the data allowed for their access rights, and that data cannot be read, copied, modified, or deleted without authorization. Periodic access reviews are performed.

  • Vulnerability Assessments. Postscript performs continuous, tool-based vulnerability scanning, and tracks and remediates vulnerabilities by severity. In addition, Postscript commissions an annual third-party penetration test.

  • Disclosure Controls. Postscript implements measures to ensure that: (a) Personal Data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage on storage media; and (b) Postscript can verify to which companies or other legal entities Personal Data is disclosed, including logging, transport security, and encryption.

  • Separation Controls. Postscript implements measures to ensure that Personal Data collected for different purposes can be processed separately, including “least privileged” limitation of access to data by internal service; segregation of functions (production/testing); procedures for storage, amendment, deletion, and transmission of data for different purposes; and logical segmentation processes to manage the separation of Personal Data.

  • System Configuration. Secure configuration baselines are established and monitored for drift. Endpoints follow hardening standards and are managed via MDM to enforce disk encryption, screen-lock/timeout, and endpoint/antivirus protection. Security patches and configuration updates are applied on a risk-based cadence.

  • Change Management. Changes to production systems (infrastructure, applications, and configurations) follow formal change control: documented change requests; security and impact analysis; approval; testing in segregated environments; version control with peer/independent review; and scheduled deployment with rollback plans. Duties are segregated between author, reviewer, and deployer where feasible; change records and approvals are retained. Vendor-supplied updates are evaluated and tested; automatic updates on critical systems are risk-assessed before enabling; platform changes trigger technical review and regression testing; independent acceptance testing occurs prior to release; development/test environments are isolated from production and access is limited.

Schedule 3: US Addendum

This US Addendum will apply to any processing of Customer Personal Data by Postscript as a service provider or processor under this DPA, subject to US Data Protection Laws.

To the extent required by US Data Protection Laws, Postscript will not: 

(a) sell Customer Personal Data or otherwise make Customer Personal Data available to any third party for monetary or other valuable consideration;

(b) share Customer Personal Data with any third party for cross-behavioral or targeted advertising;

(c) retain, use, or disclose Customer Personal Data for any purpose other than for the business purposes specified in the Postscript Terms of Service and any relevant Service Order, or as otherwise permitted by US Data Protection Laws;

(d) retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties; and 

(e) except as otherwise permitted by US Data Protection Laws, combine Customer Personal Data with Personal Data that Postscript receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.

The foregoing will not restrict Postscript from:

(i) complying with Applicable Laws;

(ii) complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; 

(iii) cooperating with law enforcement agencies concerning conduct that Postscript believes in good faith may violate federal, state, or local laws; or

(iv) exercising or defending legal claims.