Data Processing Agreement
Last updated: 3 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", the controller) and Andrew James Finlayson trading as Unblot ("unblot", the processor). It applies where unblot processes personal data of your contacts on your behalf.
1. Definitions
"Controller", "Processor", "Personal Data", "Data Subject", "Processing" and "Sub-processor" have the meanings given under applicable data protection law (including the GDPR where it applies).
2. Roles & scope of processing
- Roles: Customer is the controller; unblot is the processor.
- Subject matter: providing the unblot Service.
- Duration: for the term of the Terms of Service.
- Nature & purpose: reading engagement data to score profiles, and suppressing/unsuppressing profiles at the Customer's direction.
- Types of personal data: contact identifiers, email addresses, and engagement/order event data held in the Customer's Klaviyo account.
- Categories of data subjects: the Customer's email/SMS marketing contacts.
3. unblot's obligations
- Process personal data only on the Customer's documented instructions (including those given through the Service), unless required by law.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see our Security overview).
- Assist the Customer, where reasonable, with data-subject requests, security, breach notification, and data-protection impact assessments.
- Delete or return personal data at the end of the Service, except where retention is legally required.
- Make available information reasonably necessary to demonstrate compliance.
4. Sub-processors
The Customer authorises unblot to engage the sub-processors listed below to process personal data. unblot imposes data-protection obligations on each sub-processor and remains responsible for their performance. We will give reasonable notice of any new or replacement sub-processor so the Customer may object on reasonable data-protection grounds.
Current sub-processors
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Amazon Web Services | Cloud hosting, storage & compute | All Service data, incl. processed contact data | Australia (ap-southeast-2) |
| Clerk | Authentication / account management | Account data (your name, email) | United States |
| Stripe | Payment processing | Billing data | United States / global |
| PostHog | Product analytics | Usage & event data, account identifiers | European Union |
| Sentry | Error monitoring | Error & diagnostic data, account identifiers | United States |
Planned (not yet active): transactional email via Amazon SES. We will update this list before it is enabled.
5. International transfers
Where a sub-processor processes personal data outside Australia or the EEA/UK, the transfer is made under an appropriate safeguard such as Standard Contractual Clauses.
6. Data-subject requests
If unblot receives a request from a data subject relating to Customer data, we will direct them to the Customer and assist the Customer in responding, taking into account the nature of the processing.
7. Personal data breach
unblot will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data, with information reasonably available to assist the Customer's own obligations.
8. Deletion or return
On termination, unblot will delete Customer personal data within a reasonable period, except where retention is required by law. The Customer can also delete data at any time via the Service (account deletion / disconnecting Klaviyo).
9. Audits
unblot will make available information reasonably necessary to demonstrate compliance with this DPA and contribute to audits on reasonable notice, subject to confidentiality.
10. Liability & governing law
Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of South Australia, Australia.
11. Contact
Data protection enquiries: support@unblot.com.