Data Processing Agreement

Last updated: October 01, 2024

This Data Processing Agreement (the “Agreement”) supplements the Terms of Service available at https://www.heybounce.io/legal/terms/ (the “Terms”) concluded between the Client and Heybounce (Client and Heybounce hereinafter collectively the “Parties” or individually a “Party”). 

By accepting the Terms, the Client enters into this Agreement on behalf of itself and, to the extent applicable, in the name and on behalf of its Authorized Affiliates. For the purposes of this Agreement only, and except where indicated otherwise, the term “Client” shall include Client and Client’s Authorized Affiliates.

1. Definitions

In this Agreement, the following definitions shall apply:

“Authorized Affiliates” means any of Client’s Affiliate(s) which (i) is subject to the Data Protection Laws, and (ii) is permitted to use the Services pursuant to the Terms between Client and Heybounce but has not entered into its own Terms with Heybounce.

“Client” and “Controller” means the entity that has entered into the Terms with Heybounce.

“Client Data” and “Personal Data” shall mean the personal data submitted by the Client to the Services and processed on behalf of the Client by Heybounce as a Processor, as further specified in Section 4 of this Agreement.

“Data Protection Laws” means applicable privacy, security and personal information protection laws and regulations applicable to the Client and/or Heybounce, including, but not limited to, the European General Data Protection Regulation (EU 2016/679) (the “GDPR”); European national laws implementing derogations, exceptions or other aspects of the GDPR; Personal Information Protection and Electronic Documents Act (Canada) (the “PIPEDA”); the California Consumer Privacy Act of 2018, as amended from time to time (the “CCPA”); California Privacy Rights Act of 2020 (the “CPRA”) as well as the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended or replaced from time to time) (the “UK GDPR”); Federal Act on Data Protection of 1992, as amended (Switzerland) (the “FADP”).

“Data Privacy Framework” shall mean the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework.

“Data Privacy Framework Principles” shall mean the principles applicable to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, and which present a set of requirements governing the participating organizations’ use and treatment of personal data received from the EU, UK or Switzerland, as applicable.

“Data Subject” shall have the meaning of “data subject” as defined in Art. 4(1) of the GDPR.

“Heybounce” and “Processor” shall mean HEYBOUNCE LTD, a limited liability company registered in the United States and headquartered at Lale Sok. No:2 D:13, 34758 Atasehir/Istanbul, Turkiye.

“EU” shall mean the European Union.

“EU-U.S. Data Privacy Framework” shall mean the EU-U.S. data transfer mechanism developed by the U.S. Department of Commerce which was recognized by the European Commission Implementing Decision of 10 July 2023 to provide an adequate level of protection of personal data pursuant to the GDPR.

“Services” shall mean the services provided by Heybounce pursuant to the Terms, including in particular the provision of email verification service ‘Heybounce’ available at https://www.heybounce.io

“Swiss-U.S. Data Privacy Framework” shall mean the Swiss-U.S. data transfer mechanism to be recognized by the Swiss Federal Administration’s adequacy decision under the FADP.

“Third Country” shall mean any country outside the EU not recognized by the European Commission as providing an adequate level of protection for Personal Data.

“UK Extension to the EU-U.S. Data Privacy Framework” shall mean the UK-U.S. data transfer mechanism which was recognized by the UK Government decision effective as of 12 October 2023 to provide an adequate level of protection of personal data pursuant to the UK GDPR.

The terms “Data Subject”, “Sub-Processor”, “Processing”, and “Personal Data Breach”, and where applicable “Business”, “Commercial Purpose”, “Consumer”, “Personal Information”, “Service Provider”, “Sell” and “Verifiable Consumer Request”, unless specifically defined otherwise herein, shall bear the respective meanings given to them in the applicable Data Protection Laws. With respect to any Personal Data subject to the CCPA, the Parties acknowledge that the Client is a “Business” and Heybounce is a “Service Provider” as those terms are defined in the CCPA.

2. Subject matter of the Agreement

2.1. This Agreement stipulates the rights and obligations of the Parties regarding the Processing of Client’s Data in connection with the Services to which Heybounce acts as a Processor. 

3. Scope, nature, and purpose of Processing

3.1. Heybounce shall Process the Client’s Data on behalf of the Client as a Processor for the purposes of providing and facilitating the Services to the Client, including improving, enhancing and developing the Services or their features. Heybounce shall Process the Client’s Data in accordance with the applicable Data Protection Laws, this Agreement and the Terms. 

3.2. The nature of the Processing may include any operation that Heybounce may perform on Personal Data or on sets of Personal Data when providing the Services, which may include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, disclosure by transmission or otherwise making available, alignment or combination, erasure or destruction of data (whether or not by automated means).

3.3. The Client shall comply with the Data Protection Laws, remains responsible for the lawfulness of the Processing and hereby represents and warrants that it has all the requisite legal titles (consents or other, as may be applicable) and that it has provided all information and notification to the Data Subjects regarding the collection and processing of their Personal Data provided to Heybounce hereunder, as may be required under the Data Protection Laws. The Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Client acquired the Personal Data. 

4. Categories of Personal Data

4.1. The Categories of Personal Data processed by Heybounce are primarily designated by the Client and include in particular email addresses, submitted by the Client to the Services.

4.2. No special or sensitive categories of Personal Data are processed under this Agreement.

5. Categories of Data Subjects

5.1. Categories of Data Subjects are primarily designated by the Client, based on how it chooses to use the Services, and may include in particular the Client’s customers and prospects.

6. Duration of Processing

6.1. The Processor shall Process the Client’s Data for the duration of the provision of the Services.

6.2. The Processor shall securely erase the Client’s Data from Processor’s storage systems no later than 90 days after the termination of the Terms or end of the provision of the Services (as applicable) or if the Client requests the Processor to do so. Upon written request of the Client, the Processor shall provide the Client with a confirmation of erasure of the Client’s Data.

7. Security of Processing

7.1. The Processor shall maintain appropriate technical and organizational measures to protect the Client’s Data from any misuse, unauthorized access, disclosure, and transfer to any third parties unauthorized by the Client. Such measures shall include, without limitation:

  1. Maintaining adequate access control mechanisms (e.g., password protection and limited access) covering any systems, servers, or files in which the Client’s Data is stored;
  2. DDoS mitigation;
  3. Using SSL encryption for any transmission of the Client’s Data electronically; and
  4. Limiting access to the Client’s Data by Processor’s officers, directors, employees, consultants, and representatives only to the purpose specified in Section 3 of this Agreement.

7.2 The Processor may update or modify the technical and organizational measures from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Services.  

7.3 The Processor shall appropriately document technical and organizational measures implemented for the Processing of the Client’s Data and may provide the then-current version of such documentation to the Client, upon Client’s request (e.g., for audit purposes).

8. Data Subject Requests

8.1 In the event that a Data Subject sends a request to Heybounce and to the extent Heybounce is able to identify the Data Subject and confirm that the request relates to the Processing carried out on behalf of the Client, Heybounce will notify and assist the Client with the fulfillment of Client’s obligations to respond to requests for exercising the Data Subject rights laid down in Data Protection Laws. Heybounce shall not respond to Data Subject requests, unless authorized by the Client, except for informing the Data Subject that it has passed the request to the Client.

9. Further obligations of the Processor

9.1 Notwithstanding the Sections above, the Processor shall also:

  1. Maintain the confidentiality of the Personal Data processed under this Agreement and ensure that its personnel authorized to Process the Client’s Data are under an obligation of confidentiality or an appropriate statutory obligation of confidentiality. Heybounce shall train and educate all its personnel with access to Personal Data on the obligation to comply with Data Protection Laws; 
  2. Upon a written request of the Client, allow for an audit, conducted by the Client or another auditor mandated by the Client. Audits shall be conducted no more frequently than annually and during reasonable times, shall be of reasonable duration, and shall not unreasonably interfere with the Processor’s day-to-day operations. In the event that the Client conducts an audit through a third-party independent contractor, such independent contractor shall be required to enter into a non-disclosure agreement. Additionally, such independent contractor must not be the Processor’s direct or indirect competitor. Each Party shall bear its own costs and expenses arising out of or in connection with the audit;
  3. At Client’s written request, reasonably support the Client in dealing with requests from a supervisory authority with respect to the Processing of the Personal Data hereunder;
  4. Heybounce shall not sell or share, as defined in the CCPA and the CPRA, the Personal Data processed on the Client’s behalf.

10. Sub-processors

10.1 The Client hereby authorizes the Processor to engage the Sub-processors as further specified in this Section 10.

10.2 The Processor may remove or appoint other Sub-processor(s) at its own discretion in accordance with the following conditions:

  1. The Processor shall inform the Client 15 days in advance of any expected changes to the list of the Sub-processors;
  2. If the Client has a legitimate reason to object to Processor’s use of the Sub-processor(s), the Client shall notify the Processor within fourteen (14) days after receipt of Processor’s notice;
  3. If the Client does not object during this time period, the new Sub-processor(s) shall be deemed accepted;
  4. If the Client objects to the use of the Sub-processor(s) concerned, the Processor may, at Processor’s sole discretion:
    1. Choose not to engage the concerned Sub-processor(s) with regard to the Client’s Data; or
    2. Engage the Sub-processor(s) with regard to the Client’s Data after the Processor takes corrective measures requested by the Client.

10.3 Sub-processors engaged by the Processor are subject to the technical and organizational measures that are substantially similar to the technical and organizational measures set out in this Agreement.

10.4 Where the Sub-processor is located in a Third Country, the transfer of Personal Data outside of the EU, United Kingdom and Switzerland to such Third Country shall only take place if the specific conditions as laid down in the applicable Data Protection Laws have been fulfilled, in particular Art. 44 et seq. of GDPR.

10.5 The list of the Sub-processors used by the Processor and hereby authorized by the Client is as follows:

| Sub-processor | Nature and Purpose of Processing | Data centers |
| --- | --- | --- |
| Hetzner | Cloud hosting provider | Germany |
| Cloudflare | Content delivery network provider | US |
| Sentry | Error Monitoring and Reporting | US |
| Resend | Communications technology provider over email | US |
| Paddle | Payment gateway services | Canada |
| Google Workspace | Email Communication and Deliverability Reporting | US |
| Posthog | Product Analytics | Germany |
| Google Analytics | Product Analytics | US |
| HCaptcha | Fraud prevention platform | US |

11. Data Privacy Framework 

11.1 Transfers of Personal Data out of the EU, UK or Switzerland to the Processor located in Turkiye are based on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (as of the effective date of its recognition by the Swiss Federal Administration). Detailed information about the Processor’s compliance with the Data Privacy Framework Principles can be found at: https://www.heybounce.io/legal/privacy/

11.2 The Parties undertake to negotiate and execute any other agreements or documents that might be adopted by competent public authorities for the purpose of amending, replacing, supplementing, or superseding the Data Privacy Framework, or for the purpose of fulfilling any other requirements relating to transfers of Personal Data to Turkiye, as applicable.

12. Personal Data Breaches

12.1 Without undue delay after the Processor becomes aware of any unauthorized use or disclosure of the Client’s Data, the Processor shall promptly report the unauthorized use or disclosure of the Client’s Data to the Client. The Processor shall further comply with breach notification laws and regulations applicable to the Processor.

12.2 The Processor shall in cooperation with the Client mitigate any effects of unauthorized use or disclosure of the Client’s Data.

13. Notifications

13.1 If the Processor receives a request, subpoena or court order (including through an obligation due to legal provisions or official injunctions from state authorities) requesting to provide any of the Client’s Data Processed under this Agreement to an authority, the Processor shall attempt to redirect the relevant authority to request that data directly from the Client, and notify the Client without undue delay, if permitted under applicable laws.

14. Instructions

14.1 Heybounce shall process the Personal Data only on documented instructions from the Client, and immediately inform the Client if, in Heybounce’s opinion, an instruction from the Client infringes the GDPR or other Data Protection Laws. Heybounce shall not be in breach of this Agreement if its Processing of Personal Data that does not comply with Data Protection Laws arises from Client’s use of the Services in violation of the Terms. 

14.2 Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. This Agreement and the Terms constitute Client’s documented instructions to Heybounce for the Processing of Personal Data. Any additional or alternate instructions must be documented, reasonable and consistent with the terms of this Agreement. 

15. Limitation of Liability  

15.1 The Processor’s liability under this Agreement is subject to limitations and exclusions set forth in the Terms. In case the Terms are not entered into between the Parties or do not include provisions on the limitations and exclusions of liability, the Parties agree on the following. 

15.2 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WHATEVER THE LEGAL BASIS FOR THE CLAIM, THE PROCESSOR WILL NOT BE LIABLE FOR ANY INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ATTORNEYS’ FEES), DAMAGES FOR LOST PROFITS OR REVENUES, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) DUE TO, RESULTING FROM, OR ARISING IN CONNECTION WITH PROCESSING OF PERSONAL DATA.  

15.3 To the extent permitted by applicable law, whatever the legal basis for the claim, the Processor’s aggregate liability for any direct damages incurred by the Client in connection with the processing of Personal Data, including for loss of Personal Data, Personal Data Breach or costs related to the investigation, shall not exceed two times the amount of Service fees paid by the Client to the Processor in the preceding calendar year. 

16. Miscellaneous

16.1 No modification of this Agreement shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this Agreement. The foregoing shall also apply to any waiver or modification of this mandatory written form.

16.2 This Agreement shall take precedence over any conflicting provisions of the Terms. Except as provided otherwise in this Agreement, any dispute or controversy relating to this Agreement shall be resolved under the law and jurisdiction specified in the Terms.

16.3 This Agreement will commence on the date when the Terms are accepted by the Client and shall remain in effect throughout the duration of the Terms or for the period during which the Processor provides the Services to the Client, as applicable.

16.4 Neither Party may assign this Agreement or any of their rights or obligations under this Agreement without the other Party’s prior written consent.

16.5 The Parties shall attempt to resolve any dispute arising out of or relating to this Agreement in good faith through negotiations between senior executives of the Parties, who have authority to settle the same. If the matter is not resolved by negotiation within thirty (30) days of receipt of a written invitation to negotiate, the dispute shall be resolved by using binding arbitration services.

16.6 The headings used in this Agreement and its division into sections, schedules, exhibits, appendices, and other subdivisions do not affect its interpretation.