Station Brand Data Processing Agreement (Brand DPA)

Last Updated: June 1st 2025

Note for Creators: This Data Processing Agreement is specifically for Brands acting as Data Processors for Drop Station as Data Controller. For Podcasters using the Service, a separate Standard Data Processing Agreement for Creators (‘Creator DPA’) will be required, where Drop Station acts as the Data Processor for the Creators’ customer data.

This Standard Data Processing Agreement for Brands ("Brand DPA") is entered into between Drop Station Inc. ("Drop Station," acting as Data Processor), a corporation organized under the laws of Delaware, with its principal place of business in Tennessee, and the Brand ("Data Controller"), effective from the moment the Brand creates an account on the Drop Station platform. It governs the processing of Personal Data provided by the Brand to Drop Station for the purpose of running co-branded campaigns, solely branded campaigns, contests, communities, promo code landing pages, account setups, or other engagement activities with or without podcasters on the Drop Station platform.

This Agreement ensures compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws. It is an extension of Drop Station's Terms of Service and Privacy Policy, which remain in full effect unless explicitly modified herein. The Brand DPA prevails to the extent necessary to ensure compliance with Data Protection Legislation. Drop Station may act as a Data Controller for its own use of Personal Data for platform services, as outlined in the Privacy Policy.

1. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set forth below:

• "Agreement": This Standard Data Processing Agreement for Brands, including its preamble and all subsequent clauses.

• "Effective Date": The date the Brand account is created, making this Agreement binding.

• "Controller" or "Brand": The Brand utilizing the Drop Station platform to run co-branded campaigns, contests, communities, or engagement activities with podcasters, determining the purposes and means of processing Personal Data for its activities.

• "Data Processor" or "Drop Station": Drop Station Inc., processing Personal Data on behalf of the Brand for co-branded campaigns and related activities, and acting as a Data Controller for its own platform services as specified in the Privacy Policy.

• "Data Protection Legislation": Includes, but is not limited to, GDPR, European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC), the CCPA, and any legislation implementing or replacing them.

• "Data Subject": An identified or identifiable natural person whose Personal Data is processed.

• "Personal Data": Any information relating to a Data Subject processed through the Drop Station platform, as defined in the Drop Station Privacy Policy, including survey responses, contest entries, or community interaction data collected during co-branded campaigns.

• "Processing": Any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, or deletion.

• "Good Industry Practice": Exercising skill, expertise, and judgment equivalent to a skilled provider, complying with Data Protection Legislation and standards like ISO/IEC 27001.

• "Appropriate Technical and Organizational Measures": Measures ensuring security appropriate to the risk, as detailed in Section 6.

• "Subprocessor": Any third party appointed by Drop Station to process Personal Data on behalf of the Brand.

2. Introduction

This Agreement outlines the terms under which Drop Station (Data Processor) processes Personal Data on behalf of the Brand (Data Controller) to facilitate co-branded campaigns, contests, communities, account setups, or other engagement activities with podcasters on the Drop Station platform. It ensures compliance with GDPR, CCPA, and other applicable data protection laws, protecting Data Subjects’ privacy. Drop Station may also act as a Data Controller for its own use of Personal Data for platform services (e.g., drip campaigns, analytics), as disclosed in the Privacy Policy.

3. Scope And Role Of The Parties

Roles of Drop Station: Drop Station provides the technical infrastructure and tools for Brands to run co-branded campaigns, contests, communities, or engagement activities with podcasters. As Data Processor, Drop Station processes Personal Data solely on the basis of the Brand’s documented instructions for brand-related activities. As Data Controller, Drop Station processes Personal Data for its own platform services, per the Privacy Policy.

Roles of Brands: Brands act as Data Controllers, determining the purposes and means of processing Personal Data for their co-branded campaigns, contests, communities, or engagement activities. Brands ensure lawful processing and compliance with Data Protection Legislation.

Roles of Podcasters: Podcasters, as Data Controllers per the Standard Data Processing Agreement for Creators, determine the purposes and means of processing Personal Data for their audience in co-branded campaigns. Drop Station processes data on behalf of podcasters for these activities.

Purpose of Data Processing: To enable Brands and podcasters to run co-branded campaigns, contests, communities, or engagement activities, including processing survey responses, contest entries, or community interaction data to enhance user engagement and marketing. Drop Station may use this data for platform services as a Controller.

Responsibilities of Drop Station: Implement technical and organizational measures to ensure GDPR/CCPA compliance, maintain data security, and assist Brands with data subject requests and regulatory obligations as a Processor. As a Controller, Drop Station ensures compliance for its own processing activities.

Responsibilities of Brands: Provide lawful instructions for processing, ensure compliance with Data Protection Legislation, and notify Drop Station of any changes to processing purposes.

Collaboration: All parties collaborate to ensure compliance, including responding to Data Subject requests and regulatory inquiries.

Records of Processing: Drop Station maintains records of processing activities per GDPR Article 30, available to the Brand upon request.

4. Processing Instructions

1. Drop Station processes Personal Data only on the basis of the Brand’s documented instructions for co-branded campaigns, contests, communities, or engagement activities, unless required by applicable law, in which case Drop Station notifies the Brand beforehand (unless prohibited by law).

2. Drop Station ensures personnel processing Personal Data are bound by confidentiality obligations.

3. Drop Station limits processing to activities necessary for co-branded campaigns, contests, communities, or engagement, as instructed by the Brand, except for its own Controller activities as per the Privacy Policy.

4. If Drop Station believes instructions breach GDPR/CCPA, it notifies the Brand immediately and awaits further instructions.

5. Confidentiality

Drop Station treats Personal Data as confidential, disclosing it only as instructed by the Brand or required by law, except for its own Controller activities as disclosed in the Privacy Policy. Access is limited to authorized personnel bound by confidentiality obligations. Drop Station implements measures to ensure confidentiality and notifies the Brand of any breaches. Confidentiality obligations survive termination.

6. Security Measures

Drop Station implements Appropriate Technical and Organizational Measures to protect Personal Data, including:
• Access Control: Restrict access to authorized personnel with proper authentication.
• Data Minimization: Process only necessary Personal Data for the Brand’s purposes or Drop Station’s platform services.
• Data Encryption: Encrypt Personal Data in transit and at rest.
• Incident Management: Detect, respond to, and notify the Brand of breaches within 72 hours.
• Regular Audits: Review security measures to ensure compliance.
• Training: Provide data protection training to personnel.
• Physical Security: Control access to systems handling Personal Data.
• Privacy by Design: Integrate data protection into processing systems per GDPR Article 25.
By implementing these measures, Drop Station agrees to safeguard Personal Data and mitigate the risk of unauthorized access or data breaches to the best of its abilities within its operational and financial capacities.

7. Sub-Processing

• Drop Station may engage Subprocessors, subject to obligations equivalent to this Agreement.
• Drop Station maintains an updated Subprocessor list, available to the Brand upon request.
• Drop Station notifies the Brand of new Subprocessors, allowing 30 days for objections. If the Brand objects to a proposed Subprocessor within the 30-day period, Drop Station shall not engage that Subprocessor and shall work with the Brand to find an alternative that meets the Brand’s requirements.
• Drop Station remains liable for Subprocessors’ compliance.
• The Brand may not engage Subprocessors without Drop Station’s consent, ensuring equivalent obligations.

8. Data Subject Rights

Drop Station assists the Brand in responding to Data Subject requests (e.g., access, erasure, portability) per GDPR/CCPA for co-branded campaign data, including:

• Promptly notifying the Brand of direct requests.
• Providing relevant information to comply with requests within the timelines required by GDPR (e.g., one month for most requests).
• Ensuring secure data transmission.
• Facilitating data portability in a machine-readable format per GDPR Article 20.
• Keeping records of all Data Subject requests and measures taken for compliance and auditing purposes.

Drop Station ensures compliance with these obligations as a Processor and acknowledges that failure to comply may subject both parties to legal and regulatory consequences. As a Controller, Drop Station handles data subject requests for its own processing activities.

9. Data Retention And Deletion

• Retention Periods: Drop Station retains Personal Data only as long as necessary for the Brand’s co-branded or solely branded campaign purposes, including but not limited to surveys, contest entries, and promo code landing pages, or as required by law. Drop Station may retain Personal Data for its own platform services (e.g., drip campaigns, analytics) as a Data Controller, per the Privacy Policy, with a lawful basis such as legitimate interests or user consent. Personal Data collected via promo code landing pages is retained only for the duration of the campaign or up to 30 days post-campaign, unless otherwise instructed by the Brand or required by law.

• Data Deletion Requirements Post-Association: Upon termination of the Brand’s account or campaign completion, Drop Station deletes or anonymizes Personal Data processed on behalf of the Brand within 60 days for co-branded campaigns or 30 days for solely branded campaigns, including promo code landing pages, certifying compliance in writing, unless retention is required by applicable law (e.g., for legal compliance, archiving, or fraud prevention). Drop Station may continue to retain and process Personal Data for its own platform services as a Data Controller, as disclosed in the Privacy Policy.

• Ongoing Obligations: Retained data is securely stored and used only as permitted.

10. International Data Transfers

Drop Station does not transfer Personal Data outside the EU/UK unless:
• The destination ensures an adequate level of protection (per EU/UK decisions), or
• Appropriate safeguards (e.g., Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs)) are in place per GDPR Article 46, or
• A GDPR Article 49 derogation applies (e.g., explicit consent).
Drop Station:
• Implements SCCs where required.
• Notifies the Brand of transfers for co-branded or solely branded campaign data, including promo code landing pages.
• Maintains transfer documentation, available upon request.
• Ensures that transfers of California residents’ data comply with CCPA, preventing unauthorized data sharing without opt-out mechanisms.

Drop Station reserves the right to request additional information or documentation to verify compliance with this clause and may object to data transfers that do not meet the stipulated requirements.

11. Data Breach Notification

Drop Station notifies the Brand of a data breach involving co-branded campaign data within 72 hours, providing:
• A description of the nature of the data breach, including categories and approximate number of Data Subjects/records affected.
• Contact details for further information.
• Likely consequences.
• Measures taken to mitigate effects.
Drop Station assists with regulatory notifications and maintains breach records. Drop Station cooperates fully with the Brand in investigating the breach, preparing notifications, and mitigating impacts. As a Controller, Drop Station handles breach notifications for its own processing activities.

12. Audits And Compliance

The Brand may audit Drop Station’s compliance with this Agreement for co-branded or solely branded campaign processing with reasonable notice. Drop Station provides documentation and access to records/personnel. Drop Station addresses any non-compliance promptly. The Brand may review security measures to ensure alignment with GDPR/CCPA standards.

13. Indemnification

Drop Station indemnifies the Brand against claims arising from:
• Breach of this Agreement as a Processor.
• Non-compliance with Data Protection Legislation for Processor activities.
• Unauthorized data processing on behalf of the Brand.
This does not apply to claims from the Brand’s negligence or misconduct or Drop Station’s Controller activities.

14. Limitation Of Liability

Neither party shall be liable to the other party, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, business opportunities, goodwill, anticipated savings, or data. Notwithstanding anything to the contrary in this Agreement, the aggregate liability of either party arising out of or in connection with this Agreement, whether in contract, tort, or under any other theory of liability, shall not exceed the total fees paid or payable by the Brand to Drop Station under this Agreement during the twelve (12) months preceding the event giving rise to the claim. This limitation of liability does not exclude or limit the liability of either party for fraud, gross negligence, death or personal injury caused by its negligence, or any other liability to the extent that such liability cannot be limited or excluded under applicable law.

15. Termination

Upon termination of this Agreement:
• Drop Station shall cease all processing of Personal Data on behalf of the Brand.
• Drop Station shall delete or anonymize all Personal Data processed for the Brand within 60 days for co-branded campaigns or 30 days for solely branded campaigns, including promo code landing pages, certifying compliance in writing, unless retention is required by applicable law (e.g., for legal compliance, archiving, or fraud prevention).
• Confidentiality obligations shall survive termination.
• Drop Station shall cooperate with the Brand to facilitate the transition of any remaining data or services, as reasonably requested by the Brand.
• Drop Station shall not retain or use any Personal Data for its own platform activities or any other purpose after termination, except as explicitly required by applicable law.

16. Miscellaneous

a. This Agreement shall be governed by and construed in accordance with the laws of the State of Tennessee, without regard to its conflict of laws principles. Any disputes arising out of or in connection with this Agreement shall be resolved exclusively in the state or federal courts located in Tennessee. However, the Parties acknowledge that GDPR's supervisory authorities have jurisdiction over data protection matters, irrespective of the governing law specified herein.
b. Amendments: This Agreement may be amended only in writing and when signed by duly authorized representatives of both parties. No modification, alteration, or waiver of any provisions hereof shall be valid unless made in writing and signed by both parties hereto.
c. Severability: If any provision of this Agreement is found to be unenforceable or invalid, such provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.
d. Reference to Drop Station’s Privacy Policy and Terms of Service: The Brand acknowledges and agrees that their processing of Personal Data is subject to Drop Station’s Privacy Policy and Terms of Service, which are incorporated herein by reference. The Brand agrees to adhere to these policies at all times.
e. Neither party shall be liable for any failure or delay in performing its obligations under this Agreement if such failure or delay is due to circumstances beyond its reasonable control, including but not limited to acts of God, war, terrorism, labor disputes, or governmental actions. The affected party shall notify the other party of the force majeure event promptly and take all reasonable steps to mitigate its effects.

17. Data Protection Officer (DPO)

Drop Station shall appoint a Data Protection Officer (DPO) or equivalent representative responsible for overseeing data protection compliance. Drop Station shall provide the Brand with the DPO’s contact details and promptly notify the Brand of any changes to this information.

18. Data Protection Impact Assessments (DPIAs)

Drop Station assists the Brand with DPIAs per GDPR Article 35 for co-branded campaign processing, providing information and support to assess and mitigate risks. Drop Station contributes to DPIA documentation and ensures timely completion for high-risk processing activities.

19. Data Subject Interaction

Drop Station does not communicate directly with Data Subjects for co-branded campaign data unless authorized by the Brand. All requests are directed to the Brand. If authorized, Drop Station assists in responding to requests in compliance with Data Protection Legislation. As a Controller, Drop Station handles interactions for its own processing activities.

20. Data Localization

Drop Station complies with data localization laws, ensuring data is stored/processed in required jurisdictions, selecting appropriate data centers and adhering to transfer provisions.