This Data Processing Agreement ("DPA") forms part of the agreement between Sound Promote, operated by Verbose Digital LLC ("Processor", "we", "us") and the customer ("Controller", "you", "your") who uses the Sound Promote platform at www.soundpromote.com. This DPA sets out the terms under which we process personal data on your behalf in connection with our music promotion services.
1. Definitions
Controller means the customer who determines the purposes and means of processing personal data through the Sound Promote platform.
Processor means Sound Promote, which processes personal data on behalf of the Controller.
Data Subject means an identified or identifiable natural person whose personal data is processed.
Personal Data means any information relating to a Data Subject that can be used to directly or indirectly identify that person.
Processing means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Sub-processor means a third party engaged by the Processor to process personal data on behalf of the Controller.
Applicable Data Protection Laws means all laws and regulations relating to data protection and privacy applicable to the processing of personal data under this DPA, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any national implementing legislation.
2. Scope and Purpose
This DPA applies to all processing of personal data carried out by Sound Promote on behalf of the Controller in connection with the provision of music promotion campaign services. The Processor shall process personal data solely for the purpose of delivering the services agreed upon, including the management and execution of music promotion campaigns for labels and artists.
3. Data Processing Details
The following categories of personal data may be processed under this DPA:
Contact information: Names, email addresses, and other identifiers included in contact lists uploaded by the Controller.
Music files: Uploaded music files, including associated metadata and artwork, processed and stored for the purpose of campaign delivery.
Engagement data: Metrics related to campaign interactions, including tracking of email opens via tracking pixels, tracking of link clicks within promotional emails, and recording of download and playback activity by recipients.
Campaign metadata: Information related to the scheduling, targeting, and configuration of promotion campaigns.
Account data: Information provided by the Controller during account registration and use of the platform.
Data Subjects include the contacts and recipients in the Controller's contact lists, as well as the Controller's own account users.
4. Obligations of the Processor
Sound Promote, as the Processor, shall:
Process personal data only on documented instructions from the Controller, unless required by applicable law.
Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing.
Assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws.
Assist the Controller in ensuring compliance with obligations related to security of processing, notification of data breaches, and data protection impact assessments.
At the Controller's choice, delete or return all personal data after the end of the provision of services, unless retention is required by applicable law.
Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Obligations of the Controller
The Controller shall:
Have obtained lawful consent from all Data Subjects (contacts) before providing their personal data to the Processor. The Controller must not upload purchased, scraped, or otherwise unlawfully obtained contact lists.
Comply with the CAN-SPAM Act, the General Data Protection Regulation (GDPR), and all other applicable email marketing and data protection laws in relation to its use of the platform and the personal data it provides.
Be solely responsible for the lawfulness of the personal data provided to Sound Promote, including ensuring the accuracy and quality of such data.
Honor all opt-out and unsubscribe requests from contacts in a timely manner, in compliance with applicable law.
Provide documented instructions to the Processor regarding the processing of personal data.
6. Sub-processors
The Controller grants the Processor general authorization to engage Sub-processors for the purposes of delivering the services. The Processor shall:
The following Sub-processors are currently engaged by the Processor:
Resend — Email delivery for promotional campaigns
Google Analytics / Google Tag Manager — Website analytics and usage insights
Vercel — Web application hosting and deployment
Railway — Application infrastructure and backend services
Amazon Web Services (AWS S3) — Audio file storage
The Processor shall:
Notify the Controller at least 30 days before adding any new Sub-processors, giving the Controller the opportunity to object to such changes.
Ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
Remain fully liable to the Controller for the performance of any Sub-processor's obligations.
7. Data Security Measures
The Processor shall implement and maintain appropriate technical and organizational security measures, including but not limited to:
Encryption of personal data in transit and at rest.
Access controls to ensure that only authorized personnel can access personal data.
Regular testing and evaluation of the effectiveness of security measures.
Procedures for ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems.
Processes for restoring access to personal data in the event of a physical or technical incident.
8. Data Breach Notification
In the event of a personal data breach, the Processor shall:
Notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach.
Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the relevant supervisory authority and to notify affected Data Subjects, where required.
Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. Where a Data Subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.
10. Data Transfers
The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) or to an international organization unless appropriate safeguards are in place in accordance with applicable data protection laws. Such safeguards may include Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.
Personal data is stored in the following locations:
Application data: United States (Vercel, Railway)
Audio files: United States (AWS S3)
Analytics data: United States (Google servers)
Email delivery data: United States (Resend)
11. Duration and Termination
This DPA shall remain in effect for the duration of the Controller's use of the Sound Promote platform. Upon termination, Processor shall delete or return all personal data within 30 days, unless applicable law requires continued storage, in which case the specific legal basis and retention period will be communicated to the Controller. The Processor shall confirm deletion in writing upon request.
12. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. The Controller may, upon reasonable notice and no more than once per calendar year, conduct or commission an audit of the Processor's processing activities relevant to this DPA. The Processor shall cooperate with any such audit and provide reasonable assistance. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
13. Liability
Each party shall be liable for damages caused by processing that infringes applicable data protection laws. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under applicable data protection laws, or where it has acted outside or contrary to the lawful instructions of the Controller. The total liability of each party under this DPA is subject to any limitations of liability set out in the underlying agreement between the parties.
14. GDPR Compliance
Both parties shall comply with the obligations applicable to them under the General Data Protection Regulation (EU) 2016/679 and any successor legislation. The Processor shall maintain a record of processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR. Where the Processor believes that an instruction from the Controller infringes the GDPR or other applicable data protection law, the Processor shall promptly notify the Controller.
15. Contact Information
For any questions or requests related to this Data Processing Agreement, please contact Verbose Digital LLC, 1209 Mountain Road PL NE STE N, Albuquerque, NM 87110, United States, at hello@soundpromote.com.