Engageo

Data Processing Agreement

Effective date: May 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Engageo ("Processor," "we," "us") and you ("Controller," "you," "your") and governs the processing of personal data by Engageo on your behalf.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Data Controller" means you, the entity that determines the purposes and means of Processing Personal Data.
  • "Data Processor" means Engageo, which processes Personal Data on behalf of the Data Controller.
  • "Sub-processor" means any third party engaged by Engageo to process Personal Data on behalf of the Data Controller.
  • "Data Subject" means the individual whose Personal Data is being processed.
  • "Applicable Data Protection Laws" means the GDPR, CCPA, and any other applicable privacy and data protection laws.

2. Scope and Purpose of Processing

Engageo processes Personal Data on your behalf solely to provide the Service as described in the Terms of Service. This includes:

  • Storing and managing your contacts and their information
  • Sending emails, SMS messages, and other communications on your behalf
  • Publishing social media content on your behalf
  • Managing appointments and calendar data
  • Processing form submissions and landing page interactions
  • Running automations and workflows you configure

Categories of data subjects

Your contacts, leads, customers, and any other individuals whose data you upload to or collect through the Service.

Types of personal data

Names, email addresses, phone numbers, mailing addresses, custom fields you define, communication history, form submission data, appointment data, and any other data you choose to store in the Service.

3. Controller Responsibilities

As the Data Controller, you are responsible for:

  • Ensuring you have a lawful basis for collecting and processing Personal Data
  • Obtaining necessary consents from Data Subjects
  • Providing appropriate privacy notices to Data Subjects
  • Complying with all applicable data protection laws in your use of the Service
  • Ensuring that SMS recipients have provided opt-in consent before you send them messages
  • Honoring unsubscribe and opt-out requests from your contacts

4. Processor Obligations

As the Data Processor, Engageo shall:

  • Process Personal Data only on your documented instructions (which are the instructions provided through your use of the Service)
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures (see Section 5)
  • Assist you in responding to Data Subject requests (access, deletion, portability, etc.)
  • Assist you in ensuring compliance with data protection impact assessments and prior consultations, where required
  • Delete or return all Personal Data upon termination of the Service, at your election
  • Make available to you all information necessary to demonstrate compliance with this DPA
  • Not process Personal Data for any purpose other than providing the Service

5. Security Measures

Engageo implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Sensitive fields (such as access tokens for connected accounts) are encrypted using AES-256-GCM.
  • Access control: Row-level security ensures that each workspace's data is isolated. Role-based access controls restrict what each user can access.
  • Audit logging: All write actions within the Service are logged with the actor, target, timestamp, and change details.
  • Password security: Passwords are hashed using bcrypt. We support two-factor authentication (TOTP).
  • Infrastructure: Our production environment is hosted on dedicated servers with encrypted storage, regular security updates, and network-level protections.
  • Vulnerability management: We regularly scan dependencies for known vulnerabilities and apply patches promptly.
  • Incident response: We maintain an incident response plan and will notify you of any data breach within the timeframes required by applicable law (see Section 7).

6. Sub-processors

You authorize Engageo to engage the following categories of Sub-processors to assist in providing the Service:

  • Postmark (ActiveCampaign, LLC): Email delivery
  • Twilio Inc.: SMS, voice, and WhatsApp message delivery
  • Stripe, Inc.: Payment processing
  • Hetzner Online GmbH: Cloud infrastructure and object storage
  • Sentry (Functional Software, Inc.): Error monitoring (may process IP addresses and user agent strings)

We will notify you before adding or replacing any Sub-processor by updating the list on this page and sending an email notification at least 30 days in advance. If you object to a new Sub-processor, you may terminate the affected services.

Each Sub-processor is bound by a data processing agreement that imposes data protection obligations no less protective than those in this DPA.

7. Data Breach Notification

In the event of a Personal Data breach, Engageo will:

  • Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable you to meet any obligations to report the breach to supervisory authorities or Data Subjects
  • Take reasonable steps to mitigate the effects of the breach and minimize any damage
  • Cooperate with you and provide assistance in investigating and remediating the breach

8. Data Subject Rights

Engageo provides self-service tools in the platform to help you respond to Data Subject requests:

  • Access and portability: You can export contact data and all associated records from the Service at any time.
  • Rectification: You can update contact information directly in the Service.
  • Erasure: You can delete individual contacts or your entire account. Account deletion removes all associated data within 30 days.

If we receive a request directly from one of your Data Subjects, we will redirect them to you unless legally required to respond directly.

9. Data Return and Deletion

Upon termination of the Service or upon your written request, Engageo will:

  • Provide you with the ability to export all your data in a standard, machine-readable format
  • Delete all Personal Data from our systems within 30 days of account closure, except where retention is required by law
  • Confirm deletion in writing upon your request

10. International Transfers

Personal Data is primarily stored and processed within the European Economic Area (Hetzner, Germany). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

11. Duration

This DPA remains in effect for the duration of your use of the Service. Obligations relating to data deletion and confidentiality survive termination.

12. Amendments

We may update this DPA to reflect changes in law, our Sub-processors, or our practices. Material changes will be communicated with at least 30 days' notice. Continued use of the Service after the effective date of changes constitutes acceptance.

13. Contact

For questions about this DPA or to exercise any rights under it, contact us at:

Engageo
Data Protection Officer: [email protected]
Legal: [email protected]