Privacy & Compliance

GDPR & Data Processing

How EngageIQ supports your GDPR compliance as both a controller and a processor — lawful bases, data subject rights, the DPA, international transfer mechanisms, and how to reach our DPO.

Effective June 12, 2026
Last updated June 12, 2026

01 Overview & Applicability

The General Data Protection Regulation (EU) 2016/679 ("GDPR") and the equivalent UK GDPR set out comprehensive rules for how personal data must be collected, used, stored, and transferred. This page explains how those rules apply to EngageIQ — both as a data controller in our own right and as a data processor acting on behalf of our customers.

This page applies if you are:

  • A customer of EngageIQ who is subject to the GDPR or UK GDPR.
  • An individual in the EU or UK whose data EngageIQ processes.
  • A legal, compliance, or procurement professional evaluating EngageIQ.

Requesting a Data Processing Addendum (DPA)

If you need a signed DPA to satisfy your own GDPR obligations, email legal@engageiq.com. We will send you our standard DPA within 2 business days. For Enterprise plans with custom terms, contact your account manager.

02 Key Terms

Personal Data
Any information relating to an identified or identifiable natural person (a 'data subject').
Processing
Any operation performed on personal data — including collection, storage, use, disclosure, and deletion.
Controller
The entity that determines the purposes and means of processing personal data. Controllers make the key decisions about what is processed, why, and how.
Processor
An entity that processes personal data on behalf of and under the instructions of a controller.
Sub-processor
A third party engaged by a processor to carry out specific processing activities on behalf of the controller.
Data Processing Addendum (DPA)
A contract between a controller and processor that governs the processor's handling of personal data, as required by GDPR Art. 28.
Standard Contractual Clauses (SCCs)
Model contract terms approved by the European Commission for lawfully transferring personal data from the EEA to third countries.
Data Subject
The identified or identifiable natural person whose personal data is processed.

03 EngageIQ's Roles Under the GDPR

EngageIQ operates in two distinct roles depending on the category of personal data and the context of processing:

EngageIQ as Data Controller

EngageIQ is the controller for personal data we collect and use for our own purposes, including:

  • Account and registration data (name, work email, company, role) of our direct customers and workspace members.
  • Billing and payment data required to process subscriptions.
  • Usage and log data collected automatically when customers use our platform.
  • Support and communications data when customers contact us.

Our Privacy Policy governs this processing. Our lawful bases as a controller are described in §04 below.

EngageIQ as Data Processor

EngageIQ is a processor for the personal data our customers upload, send, or generate through the platform — including contact profiles, end-user event data, and the content of campaigns. In this role:

  • The customer is the controller and determines the purpose and means of processing.
  • EngageIQ processes data only on documented instructions from the customer.
  • Our Data Processing Addendum (DPA) governs this relationship and satisfies GDPR Art. 28.
  • We assist customers in meeting their own obligations, including responding to data subject requests (DSRs) and notifying breaches.

Who is responsible for end-recipient data?

If you use EngageIQ to send emails to your own customers or users, you are the controller of that contact data. You must have a lawful basis for processing their personal data and for contacting them. EngageIQ processes it on your behalf.

04 Lawful Bases for Processing

Where EngageIQ acts as controller, we rely on the following lawful bases under GDPR Art. 6:

Processing activity | Lawful basis (Art. 6) | Details
--- | --- | ---
Providing the Services and your account | Contract (Art. 6(1)(b)) | Processing is necessary to perform the contract with you.
Billing and payment processing | Contract (Art. 6(1)(b)) | Necessary to fulfill subscription and billing obligations.
Security monitoring, fraud detection, abuse prevention | Legitimate interests (Art. 6(1)(f)) | Protecting platform integrity, customers, and third parties. Interest outweighs data-subject impact given minimal intrusiveness.
Product improvement and analytics | Legitimate interests (Art. 6(1)(f)) | Aggregated usage data used to improve features and performance. No profiling for external purposes.
Marketing communications to prospects | Consent (Art. 6(1)(a)) or Legitimate interests | We rely on consent where required and legitimate interests for B2B soft opt-in, always with a clear unsubscribe.
Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | e.g., record-keeping, responding to lawful authority requests.

Special category data

EngageIQ does not intentionally collect or process special category data (Art. 9) such as health data, biometric data, or data revealing racial or ethnic origin. If a customer's use case involves special category data, the customer as controller is responsible for establishing an appropriate Art. 9 basis and implementing additional safeguards.

05 Data Subject Rights

The GDPR grants individuals specific rights over their personal data. The table below explains each right and how it applies to EngageIQ's processing activities.

Right | Article | How to exercise | EngageIQ response time
--- | --- | --- | ---
Right of access (Subject Access Request) | Art. 15 | Email privacy@engageiq.com or use Settings → Privacy in the dashboard | Within 30 days (up to 90 days for complex requests)
Right to rectification | Art. 16 | Update account details in the dashboard or email us | Within 30 days
Right to erasure ('right to be forgotten') | Art. 17 | Submit deletion request via dashboard or email privacy@engageiq.com | Within 30 days; data removed from backups within 90 days
Right to restriction of processing | Art. 18 | Email privacy@engageiq.com with reason | Within 30 days; processing restricted pending resolution
Right to data portability | Art. 20 | Use Settings → Export in the dashboard or email us | Data provided in machine-readable format within 30 days
Right to object | Art. 21 | Email privacy@engageiq.com; for direct marketing, use unsubscribe link | Immediate for marketing; otherwise within 30 days
Rights re: automated decisions | Art. 22 | Email privacy@engageiq.com | Within 30 days

Identity verification

To protect your data, we verify the identity of all requesters before acting on a DSR. For account holders, this typically involves authenticating via the account associated with the request. For non-account holders or third-party requests, additional verification may be required. We will never charge a fee for a first DSR; repeated or manifestly unfounded requests may be subject to a reasonable fee or refusal.

Right to lodge a complaint

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, contact the supervisory authority in your EU member state. For UK residents, contact the Information Commissioner's Office (ICO).

06 Data Processing Addendum (DPA)

GDPR Art. 28 requires that controllers only use processors who provide sufficient guarantees, and that the relationship is governed by a binding contract — the DPA. Our DPA covers:

  • The subject matter, duration, nature, and purpose of the processing.
  • The type of personal data processed and categories of data subjects.
  • Our obligations and rights as processor, including compliance with the controller's documented instructions.
  • Confidentiality and access restrictions for EngageIQ personnel.
  • Technical and organizational security measures (Article 32).
  • Sub-processing arrangements and prior notice obligations.
  • Assistance with data subject rights, security breaches, and DPIAs.
  • Data deletion or return upon termination of the Services.
  • Audit rights and provision of information demonstrating compliance.
  • Standard Contractual Clauses for international data transfers.

How to obtain a signed DPA

Email legal@engageiq.com with the subject line "DPA Request" and include your company name, registered address, and the name and title of your authorized signatory. We will send a pre-signed copy within 2 business days. Enterprise customers can negotiate custom DPA terms via their account manager.

DPA self-service

We are working on a self-service DPA signing flow in the dashboard. Until then, email requests are the primary route. We aim to execute DPAs within 2 business days.

07 International Data Transfers

EngageIQ's primary infrastructure is located in the United States (AWS us-east-1). When EngageIQ processes personal data from the EEA or UK, this constitutes a transfer of personal data to a third country. We rely on the following transfer mechanisms:

EU Standard Contractual Clauses (SCCs)

Our DPA incorporates the EU SCCs (Commission Implementing Decision (EU) 2021/914 — Module 2: controller to processor) for transfers from the EEA to the United States. These SCCs have been assessed against the legal framework of the United States and include the supplementary measures required by the EDPB following the Schrems II ruling.

UK International Data Transfer Agreement (IDTA)

For transfers from the United Kingdom, our DPA incorporates the UK IDTA (or UK Addendum to EU SCCs) as approved by the Information Commissioner's Office.

Data residency options

Enterprise customers may request data residency in AWS EU regions (eu-west-1 or eu-central-1) to keep personal data within the EEA. This requires a dedicated deployment. Contact sales@engageiq.com to discuss availability and pricing.

Transfer origin | Destination | Mechanism | Status
--- | --- | --- | ---
EEA | USA (AWS us-east-1) | EU SCCs — Module 2 (C2P) | Active
United Kingdom | USA (AWS us-east-1) | UK IDTA / UK Addendum | Active
Switzerland | USA (AWS us-east-1) | Swiss SCCs | Active
EEA/UK (Enterprise) | AWS EU regions | Within-adequacy; SCCs not required | Available on request
08 Sub-processors

As a processor, EngageIQ may engage sub-processors to assist in delivering the Services. We have executed data-processing agreements with all sub-processors and require them to maintain security and privacy standards at least equivalent to our own. Our full sub-processor list is maintained at engageiq.com/subprocessors.

We notify customers of new or changed sub-processors by email and via the subprocessors page at least 30 days before the change takes effect. Customers who have executed a DPA with us may object to a new sub-processor in writing within that 30-day window. If we are unable to accommodate the objection, the customer may terminate the affected Services without penalty.

09 Technical & Organizational Measures (TOMs)

GDPR Art. 32 requires that processors implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Our TOMs include:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256, AWS KMS).
  • Pseudonymization of personal data where technically feasible and appropriate.
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems.
  • Regular testing and evaluation of technical and organizational security measures.
  • Ability to restore availability and access to data following a physical or technical incident.
  • Role-based access control (RBAC) with least-privilege principles.
  • Multi-factor authentication mandatory for all personnel with system access.
  • Annual penetration testing by independent third parties.
  • Formal incident response plan with breach notification procedures.

Full details of our security program are available on our Security page. Enterprise customers can request our security questionnaire responses and TOMs annex by contacting security@engageiq.com.

10 Data Breach Notification

In the event of a personal data breach, EngageIQ will:

  • Notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach (where feasible), so that customers can meet their own GDPR Art. 33 notification obligations to supervisory authorities.
  • Provide sufficient information to enable customers to assess the breach — including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
  • Cooperate fully with customers throughout the investigation and remediation process.
  • Maintain a breach register as required by GDPR Art. 33(5).

Customers should designate a primary security contact in their EngageIQ account settings to receive breach notifications. Breach notifications are sent to the account email address and the designated security contact.

11 Data Retention

We retain personal data only as long as necessary for the purposes described, or as required by law.

Data category | Retention period | Basis
--- | --- | ---
Account data | Duration of active account + 30 days grace period after closure | Contract, legal obligation
Contact & event data (customer-uploaded) | As configured by the customer; deleted on account closure within 90 days | Processor on customer instruction
Billing & tax records | 7 years from transaction date | Legal obligation (tax law)
Security & audit logs | 12 months (rolling) | Legitimate interests (security)
Support communications | 3 years after last interaction | Legitimate interests (dispute resolution)
Encrypted backups | 30 days (rolling) in a separate region | Contract, security

12 DPO & Contact

EngageIQ has designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with the GDPR. Our DPO can be contacted directly for matters relating to personal data processing, supervisory-authority liaison, and GDPR rights.

Data Protection Officer

EngageIQ Inc.

DPO: dpo@engageiq.com

Privacy inquiries: privacy@engageiq.com

DPA requests: legal@engageiq.com

EU & UK Art. 27 Representative: Until a local representative is formally designated for your region, please contact dpo@engageiq.com and we will route your inquiry to the appropriate contact.
