Data Processing Agreement (DPA)

Last updated: January 21, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions and Privacy Policy between:

Optin Biz Inc., doing business as Optimum DMA (the “Company,” “we,” “us,” or “our”) and the client (“Client”, “you,” or “your”), collectively referred to as the “Parties.”

This DPA describes the requirements and responsibilities regarding the processing of personal data when the Company processes data on behalf of the Client.

1. Definitions

“Controller” means the entity that determines the purposes and means of the processing of personal data.
“Processor” means the entity that processes personal data on behalf of the Controller.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
“Applicable Data Protection Laws” means all laws related to data protection and privacy that are applicable to the Parties, including but not limited to GDPR, CCPA, and other relevant laws.

2. Roles and Scope

For the purposes of this DPA:

• The Company (Optin Biz Inc., DBA Optimum DMA) is a Processor when processing Personal Data on behalf of the Client.
• The Client is typically the Controller of Personal Data.

This DPA applies whenever the Company processes Personal Data on behalf of the Client in connection with the services provided by the Company.

3. Processing Instructions

The Company shall process Personal Data only:

• On documented instructions from the Client;
• To provide the services outlined in the underlying agreement between the Parties;
• In compliance with Applicable Data Protection Laws;
• As necessary to fulfill the purposes agreed upon by the Parties.

The Client confirms that its instructions for processing comply with all applicable laws.

4. Duration of Processing

The Company will process Personal Data for the duration necessary to provide services under the underlying agreement between the Parties, unless otherwise required by Applicable Data Protection Laws.

5. Confidentiality

The Company will ensure that personnel authorized to process Personal Data:

• Are bound by confidentiality obligations;
• Are informed of the confidential nature of the data;
• Are trained to respect data privacy requirements.

6. Security Measures

The Company agrees to implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Security measures may include:

• Encryption of data in transit and at rest;
• Access controls and permission restrictions;
• Secure data storage;
• Regular monitoring and security reviews;
• Other safeguards as reasonably required.

7. Subprocessors

The Company may engage third-party subprocessors in connection with providing services (e.g., analytics, hosting, email services).
Before allowing a subprocessor to process Personal Data, the Company shall:

• Ensure that subprocessors are bound by data protection obligations at least equivalent to those in this DPA;
• Provide a list of subprocessors upon request.

The Company remains responsible for its subprocessors’ compliance with this DPA.

8. Data Subject Rights

The Client is responsible for responding to requests from data subjects exercising their rights under Applicable Data Protection Laws (such as access, correction, deletion, or portability).

If the Company receives any such request directly, it will promptly forward the request to the Client.

9. Breach Notification

In the event of a data breach affecting Personal Data processed on behalf of the Client, the Company shall:

• Notify the Client without undue delay;
• Provide reasonable cooperation to assist the Client in addressing the breach.

The Client is responsible for complying with any legal breach notification obligations as required by Applicable Data Protection Laws.

10. Return or Deletion of Data

Upon termination or expiration of the underlying agreement, the Company will either:

• Return Personal Data to the Client, or
• Delete all Personal Data at the Client’s written request,
unless retention is required by Applicable Data Protection Laws.

11. International Data Transfers

If Personal Data is transferred outside of the originating jurisdiction (including outside of the European Economic Area), both Parties agree to implement appropriate safeguards in accordance with Applicable Data Protection Laws.

12. Indemnification

Each Party agrees to indemnify and hold the other Party harmless from any claims, damages, fines, or costs resulting from a breach of this DPA or violations of Applicable Data Protection Laws to the extent caused by the indemnifying Party’s actions.

13. Governing Law

This DPA will be governed by and interpreted in accordance with the laws of the State of New York, USA.

14. Changes to this DPA

The Company may update this DPA at any time. Updated versions will be posted on the Company’s website with a revised “Last Updated” date.

15. Contact Information

If you have questions about this Data Processing Agreement, please contact:

Optin Biz Inc., DBA Optimum DMA
Email: nicky@optimumdma.com
Website: https://optimumdma.com