Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between OnePush ("Processor") and the customer ("Controller") for the processing of personal data in connection with the OnePush messaging platform.

This DPA applies when the Controller is subject to the GDPR or similar data protection laws and uses OnePush to process personal data on behalf of data subjects.

"Personal Data" means any information relating to an identified or identifiable natural person processed through the OnePush platform on behalf of the Controller.

"Processing" means any operation performed on Personal Data, including collection, storage, transmission, and deletion.

"Sub processor" means any third party engaged by OnePush to process Personal Data.

3.1. Subject matter

Processing of Personal Data in connection with transactional email delivery, social publishing, form submissions, and related messaging services provided by OnePush.

3.2. Duration

For the term of the service agreement and until all Personal Data is deleted or returned per the Controller's instructions.

3.3. Nature and purpose

• Sending transactional and campaign messages on behalf of the Controller
• Storing email logs, form submissions, and delivery events
• Providing analytics and webhook notifications

3.4. Categories of data subjects

• End users and customers of the Controller
• Newsletter subscribers and form respondents
• Social media audiences where applicable

3.5. Types of Personal Data

• Email addresses and names
• IP addresses and device data in delivery logs
• Message content and form field responses
• Social profile identifiers where connected

OnePush shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller with data subject requests where feasible
• Notify the Controller of personal data breaches without undue delay
• Delete or return Personal Data upon termination of services
• Make available information necessary to demonstrate compliance

The Controller authorizes OnePush to engage Sub processors for infrastructure, payment processing, and support services. OnePush maintains an up to date list of Sub processors and will notify the Controller of material changes.

Current Sub processors include EU based cloud infrastructure providers and Stripe for payment processing.

OnePush primary infrastructure is hosted within the European Union. Where transfers outside the EEA are necessary, OnePush relies on Standard Contractual Clauses or other approved transfer mechanisms.