About FAQ Contact
Sign In

Data Processing Addendum (DPA)

Last Update Date
December 21, 2025

Between

Countable Services Group, Inc. (“CSG,” “Actionable,” or “Processor”)
3871 Piedmont Ave, #364
Oakland, CA 94611
support@myactionable.com

and

“Customer” or “Controller”

This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the agreement between CSG and Customer (the “Agreement”) governing Customer’s use of the Actionable Platform and related services (collectively, the “Services”).

1. Purpose and Scope

1.1 This DPA governs CSG’s processing of personal data on behalf of the Customer in connection with the Services.

1.2 The parties acknowledge that, for purposes of applicable data protection laws:

  • Customer acts as the Data Controller (under GDPR) and/or Business (under CCPA/CPRA).
  • CSG acts as the Data Processor (under GDPR) and/or Service Provider (under CCPA/CPRA).

1.3 Both parties agree to comply with all applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act (CPRA), and any similar or successor laws.

2. Definitions

For purposes of this DPA:

  • “Data Protection Laws” means all laws and regulations relating to privacy and data protection that apply to the processing of Personal Data under this DPA.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by CSG on behalf of the Customer under the Agreement.
  • “Processing,” “Controller,” “Processor,” “Data Subject,” and “Supervisory Authority” shall have the meanings given in applicable Data Protection Laws.
  • “Sub-Processor” means any third party engaged by CSG to assist in processing Personal Data.

3. Roles and Responsibilities

3.1 Customer’s Responsibilities.

Customer determines the purposes and means of processing Personal Data and ensures that:

  • all Personal Data provided to CSG has been collected lawfully;
  • Customer has obtained all necessary consents and provided all required notices to Data Subjects; and
  • all processing instructions to CSG comply with applicable Data Protection Laws.

3.2 CSG’s Responsibilities.

CSG shall:

  • process Personal Data only on documented instructions from Customer;
  • not retain, use, or disclose Personal Data for any purpose other than providing the Services or as required by law; and
  • comply with all applicable Data Protection Laws in performing its obligations.

4. Processing of Personal Data

4.1 Nature and Purpose of Processing.

CSG processes Personal Data to host, maintain, support, and improve the Actionable Platform and provide related services such as analytics, communications, campaign management, and data storage.

4.2 Categories of Data Subjects.

May include individuals who visit, register, or interact with Customer’s campaigns, petitions, or digital experiences via the Platform.

4.3 Types of Personal Data.

May include contact information (name, email, phone), demographic information, communications, campaign actions, device identifiers, IP addresses, and cookies.

4.4 Duration.

Personal Data will be processed for the duration of the Agreement and retained thereafter only as required by law or necessary for legitimate business purposes consistent with this DPA.

5. Sub-Processors

5.1 Customer authorizes CSG to engage Sub-Processors to provide hosting, analytics, messaging, and related technical services.

5.2 CSG shall maintain a list of Sub-Processors, available upon request, and will notify Customer of material changes to that list.

5.3 CSG shall enter into written agreements with all Sub-Processors that impose data protection obligations no less protective than those set forth in this DPA.

6. Security Measures

6.1 CSG shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or disclosure, including:

  • encryption of data in transit and at rest;
  • access controls and authentication;
  • network firewalls and intrusion detection;
  • data backup and recovery procedures; and
  • regular security assessments and employee training.

6.2 Upon Customer’s written request, CSG shall provide a summary of its security policies and third-party audit certifications (e.g., SOC 2 or equivalent).

7. Data Subject Rights

7.1 CSG shall, to the extent legally permitted, assist Customer in responding to requests from Data Subjects to exercise rights under applicable Data Protection Laws (e.g., access, correction, deletion, or portability).

7.2 If CSG receives a Data Subject request directly, it shall promptly forward the request to the Customer and not respond except as directed or required by law.

8. Data Breach Notification

8.1 In the event of a Personal Data Breach, CSG shall:

  • notify Customer without undue delay after becoming aware of the breach;
  • provide reasonable information about the nature and impact of the breach; and
  • cooperate in investigating, mitigating, and remediating the breach.

8.2 Customer shall be responsible for notifying Data Subjects or regulators unless otherwise agreed.

9. Data Transfers

9.1 CSG stores and processes data primarily in the United States.

9.2 For international data transfers from the European Economic Area (EEA), the United Kingdom, or Switzerland, CSG agrees to implement the Standard Contractual Clauses (SCCs) approved by the European Commission (or their successor mechanism).

9.3 Where applicable, both parties agree to comply with any additional transfer impact assessments or supplementary measures required by law.

10. Deletion or Return of Data

Upon termination or expiration of the Agreement, CSG shall, at Customer’s request, delete or return all Personal Data in its possession, except as required by law to retain certain records. Aggregated or anonymized data may be retained indefinitely.

11. Audits and Certifications

Upon reasonable written notice, CSG shall make available to Customer information necessary to demonstrate compliance with this DPA and, where appropriate, allow for audits or inspections conducted by Customer or a mutually agreed third-party auditor, subject to confidentiality and reasonable limitations.

12. CCPA / CPRA-Specific Provisions

For California data subjects, the parties agree that:

  • CSG acts as a Service Provider to Customer;
  • CSG will not sell or share Personal Information (as defined by the CCPA/CPRA);
  • CSG will not retain, use, or disclose Personal Information outside the direct business relationship with Customer; and
  • CSG certifies its understanding and compliance with these restrictions.

13. Liability and Indemnification

Each party’s liability arising from this DPA is subject to the limitations of liability set forth in the Agreement.

Customer agrees to indemnify CSG against claims arising from Customer’s unlawful or unauthorized instructions or failure to comply with applicable data protection laws.

14. Governing Law

This DPA is governed by the laws of the State of Delaware, without regard to conflict-of-law principles, except to the extent Data Protection Laws require otherwise.

15. Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to data protection obligations.

actionable is made with ❤️ by CSAG.
About FAQ Contact Legal
© CSAG