Data Processing Agreement

Effective date: 07 March 2026

This Data Processing Agreement (“DPA”) forms part of the Campaignity Terms of Service and any applicable quotation, proposal, invoice, written agreement, or other agreement accepted, executed, or confirmed by the parties, including by email or through the Services by an authorised representative of the Customer (the “Agreement”), between Campaignity Technologies Ltd (“Campaignity”) and the Customer identified in the Agreement.

This DPA applies only to the extent Campaignity processes Customer Personal Data on behalf of the Customer as a Data Processor under the Agreement.

1. Definitions

Unless otherwise defined in this DPA, capitalised terms have the meanings given in the Agreement.

For purposes of this DPA:

1.1 “Applicable Data Protection Law” means any law, regulation, or legally binding requirement applicable to the processing of personal data under the Agreement, including the GDPR where applicable.

1.2 “Customer Personal Data” means personal data contained within Customer Data that Campaignity processes as a Data Processor on behalf of the Customer under the Agreement.

1.3 “Data Controller” means the entity that determines the purposes and means of processing personal data, including any equivalent term under applicable law.

1.4 “Data Processor” means the entity that processes personal data on behalf of a Data Controller, including any equivalent term under applicable law.

1.5 “Data Subject” means an identified or identifiable natural person to whom personal data relates.

1.6 “Subprocessor” means any third party authorised by Campaignity to process Customer Personal Data on Campaignity’s behalf in connection with the Services.

2. Scope and duration

2.1 Scope. This DPA applies only to the extent Campaignity processes Customer Personal Data as a Data Processor on behalf of the Customer under the Agreement.

2.2 Duration. This DPA remains in effect for as long as Campaignity processes Customer Personal Data on behalf of the Customer under the Agreement.

2.3 Excluded processing. For the avoidance of doubt, this DPA does not apply to processing activities where Campaignity acts as an independent Data Controller, including processing of Account Data and limited processing carried out for Campaignity’s own purposes as described in the Agreement and Privacy Policy, including security, fraud prevention, abuse review, legal compliance, and internal AI training and improvement for workspaces on the Default Free Plan.

3. Roles of the parties

3.1 Customer role. The Customer acts as the Data Controller, or as a processor acting on behalf of another controller, for Customer Personal Data processed under this DPA.

3.2 Campaignity role. Campaignity acts as the Data Processor for Customer Personal Data processed under this DPA.

3.3 Customer responsibility. The Customer is responsible for ensuring that its instructions for processing Customer Personal Data comply with Applicable Data Protection Law, including having an appropriate legal basis and providing required notices or obtaining required consents where necessary.

4. Processing instructions

4.1 Documented instructions. Campaignity will process Customer Personal Data only on the Customer’s documented instructions, as set out in the Agreement, this DPA, the Customer’s use and configuration of the Services, or as otherwise agreed in writing.

4.2 Permitted purposes. Campaignity may process Customer Personal Data as necessary to provide, secure, support, maintain, and troubleshoot the Services for the Customer, and as necessary to detect, prevent, or investigate security incidents, fraud, abuse, or misuse affecting the Services.

4.3 Legal requirements. Campaignity may process Customer Personal Data where required to do so by applicable law, regulation, court order, or lawful government request. Where legally permitted, Campaignity will inform the Customer before such processing.

5. Confidentiality

Campaignity will ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.

6. Security

6.1 Security measures. Campaignity will implement appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

6.2 Customer responsibilities. The Customer remains responsible for secure configuration of its workspaces, user roles, permissions, credentials, integrations, notices, and deployment settings.

7. Subprocessors

7.1 Authorisation. The Customer authorises Campaignity to engage Subprocessors in connection with the Services.

7.2 Subprocessor obligations. Campaignity will impose data protection obligations on its Subprocessors that are substantially similar to the obligations in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.

7.3 Responsibility. Campaignity remains responsible for its Subprocessors’ processing of Customer Personal Data to the extent required by applicable law and the Agreement.

7.4 Subprocessor list. Campaignity’s current Subprocessors are described on its public Subprocessors page, which may be updated from time to time.

8. International transfers

Where Campaignity transfers Customer Personal Data internationally, Campaignity will use appropriate safeguards where required by Applicable Data Protection Law.

9. Assistance to the Customer

Taking into account the nature of the processing and the information available to Campaignity, Campaignity will provide reasonable assistance to the Customer, to the extent required by Applicable Data Protection Law, with:

  • responding to requests from Data Subjects;
  • security obligations;
  • personal data breach notifications;
  • data protection impact assessments; and
  • consultations with supervisory authorities or regulators.

10. Personal data breaches

Campaignity will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide reasonably available information necessary for the Customer to meet its obligations under Applicable Data Protection Law.

11. Deletion and return

Upon termination or expiry of the Agreement, Campaignity will delete or return Customer Personal Data in accordance with the Agreement, unless retention is required by applicable law or necessary for security, dispute, tax, backup, or other lawful retention purposes described in the Agreement or Privacy Policy.

12. Information and audit rights

Campaignity will make available to the Customer such information as is reasonably necessary to demonstrate Campaignity’s compliance with this DPA.

Where required by Applicable Data Protection Law, and subject to reasonable confidentiality, security, scope, frequency, and cost controls, Campaignity will allow and contribute to reasonable audits or inspections by the Customer or an independent auditor mandated by the Customer, provided that such audit does not unreasonably interfere with Campaignity’s business, systems, or obligations to other customers.

13. Details of processing

13.1 Subject matter

The subject matter of the processing is the provision of the Services under the Agreement.

13.2 Nature and purpose of processing

Processing may include collection, recording, organisation, storage, structuring, adaptation, retrieval, consultation, use, disclosure by transmission, making available, alignment, restriction, deletion, or destruction of Customer Personal Data as necessary to provide, secure, support, maintain, and troubleshoot the Services for the Customer.

13.3 Categories of Data Subjects

Data Subjects may include:

  • the Customer’s employees, contractors, administrators, workspace owners, billing contacts, and other authorised users;
  • the Customer’s leads, prospects, customers, students, site visitors, and end users; and
  • other individuals whose personal data the Customer submits to the Services.

13.4 Categories of personal data

Customer Personal Data may include:

  • names;
  • email addresses;
  • phone numbers;
  • identifiers;
  • job titles or organisational roles;
  • conversation content and communications metadata;
  • contact, lead, or CRM-style records;
  • uploaded documents or files;
  • knowledge-base content;
  • website URLs or page content submitted for processing; and
  • other personal data submitted by or on behalf of the Customer through the Services.

13.5 Sensitive data

The Customer is responsible for determining whether it submits any special categories of personal data or other sensitive data into the Services and for ensuring it has all rights and legal bases required to do so.

14. Contact

For questions about this DPA or Campaignity’s data protection practices, contact:

Privacy: privacy@neexa.co
Legal: legal@neexa.co
Support: support@neexa.co
Phone: +256 707 444 474
Address: LR 12, Lugonvu Road, Wakiso, Uganda

Other resources

Terms of Service: https://campaignity.com/legal/terms
Privacy Policy: https://campaignity.com/privacy
Cookie Policy: https://campaignity.com/legal/cookies