Data Processing Agreement
Member Loop, LLC d/b/a CopyLoop — Last Updated: March 28, 2026
Parties and Background
(A) Customer ("Customer") has entered into an agreement with Member Loop, LLC d/b/a CopyLoop ("CopyLoop") (each a "Party" and collectively the "Parties") under which CopyLoop has agreed to provide the Services in accordance with such agreement (the "Agreement"). This Data Processing Agreement (the "DPA") is incorporated into and forms part of the Agreement and shall be effective on the effective date of the Agreement, except that for customers that have entered into an Agreement before the DPA updated date above, the DPA shall be effective on the “Last Updated” date listed above and shall replace any previously agreed data processing and security terms.
(B) To the extent that CopyLoop processes any Customer Personal Data (as defined below) on behalf of the Customer (or, where applicable, the Customer Affiliate) in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.
1. Definitions
1.1 Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA shall be defined as follows:
“Account Information” means Customer’s information, including Personal Data of Customer and Customer Affiliate’s users, provided for account creation, access, administration, and maintenance, and may include names, usernames, login credentials, phone numbers, email addresses, and billing information associated with a CopyLoop account.
“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement.
“Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including, where applicable, European Data Protection Laws, US Data Protection Laws, the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018, and the Privacy Act 1988 (Cth) of Australia (“Australian Privacy Law”).
“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.
“Customer Personal Data” means the Personal Data processed by CopyLoop on behalf of Customer or Customer Affiliate in connection with the provision of the Services, which specifically excludes Personal Data contained in Account Information.
“Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, or where applicable, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, and their respective successors.
“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as amended, superseded, or replaced.
“EEA” means the European Economic Area.
“Effective Date” means the date that the DPA is effective, as set forth in clause (A) above.
“European Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, "UK Data Protection Laws"); and (v) the Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA").
“Europe” means, for the purposes of this DPA, the European Economic Area and its member states ("EEA"), Switzerland, and the United Kingdom ("UK").
“GDPR” means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as defined in section 3 of the Data Protection Act 2018.
“Mandatory Clauses” means "Part 2: Mandatory Clauses" of the Approved Addendum.
“Member State” means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.
“Personal Data” means any information relating to an identified or identifiable individual, or that is otherwise “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by Applicable Data Protection Laws.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data on systems managed or otherwise controlled by CopyLoop.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated last four digits of a credit or debit card); (c) employment, financial, credit, genetic, biometric, or health information; (d) racial, ethnic, political, or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under Applicable Data Protection Laws.
“Services” means the services provided by CopyLoop under the applicable Agreement, including AI-powered content generation, email marketing, CRM integration, document processing, and related platform capabilities.
“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
“Sub-processor” means CopyLoop Affiliates and third-party processors appointed by CopyLoop to process Customer Personal Data.
“UK” means the United Kingdom of Great Britain and Northern Ireland.
“US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the processing of Personal Data, privacy, and/or data protection in force from time to time in the United States, which may include the California Consumer Privacy Act (Cal. Civ. Code Sections 1798.100 et seq.), as amended by the California Privacy Rights Act of 2023, along with its implementing regulations ("CCPA"), and other applicable state privacy laws.
1.2 The terms "controller," "processor," "data subject," "process," "supervisory authority," "sell," and "service provider" shall have the same meaning as set out in the Applicable Data Protection Laws, or if not defined thereunder, the GDPR, and "processes" and "processed," with respect to any Customer Personal Data, shall be interpreted accordingly.
2. Interaction with the Agreement
2.1 This DPA supplements and, in the case of contradictions, supersedes the Agreement with respect to any processing of Customer Personal Data. In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) the SCCs (where applicable); then (ii) this DPA; and then (iii) the Agreement.
2.2 With respect to Customer Affiliates, by entering into the Agreement Customer warrants it is duly authorized to enter into this DPA for and on behalf of any such Customer Affiliates and, subject to Section 2.3, each Customer Affiliate shall be bound by the terms of this DPA as if they were the Customer.
2.3 Customer warrants that it is duly mandated by any Customer Affiliates on whose behalf CopyLoop processes Customer Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Customer Affiliates, and to act on behalf of the Customer Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Customer Affiliates.
2.4 The Parties agree that any notice or communication sent by CopyLoop to Customer shall satisfy any obligation to send such notice or communication to a Customer Affiliate.
2.5 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
2.6 This DPA shall remain in effect for as long as CopyLoop carries out Customer Personal Data processing operations on behalf of Customer or until termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with Section 9).
3. Role of the Parties
3.1 The Parties acknowledge and agree that:
(a) For the purposes of the GDPR, CopyLoop acts as "processor" or "sub-processor." CopyLoop’s function as processor or sub-processor will be determined by the function of Customer:
(i) In general, Customer functions as a controller, whereas CopyLoop functions as a processor.
(ii) In certain cases, Customer functions as a processor on behalf of Customer’s clients (for example, where Customer is a marketing agency processing Personal Data on behalf of its end clients), and Customer and Customer’s client have concluded a data processing agreement in relation to the processing of Personal Data of Customer’s clients’ data subjects; in such cases, CopyLoop functions as a sub-processor.
(b) For the purposes of the US Data Protection Laws, CopyLoop will act as a "service provider" or "processor" in its performance of its obligations pursuant to the Agreement.
(c) Account Information shall not be governed by this DPA and shall be subject to CopyLoop’s Privacy Policy.
3.2 Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Laws, in respect of its processing of Customer Personal Data and any processing instructions it issues to CopyLoop; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Laws for CopyLoop to process Customer Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such data.
3.3 Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Applicable Data Protection Laws) applicable to any email campaigns, marketing communications, or other content created, sent, or managed through the Services, including those relating to obtaining consents (where required) to send emails, the content of the emails, and Customer’s email deployment practices.
3.4 Customer will not provide (or cause to be provided) any Sensitive Data to CopyLoop for processing under the Agreement, and CopyLoop will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
3.5 Where Customer acts as a processor on behalf of a third-party controller, Customer warrants that its processing instructions as set out in the Agreement and this DPA, including its authorizations to CopyLoop for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant controller. Customer shall serve as the sole point of contact for CopyLoop, and CopyLoop need not interact directly with any third-party controller. Customer shall be responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
4. Details of Data Processing
4.1 The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Agreement and in Schedule 1 (Details of Processing).
4.2 Customer Personal Data will only be processed on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall be Customer’s instructions for the processing of Customer Personal Data. Customer may issue further written instructions in accordance with this DPA. The Parties agree that the Agreement, including this DPA, along with Customer’s configuration of or use of any settings, features, or options in the Services (as Customer may modify from time to time) constitute Customer’s complete and final instructions to CopyLoop in relation to the processing of Customer Personal Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties.
4.3 If Customer’s instructions will cause CopyLoop to process Customer Personal Data in violation of Applicable Data Protection Laws or outside the scope of the Agreement or this DPA, CopyLoop shall promptly inform Customer thereof, unless prohibited by Applicable Data Protection Laws (without prejudice to the SCCs).
4.4 CopyLoop may store and process Customer Personal Data anywhere CopyLoop or its Sub-processors maintain facilities, subject to Section 5 of this DPA and Section 7 (International Transfers).
5. Sub-processors
5.1 Customer grants CopyLoop general authorization to engage Sub-processors to process Customer Personal Data, subject to Section 5.2, from an agreed list. CopyLoop’s current Sub-processors are listed at https://copyloop.com/legal/subprocessors as of the Effective Date, and a summary is provided in Schedule 3 (Sub-processors).
5.2 CopyLoop shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than CopyLoop’s obligations under this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA and for any acts or omissions of such Sub-processor that cause CopyLoop to breach any of its obligations under this DPA.
5.3 CopyLoop shall provide Customer with at least fifteen (15) days’ notice of any proposed additions or replacements to the Sub-processors it uses to process Customer Personal Data, by updating the Sub-processor list at the URL referenced in Section 5.1 and, if Customer has opted in to receive such notifications, by email. Customer may reasonably object to CopyLoop’s use of a new Sub-processor (including when exercising its right to object under Clause 9(a) of the SCCs) by providing CopyLoop with written notice of the objection within ten (10) days after CopyLoop has provided notice to Customer of such proposed change (an "Objection"). Such Objection must be based on reasonable grounds relating to data protection.
5.4 In the event Customer objects to CopyLoop’s use of a new Sub-processor, Customer and CopyLoop will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either Party may, as its sole and exclusive remedy, terminate the affected portion of the Agreement by providing written notice to the other Party, without liability to either Party (but without prejudice to any fees incurred by Customer prior to such termination). During any such Objection period, CopyLoop may suspend the affected portion of the Services.
5.5 CopyLoop shall ensure that any person who is authorized by CopyLoop to process Customer Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
6. Security
6.1 CopyLoop will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure the security and confidentiality of Customer Personal Data and to protect against Security Incidents, including, without limitation, protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. CopyLoop will implement and maintain as a minimum standard the measures set out in Schedule 2 (Technical and Organizational Measures).
6.2 CopyLoop may update or modify the security measures set out in Schedule 2 from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
6.3 Customer is responsible for reviewing the information made available by CopyLoop relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws.
6.4 Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Customer Personal Data uploaded to the Services.
7. Security Incidents
7.1 CopyLoop shall notify Customer in writing without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of any Security Incident.
7.2 CopyLoop shall reasonably cooperate in the investigation of any such Security Incident and any obligation of Customer under Applicable Data Protection Laws to make any notifications to individuals, supervisory authorities, governmental or other regulatory authorities, or the public in respect of such Security Incident.
7.3 CopyLoop shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Customer timely information about the Security Incident, including, but not limited to:
(a) the nature and scope of the Security Incident, including, where possible, the categories and approximate number of data subjects and records concerned;
(b) the likely consequences of the Security Incident;
(c) the measures taken or proposed to mitigate or contain the Security Incident; and
(d) the status of the investigation.
7.4 CopyLoop’s notification of or response to a Security Incident under this Section 7 will not be construed as an acknowledgment by CopyLoop of any fault or liability with respect to the Security Incident. CopyLoop will not assess the contents of Customer Personal Data to identify any specific reporting or other legal obligations that are applicable to Customer. Any and all regulatory and/or data subject reporting obligations related to the Security Incident are the responsibility of Customer.
7.5 Notification(s) of any Security Incident(s) by CopyLoop shall be delivered to the notification email or address provided in the Agreement or Customer’s account. Customer is solely responsible for ensuring that notification contact details (e.g., phone and email) are valid and accurate.
8. Data Subject Rights and Cooperation
8.1 As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data ("Data Subject Request").
8.2 CopyLoop will forward to Customer without undue delay any Data Subject Request received by CopyLoop or any Sub-processor from an individual in relation to their Customer Personal Data and may advise the individual to submit their request directly to Customer. If CopyLoop is required to respond to such a request, CopyLoop shall, where Customer is identified or identifiable from the request, promptly notify Customer and provide Customer with a copy of the request unless CopyLoop is legally prohibited from doing so.
8.3 CopyLoop will (taking into account the nature of the processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests. Such self-service functionality includes the ability to access, export, correct, and delete Customer Personal Data through the CopyLoop platform. CopyLoop may charge Customer for any such assistance beyond providing self-service features included as part of the Services.
8.4 To the extent required under Applicable Data Protection Laws, CopyLoop shall (considering the nature of the processing and the information available to CopyLoop) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Applicable Data Protection Laws.
9. Data Retention and Deletion
9.1 Upon termination or expiration of the Agreement, CopyLoop shall provide Customer with a period of thirty (30) days during which Customer may export or retrieve all Customer Personal Data using CopyLoop’s self-service export tools or by submitting a written request.
9.2 Following the expiration of the thirty (30) day export period described in Section 9.1, CopyLoop shall, within ninety (90) days, delete and use all reasonable efforts to procure the deletion of all copies of Customer Personal Data processed by CopyLoop or any Sub-processors.
9.3 Notwithstanding anything to the contrary, CopyLoop may retain copies of Customer Personal Data where, and only to the extent, CopyLoop reasonably determines such retention is (i) required to comply with applicable laws, a court order, subpoena, or regulatory requirement applicable to CopyLoop, or (ii) necessary for the establishment, exercise, or defense of legal claims. In such cases, CopyLoop shall securely isolate and protect such data from any further processing and shall eventually delete it in accordance with CopyLoop’s deletion policies.
9.4 The Parties agree that the certification of deletion of Customer Personal Data described in Clauses 8.5 and 16(d) of the SCCs (as applicable) shall be provided by CopyLoop to Customer only upon Customer’s written request.
10. Security Reports and Audits
10.1 CopyLoop shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer, in order to assess compliance with this DPA.
10.2 Customer or its independent third-party auditor reasonably acceptable to CopyLoop (which shall not include any auditors who are not suitably qualified or independent or are a competitor of CopyLoop) may audit CopyLoop’s compliance with its obligations under this DPA up to once per year, or more frequently in the event a Security Incident has occurred or to the extent required by Applicable Data Protection Laws, including where mandated by Customer’s regulatory or governmental authority.
10.3 To request an audit, Customer must submit a detailed proposed audit plan to CopyLoop at least two (2) weeks in advance of the proposed audit date. CopyLoop will review the proposed audit plan and work cooperatively with Customer to agree on a final audit plan. All such audits must be conducted during regular business hours, subject to the agreed final audit plan and CopyLoop’s health and safety or other relevant policies, and may not unreasonably interfere with CopyLoop’s business activities. Nothing in this Section 10.3 shall require CopyLoop to breach any duties of confidentiality.
10.4 If the requested audit scope is addressed in a SOC 2 Type 2 report, ISO 27001 certification, or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and CopyLoop confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
10.5 Customer will promptly notify CopyLoop of any non-compliance discovered during the course of an audit and provide CopyLoop any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
10.6 Any audits are at Customer’s expense. Customer shall reimburse CopyLoop for any time expended by CopyLoop or its Sub-processors in connection with such audits at CopyLoop’s then-current professional services rates.
11. International Transfers
11.1 Data Center Locations
Customer acknowledges that CopyLoop may transfer and process Customer Personal Data to and in the United States and anywhere else in the world where CopyLoop, its Affiliates, or its Sub-processors maintain data processing operations. CopyLoop shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.
11.2 Standard Contractual Clauses
The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 4 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to CopyLoop (as data importer), to the extent and for as long as CopyLoop cannot rely on the DPF according to Section 11.3 or another adequate transfer mechanism.
11.3 Data Privacy Framework
As of the date of this DPA, CopyLoop is not self-certified under the DPF. In the event that CopyLoop obtains DPF self-certification, CopyLoop will use the Data Privacy Framework to lawfully receive Customer Personal Data in the United States and ensure that it provides at least the same level of protection to such Customer Personal Data as is required by the Data Privacy Framework Principles. CopyLoop will notify Customer if it is unable to comply with this requirement. CopyLoop will notify Customer when DPF self-certification is achieved. In the absence of a valid DPF self-certification by CopyLoop, the SCCs shall serve as the applicable transfer mechanism.
11.4 UK Data Transfers
With respect to transfers to which the UK Data Protection Laws apply, the SCCs shall, where applicable in accordance with Section 11.2, apply and shall be deemed amended as specified by the Approved Addendum. The Approved Addendum shall be deemed executed by the Parties and incorporated into and form an integral part of this DPA. In addition: Tables 1 to 3 in Part 1 of the Approved Addendum shall be deemed completed with the information set out in Schedule 1 and Schedule 2 of this DPA; and Table 4 in Part 1 of the Approved Addendum shall be deemed completed by selecting “neither party.”
11.5 Swiss Data Transfers
With respect to transfers to which the Swiss DPA applies, the SCCs shall, where applicable in accordance with Section 11.2, apply with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU,” “Union,” and “Member State law” shall be replaced with “Switzerland”; (iv) Clause 13(a) and Part C of Annex I shall be deleted; (v) references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner” and “relevant courts in Switzerland”; (vi) Clause 17 shall be replaced to state “The Clauses are governed by the laws of Switzerland”; and (vii) Clause 18 shall be replaced to state “Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts.”
11.6 Compliance with the SCCs
The Parties agree that if CopyLoop cannot ensure compliance with the SCCs (where applicable), it shall promptly inform Customer of its inability to comply. If Customer intends to suspend the transfer of data and/or terminate the affected parts of the Services, it shall first provide notice to CopyLoop and provide CopyLoop with a reasonable period of time to cure such non-compliance, during which time CopyLoop and Customer shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required. Customer shall only be entitled to suspend the transfer of data and/or terminate the affected parts of the Services for non-compliance with the SCCs if CopyLoop has not or cannot cure the non-compliance within a reasonable period.
11.7 Alternative Transfer Mechanism
To the extent CopyLoop adopts an alternative lawful data transfer mechanism for the transfer of Customer Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Laws and extends to the countries to which Customer Personal Data is transferred).
12. Jurisdiction-Specific Terms
12.1 United States
To the extent that CopyLoop processes Customer Personal Data subject to US Data Protection Laws, the terms set forth in Schedule 5 (U.S. Addendum) shall apply.
12.2 Europe
To the extent that CopyLoop processes Customer Personal Data originating from and protected by European Data Protection Laws, the following additional terms apply:
(a) Objection to Sub-processors. Customer may object in writing to CopyLoop’s appointment of a new Sub-processor in accordance with Section 5.3 and Section 5.4 of this DPA.
(b) Government data access requests. As a matter of general practice, CopyLoop does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about CopyLoop accounts (including Customer Personal Data). If CopyLoop receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority for access to or information about a CopyLoop account belonging to a Customer whose primary contact information indicates the Customer is located in Europe, CopyLoop shall: (i) review the legality of the request; (ii) inform the government agency that CopyLoop is a processor of the data; (iii) attempt to redirect the agency to request the data directly from Customer; (iv) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy; and (v) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. CopyLoop shall not be required to comply with this paragraph if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or public safety.
12.3 Canada
To the extent that CopyLoop processes Customer Personal Data subject to PIPEDA, CopyLoop takes steps to ensure that CopyLoop’s Sub-processors are third parties under PIPEDA, with whom CopyLoop has entered into a written contract that includes terms substantially similar to this DPA. CopyLoop shall implement technical and organizational measures as set forth in Section 6 and Schedule 2 of this DPA.
13. Limitation of Liability
13.1 Each Party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
13.2 Any claims made against CopyLoop or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.
13.3 In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
14. General
14.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
14.2 This DPA and the Agreement set forth the entire agreement between the Parties with respect to the subject matter of this DPA. This DPA shall replace any existing data processing agreement or similar document that the Parties may have previously entered into in connection with the Services.
14.3 No one other than a Party to this DPA, its successors, and permitted assignees shall have any right to enforce any of its terms.
14.4 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
14.5 CopyLoop’s mailing address for notices under this DPA is:
Member Loop, LLC d/b/a CopyLoop
439 US Route 1, Suite A, York, ME 03909, USA
Email: privacy@copyloop.com
Schedule 1 — Details of Processing
Part 1: List of Parties
1. Data Exporter
Customer and/or the Customer Affiliates. Customer and Customer Affiliate’s contact person’s position and contact details, as well as (if appointed) the data protection officer’s and (if relevant) the representative’s contact details, will be as set forth in the Agreement or as notified to CopyLoop via email to privacy@copyloop.com.
The activities relevant to the data transfer under these Clauses are defined by the Agreement, and the data exporter decides on the scope of the processing of Personal Data in connection with the Services, further described in this Schedule 1 and in the Agreement.
2. Data Importer
Member Loop, LLC d/b/a CopyLoop
439 US Route 1, Suite A, York, ME 03909, USA
The data importer’s contact person can be contacted at privacy@copyloop.com.
The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes Personal Data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in this Schedule 1 and in the Agreement.
Part 2: Description of Transfer
1. Categories of Data Subjects
The categories of data subjects whose Personal Data is processed include:
(a) Workspace Members: Individual end users with access to a CopyLoop workspace account, including Customer’s employees, contractors, and agents who use the platform to create, edit, and manage content.
(b) Contacts/Subscribers: Individuals whose Personal Data is uploaded, imported, or otherwise provided to CopyLoop by Customer or on Customer’s behalf, including email marketing contacts, CRM contacts, subscribers, and other individuals who are recipients of marketing communications or other outreach by Customer.
2. Categories of Personal Data
Customer may upload, submit, or otherwise provide certain Personal Data to the Services, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of Personal Data:
(a) Workspace Members: Identification and contact data (name, email address, username, login credentials); role and access level within the workspace; usage and activity data within the platform.
(b) Contacts/Subscribers: Identification and contact data (name, email address, mailing address, phone number); demographic information (job title, company name, industry, geographic location); marketing preferences and subscription status; engagement data (email opens, clicks, bounces, unsubscribes); CRM data synced from third-party platforms (Salesforce, HubSpot, or similar); custom fields and tags as configured by Customer; IP addresses, device data, browser data, and online navigation data collected in connection with email tracking and engagement analytics.
3. Sensitive Data (if applicable)
CopyLoop does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Services. Customer is prohibited from providing Sensitive Data pursuant to Section 3.4 of this DPA.
4. Frequency of Processing
Continuous and as determined by Customer’s use and configuration of the Services.
5. Subject Matter and Nature of the Processing
CopyLoop provides an AI-powered brand voice content generation platform, email marketing platform, and related services, as more particularly described in the Agreement. Customer Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain, and improve the Services provided to Customer pursuant to the Agreement;
- AI-powered content generation and brand voice analysis using Customer-provided documents and content;
- Generation of text embeddings and vector representations for retrieval-augmented generation (RAG) and content similarity matching;
- Email campaign creation, sending, and delivery tracking;
- Contact management, segmentation, and list processing;
- CRM data synchronization with third-party platforms as configured by Customer;
- Engagement analytics and reporting (email opens, clicks, bounces, unsubscribes);
- Automation rule processing (triggers, actions, and scheduling);
- Disclosures in accordance with the Agreement and/or as compelled by applicable law.
6. Purpose of the Processing
CopyLoop shall only process Customer Personal Data for the following purposes (the "Permitted Purposes"): (i) processing as necessary to provide the Services in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Services; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
7. Duration of Processing
CopyLoop will process Customer Personal Data as outlined in Section 9 (Data Retention and Deletion) of this DPA.
Part 3: Competent Supervisory Authority
Where the data exporter is established in an EU Member State: the supervisory authority of the country in which the data exporter is established shall be the competent authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: the competent supervisory authority shall be the one of the Member State in which the representative is established.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: the competent supervisory authority shall be the Irish Data Protection Commission (https://www.dataprotection.ie/).
Schedule 2 — Technical and Organizational Measures
CopyLoop has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
1. Organizational Security Management
Dedicated staff responsible for the development, implementation, and maintenance of CopyLoop’s information security program, including defined roles, responsibilities, and reporting structures.
2. Audit and Risk Assessment
Procedures for periodic review and assessment of risks to CopyLoop’s organization, monitoring and maintaining compliance with CopyLoop’s policies and procedures, and reporting the condition of its information security and compliance to internal management. CopyLoop aspires to obtain SOC 2 Type 2 and/or ISO 27001 certification and will notify Customer when such certifications are achieved.
3. Encryption
(a) Customer Personal Data transmitted over public networks (i.e., the internet) is encrypted using industry-standard TLS 1.2 or higher.
(b) Customer Personal Data at rest is encrypted using AES-256 or equivalent encryption, including database storage (AWS RDS encryption), file storage (AWS S3 server-side encryption), and backup storage.
4. Access Controls
(a) Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, including granting access on a need-to-know and least-privilege basis.
(b) Use of unique identifiers and passwords for all users, with periodic review and prompt revocation or modification of access when employment terminates or job functions change.
(c) Multi-factor authentication (MFA) required for access to production infrastructure and administrative systems.
(d) Role-based access control (RBAC) within the application, with multi-tenant workspace isolation enforced at the database level through row-level security (RLS) policies.
5. Password Controls
Password controls designed to manage and control password strength, including requirements for minimum length, complexity, and prohibition of password reuse.
6. Audit Logging and Monitoring
System audit and event logging procedures to record user access and system activity, including security-relevant events, for routine review and incident investigation.
7. Physical and Environmental Security
CopyLoop’s production infrastructure is hosted on Amazon Web Services (AWS), which maintains physical and environmental security controls for its data centers, including physical access restrictions, monitoring, and protection against environmental hazards. AWS’s security practices are described in AWS’s compliance documentation available at https://aws.amazon.com/compliance/.
8. Operational Procedures
Operational procedures and controls for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal standards, including secure disposal of systems and media.
9. Change Management
Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to CopyLoop’s technology and information assets.
10. Incident and Problem Management
Incident management procedures designed to allow CopyLoop to investigate, respond to, mitigate, and notify of events related to CopyLoop’s technology and information assets, including a defined incident response plan with escalation procedures.
11. Network Security
Network security controls that provide for the use of firewall systems, virtual private cloud (VPC) isolation, security groups, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12. Vulnerability Management
Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
13. Business Continuity and Disaster Recovery
Business resiliency, continuity, and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters, including automated backups, multi-availability-zone deployment, and infrastructure-as-code reproducibility.
14. Data Isolation
Multi-tenant data isolation enforced at the database level through PostgreSQL row-level security (RLS) policies, ensuring that each Customer workspace’s data is logically separated from all other Customer workspaces’ data. Application-level access controls provide defense in depth.
15. Sub-processor Security
CopyLoop requires its Sub-processors to maintain appropriate technical and organizational security measures. CopyLoop conducts appropriate due diligence on its Sub-processors and ensures that written agreements with data protection obligations are in place.
Schedule 3 — Sub-processors
The following is a list of CopyLoop’s current Sub-processors as of the date of this DPA. An up-to-date list is maintained at https://copyloop.com/legal/subprocessors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure hosting, compute (ECS Fargate), database (RDS PostgreSQL), caching (ElastiCache), object storage (S3), content delivery (CloudFront), email sending (SES), secrets management, monitoring (CloudWatch) | United States |
| Anthropic, PBC | AI content generation (Claude language models) | United States |
| Voyage AI, Inc. | Text embeddings for vector search and retrieval-augmented generation | United States |
| Qdrant Solutions GmbH | Vector database storage for content similarity and RAG | Germany / United States |
| Stripe, Inc. | Payment processing and billing | United States |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance tracking | United States |
| PostHog, Inc. | Product analytics and usage tracking | United States |
| Cloudflare, Inc. | SSL certificate issuance and request proxying for customer email tracking domains | United States |
| Firecrawl, Inc. | Web page crawling and content extraction for document processing | United States |
CopyLoop will provide at least fifteen (15) days’ advance notice before adding or replacing any Sub-processor, as described in Section 5.3 of this DPA.
Schedule 4 — Standard Contractual Clauses
For the purposes of the Standard Contractual Clauses:
1. Module Two shall apply where Customer is a controller and CopyLoop is a processor (as described in Section 3.1(a)(i) of the DPA). Module Three shall apply where Customer is a processor and CopyLoop is a sub-processor (as described in Section 3.1(a)(ii) of the DPA).
2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
3. Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is fifteen (15) days as set forth in Section 5.3 of the DPA.
4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option one shall apply. The Parties agree that the governing law shall be the law of the Republic of Ireland.
6. In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.
7. For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of this DPA contains the specifications regarding the Parties, the description of transfer, and the competent supervisory authority.
8. For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of this DPA contains the technical and organizational measures.
9. The specifications for Annex III of the Standard Contractual Clauses are determined by Section 5.1 and Schedule 3 of the DPA.
Schedule 5 — U.S. Addendum
As stipulated in Section 12.1 of the DPA, this U.S. Addendum shall apply to any processing of Customer Personal Data subject to US Data Protection Laws.
1. CCPA Definitions
Except as described otherwise, for the purposes of this Schedule 5 the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA. The terms “sell,” “share,” “Business Purpose,” and “Commercial Purpose” shall take their meanings as defined in the CCPA.
2. Role Under US Data Protection Laws
If and to the extent that CopyLoop acts as a processor when processing Customer Personal Data as set forth in Section 3 of the DPA, then CopyLoop shall take the same processing role as applicable under all US Data Protection Laws other than the CCPA. With respect to Personal Data subject to the CCPA, the Parties agree and acknowledge that CopyLoop acts as a “Service Provider” under the CCPA.
3. Prohibited Activities
To the extent required by US Data Protection Laws, CopyLoop is prohibited from:
(a) Selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration;
(b) Sharing Customer Personal Data with any third party for cross-context behavioral advertising;
(c) Retaining, using, or disclosing Customer Personal Data for any purpose other than for the Permitted Purposes specified in this DPA and the Agreement, or as otherwise permitted by US Data Protection Laws;
(d) Retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties; and
(e) Except as otherwise permitted by US Data Protection Laws, combining Customer Personal Data with Personal Data that CopyLoop receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.
4. Data Subject Rights Under US Laws
CopyLoop’s obligations regarding Data Subject Requests, as described in Section 8 of this DPA, extend to rights requests under US Data Protection Laws. CopyLoop shall provide the same level of protection to Customer Personal Data as required by the CCPA and will: (i) assist Customer in responding to any request from a consumer (as defined under US Data Protection Laws) to exercise rights under US Data Protection Laws; and (ii) promptly notify Customer if it determines that it can no longer meet its obligations under US Data Protection Laws.
5. Sub-processor Compliance
Where Sub-processors process Customer Personal Data, CopyLoop takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom CopyLoop has entered into a written contract that includes terms substantially similar to this Schedule 5, or are otherwise exempt from the CCPA.
6. Customer Rights
Customer may take such reasonable and appropriate steps as may be necessary (a) to ensure that Customer Personal Data collected is used in a manner consistent with Customer’s obligations under the CCPA; (b) to stop and remediate any unauthorized use of Customer Personal Data; and (c) to ensure that any relevant Personal Data is used in a manner consistent with the CCPA.
7. De-identification
Notwithstanding any use restriction contained elsewhere in this DPA, CopyLoop may de-identify or aggregate Customer Personal Data as part of performing the Services specified in this DPA and the Agreement, provided such de-identification or aggregation is performed in compliance with US Data Protection Laws.
Schedule 6 — Supplementary Measures for International Transfers
CopyLoop commits to implementing the following supplementary measures to enhance the protection of Customer Personal Data in relation to processing in a third country:
1. Additional Technical Measures
1.1 Customer Personal Data is transmitted between the Parties and by CopyLoop between data centers, as well as to Sub-processors and back, using strong encryption (TLS 1.2 or higher).
1.2 Customer Personal Data at rest is stored by CopyLoop using strong encryption (AES-256 or equivalent).
2. Additional Organizational Measures
2.1 Adoption of adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels, and standard operating procedures for cases of formal or informal requests from public authorities to access the data.
2.2 Development of specific training procedures for personnel in charge of managing requests for access to Personal Data from public authorities, which are periodically updated to reflect new legislative and jurisprudential developments.
2.3 Regular review of internal policies to assess the suitability of the implemented complementary measures and to identify and implement additional or alternative solutions when necessary.
3. Additional Contractual Measures
3.1 Transparency obligations. CopyLoop declares that (a) it has not purposefully created back doors or similar programming that could be used to access the system and/or Personal Data; (b) it has not purposefully created or changed its business processes in a manner that facilitates access to Personal Data or systems; and (c) national law or government policy does not require CopyLoop to create or maintain back doors or to facilitate access to Personal Data or systems, or for CopyLoop to be in possession of or to hand over any encryption key.
3.2 Obligations to take specific actions. In case of any order to disclose or to grant access to Customer Personal Data, CopyLoop commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for CopyLoop.
4. Obligations in Case of Government Access Requests
4.1 CopyLoop shall promptly inform Customer:
(a) Of any legally binding requests from a law enforcement or other government authority ("Public Authority") to disclose Customer Personal Data, including information about the data requested, the requesting authority, the legal basis for the request, and the response provided. Such notification shall occur prior to the disclosure of any Customer Personal Data in response to such requests, unless CopyLoop is legally prohibited from doing so.
(b) If it becomes aware of any direct access by Public Authorities to Customer Personal Data in accordance with the laws of the country of destination.
(c) If CopyLoop is prohibited from notifying Customer, CopyLoop agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible.
4.2 CopyLoop agrees to review, under the laws of the country of destination, the legality of the Public Authority’s request, and to exhaust all available remedies to challenge the request if, after careful assessment, CopyLoop concludes that there are grounds to do so under the laws of the country of destination.
4.3 CopyLoop agrees to preserve the information required to comply with this Schedule 6 for the duration of the Agreement and, unless prohibited by applicable law, make it available to the competent supervisory authority upon request and when required by applicable law.