v2026.02.28

This Data Processing Addendum ("DPA") forms part of the agreement between Giftpack, Inc. ("Giftpack") and the customer, user, partner, or organization that submits personal data to Giftpack or uses the Giftpack services ("Customer"). This DPA applies where Giftpack processes personal data on behalf of Customer as a processor, service provider, contractor, or similar role under applicable Data Protection Laws. This DPA may be accepted by signing an order form, accepting the Terms of Service, clicking acceptance in the platform, submitting recipient data, approving a campaign, or using services that involve processing personal data on Customer’s behalf. A separately signed data processing agreement will supersede this online DPA to the extent of conflict.
“Data Protection Laws” means privacy, data protection, and security laws applicable to the processing of Customer Personal Data, which may include the GDPR, UK GDPR, Swiss Federal Act on Data Protection, CCPA/CPRA, and other applicable laws.
“Customer Personal Data” means personal data, personal information, or similar regulated data that Customer provides to Giftpack or makes available to Giftpack for processing on Customer’s behalf.
“GDPR” means Regulation (EU) 2016/679. “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act and implementing regulations.
Terms such as controller, processor, business, service provider, contractor, personal data, personal information, process, and data subject have the meanings given under applicable Data Protection Laws.
For Customer Personal Data processed in connection with customer-managed campaigns, recipient workflows, order fulfillment, platform administration, reporting, and related services, Customer is the controller or business and Giftpack is the processor, service provider, contractor, or similar role. Giftpack may process certain data as an independent controller or business for account administration, security, fraud prevention, analytics, legal compliance, service improvement, billing, and internal operations as described in the Privacy Policy.
Giftpack will process Customer Personal Data only on Customer’s documented instructions, including this DPA, the Terms of Service, the applicable order form, Campaign Order, platform configuration, customer instructions submitted through the services, and other written instructions agreed by the parties, unless required by law. Giftpack will inform Customer if Giftpack believes an instruction violates Data Protection Laws, unless prohibited by law.
The subject matter, duration, nature, purpose, personal data categories, and data subject categories are described in Annex A. Customer is responsible for ensuring that Customer’s instructions are lawful and that Customer has provided required notices and obtained required rights, permissions, consents, and lawful bases for Giftpack to process Customer Personal Data.
Giftpack will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or professional duties of confidentiality and receive appropriate instructions regarding data handling.
Giftpack will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, disclosure, or access. Current security measures are described in Annex B and on Giftpack’s Security page. Giftpack may update security measures from time to time, provided updates do not materially reduce the overall protection of Customer Personal Data.
Customer authorizes Giftpack to use subprocessors to provide and support the services. Giftpack will impose written data protection obligations on subprocessors that are substantially similar to those in this DPA to the extent applicable to the subprocessor’s services. Giftpack remains responsible for subprocessor processing to the extent required by Data Protection Laws. Giftpack will make information about subprocessors available upon request or through a trust, security, or privacy channel. Customer may object to a new subprocessor on reasonable data protection grounds within a reasonable period after notice where notice is provided.
Giftpack will notify Customer without undue delay after becoming aware of a confirmed security incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed on Customer’s behalf. Giftpack will provide information reasonably available to Giftpack to help Customer meet its breach notification obligations. Notification is not an admission of fault or liability.
Taking into account the nature of the processing, Giftpack will provide reasonable assistance to Customer, through appropriate technical and organizational measures where feasible, to help Customer respond to data subject, consumer, or privacy rights requests under applicable Data Protection Laws. If Giftpack receives a request directly from an individual relating to Customer Personal Data, Giftpack may refer the individual to Customer unless legally required to respond otherwise.
Giftpack will provide reasonable assistance to Customer with data protection impact assessments, prior consultations, cybersecurity assessments, and other compliance obligations where required by Data Protection Laws and where the requested assistance relates to Giftpack’s processing of Customer Personal Data. Giftpack may charge reasonable fees for assistance that exceeds standard support unless prohibited by applicable law or agreed otherwise.
Upon termination of the services or upon Customer’s written request, Giftpack will delete or return Customer Personal Data in accordance with the agreement, platform functionality, and applicable law. Giftpack may retain Customer Personal Data as required by law, for legitimate business records, fraud prevention, security, dispute resolution, tax, accounting, compliance, or backup purposes, provided retained data remains protected under this DPA until deletion.
Giftpack will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by Data Protection Laws, Customer may request an audit or assessment of Giftpack’s relevant controls. Audits must be reasonable in scope, frequency, timing, and confidentiality, and may be satisfied through SOC 2 reports, security questionnaires, certifications, summaries, or other appropriate documentation. On-site audits require advance written notice, reasonable scope, and Giftpack’s security and confidentiality approval.
Customer authorizes Giftpack and its subprocessors to process Customer Personal Data in the United States and other jurisdictions where Giftpack or subprocessors operate. Where Customer Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, the parties will use appropriate transfer mechanisms, which may include the Standard Contractual Clauses, the UK Addendum, or other lawful transfer mechanisms as applicable. The parties agree that the applicable SCCs are incorporated by reference where required, with Giftpack as data importer and Customer as data exporter, unless the facts require a different configuration.
Where the CCPA applies, Giftpack will process Customer Personal Data as a service provider or contractor for the business purposes described in Annex A. Giftpack will not: sell or share Customer Personal Data; retain, use, or disclose Customer Personal Data for purposes other than the business purposes specified in the agreement or as otherwise permitted by the CCPA; retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by the CCPA; or combine Customer Personal Data with personal information received from other sources except as permitted by the CCPA. Giftpack will comply with applicable CCPA obligations for service providers and contractors and will notify Customer if Giftpack determines it can no longer meet those obligations.
Giftpack may process de-identified, aggregated, or anonymized data for analytics, benchmarking, product improvement, service reliability, and business operations, provided such data does not identify Customer or any individual and is handled in accordance with applicable law.
If this DPA conflicts with the agreement, this DPA controls with respect to the processing of Customer Personal Data. If SCCs are required and conflict with this DPA, the SCCs control to the extent required by law.
| Field | Details |
|---|---|
| Subject Matter | Giftpack’s provision of platform, gifting, rewards, sourcing, campaign management, recipient engagement, fulfillment coordination, donation/impact allocation, reporting, support, and related services. |
| Duration | For the term of the agreement and as otherwise required for retention, deletion, legal compliance, dispute resolution, and backup. |
| Nature and Purpose | Hosting, storing, organizing, transmitting, displaying, analyzing, securing, supporting, fulfilling, shipping, communicating, reporting, troubleshooting, and otherwise processing Customer Personal Data to provide the services. |
| Data Subjects | Customer administrators, authorized users, employees, recipients, end users, purchasers, donors, supplier contacts, beneficiary contacts, and other individuals whose data is submitted to Giftpack. |
| Personal Data Categories | Name, business contact information, personal contact information where provided, delivery address, email, phone number, company, job title, account credentials, campaign information, gift preferences, messages, redemption activity, order details, payment metadata, delivery status, support communications, device/log data, and other data submitted through the services. |
| Sensitive Data | Giftpack does not require Customer to submit sensitive personal data unless expressly supported and approved in writing. Customer must not submit sensitive data unless authorized under the agreement and applicable law. |
| Customer Obligations | Customer is responsible for lawful basis, notices, permissions, data accuracy, campaign eligibility, and instructions. |
Giftpack maintains measures designed to protect Customer Personal Data, including cloud infrastructure controls, encryption in transit and at rest, role-based access controls, least-privilege practices, internal confidentiality obligations, security awareness, logging and monitoring, vulnerability scanning and periodic testing, incident response processes, backup and disaster recovery practices, change management, vendor and subprocessor review, and physical, administrative, and technical safeguards appropriate to the nature of the services. Giftpack’s public Security page provides a high-level overview and may be updated from time to time.