Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of any agreement executed between Continuity and a customer that requires Continuity to process personal data on the customer's behalf. It sets the terms, commitments, and controls we apply when operating your licensed Microsoft tenants and related infrastructure.
This DPA is available for countersignature upon request. Customers can obtain a version with signature blocks or propose amendments by contacting our legal team.
1. Definitions
Terms such as "personal data", "processing", "controller", and "processor" have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR"). "Customer" refers to the contracting party receiving Continuity services. "Continuity" refers to the entity providing the services described on this site.
2. Roles of the Parties
Customer acts as the controller. Continuity acts as the processor. We only process personal data on documented instructions from the Customer, except where required to do so by applicable law.
3. Subject Matter and Duration
Processing covers the provisioning, hardening, and monitoring of outbound email infrastructure, including licensed Microsoft tenants, DNS management, and associated playbooks. The DPA remains in force for the duration of the underlying services agreement and continues until all personal data is deleted or returned.
4. Nature and Purpose of Processing
Continuity processes personal data to deliver horizontal scaling infrastructure, incident response, analytics, and resilience improvements on behalf of Customer. This may include sending campaign communications, logging delivery metrics, and safeguarding domains from abuse.
5. Categories of Data and Data Subjects
- Prospect and client contact information (names, business email addresses, company affiliations).
- Campaign performance metadata (delivery logs, engagement signals, suppression indicators).
- Customer administrative data (user accounts, role assignments, support interactions).
6. Security and Confidentiality
Continuity implements technical and organisational measures aligned with Microsoft baseline controls, including enforced multi-factor authentication, role-based access policies, encrypted transport/storage, and continuous monitoring. Personnel accessing personal data are bound by confidentiality obligations.
7. Sub-Processors
Continuity may engage the Sub-Processors listed on the Sub-Processor Register. Customer authorises these engagements. Continuity will inform Customer in advance of changes and provide an opportunity to object where reasonable.
8. Data Subject Rights
Continuity assists Customer in fulfilling data subject requests by providing relevant logs, access tools, or deletion workflows. Requests should be submitted to legal@withcontinuity.com. Continuity will respond without undue delay.
9. Breach Notification
If Continuity becomes aware of a personal data breach impacting Customer data, we will notify Customer without undue delay and share information to support impact assessment, regulatory reporting, and remediation steps.
10. Audit and Compliance Assistance
Upon reasonable notice, Continuity will provide documentation demonstrating compliance with this DPA and will assist with supervisory authority inquiries. On-site audits may be requested once per contract year and are subject to scheduling, scope, and cost allocation agreements.
11. Return or Deletion
At termination, Continuity will return or securely delete personal data within sixty (60) days unless law requires longer retention. Customer may request written confirmation of deletion.
12. Governing Law
This DPA is governed by the laws of the State of South Dakota, United States of America, unless the parties agree otherwise in writing.
13. Contact
For countersigned copies, amendment requests, or additional documentation, reach out to legal@withcontinuity.com.