Toasty Legal

Data Processing Addendum

Effective date: July 1, 2026
Last updated: July 2, 2026

This Data Processing Addendum ("DPA") is entered into between the customer ("Customer") and [TOASTY LEGAL ENTITY], [ADDRESS] ("Provider"), the operator of Toasty. It is automatically incorporated into the Terms of Service and applies whenever Provider processes personal data on Customer's behalf. No signature is required; using the Service constitutes acceptance.

1. Roles and Scope

For personal data contained in Customer Data (email content from connected mailboxes, prospect records, uploaded lists, and derived enrichment), Customer is the controller (or "business" under the CCPA) and Provider is the processor (or "service provider"). This DPA does not cover data for which Provider is the controller, such as Customer's own account and billing data, which is governed by the Privacy Policy.

2. Processing Details

  • Subject matter and duration: provision of the Toasty CRM and outreach service for the term of the Customer's subscription.
  • Nature and purpose: hosting, syncing, drafting, sending, tracking, and organizing email and prospect records at Customer's direction.
  • Categories of data subjects: Customer's prospects, contacts, and correspondents.
  • Categories of personal data: names, business contact details, email content and metadata, engagement events, and inferences derived from them.

3. Provider Obligations

Provider will:

  1. Process only on instructions. Process personal data only on Customer's documented instructions, which consist of the Terms, this DPA, and Customer's configuration and use of the Service, unless required by law (in which case Provider will notify Customer unless legally prohibited).
  2. CCPA service-provider commitments. Not sell or share the personal data; not retain, use, or disclose it for any purpose other than providing the Service (or as permitted by the CCPA); not combine it with data from other sources except to provide the Service; and certify that it understands and will comply with these restrictions. Provider will notify Customer if it can no longer meet its obligations, and Customer may take reasonable steps to stop and remediate unauthorized use.
  3. Confidentiality. Ensure that every person authorized to process the data is bound by confidentiality obligations.
  4. Security. Implement appropriate technical and organizational measures, including encryption of data at rest (mailbox credentials are encrypted with AES-256-GCM), TLS for data in transit, access controls limited to personnel who need access, and logical separation of tenant data.
  5. Breach notice. Notify Customer without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data, with the information reasonably available to help Customer meet its own notification obligations.
  6. Assistance. Taking into account the nature of the processing, assist Customer in responding to data subject rights requests and in meeting its security, breach-notification, and assessment obligations. Provider will forward to Customer any rights request it receives that concerns Customer Data.

4. Subprocessors

Customer grants Provider general authorization to engage the subprocessors listed on the Subprocessors page. Provider will update that page at least 14 days before adding or replacing a subprocessor. If Customer reasonably objects on data protection grounds and Provider cannot offer an alternative, Customer may terminate the affected services and receive a pro-rated refund of prepaid fees. Provider imposes data protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance.

5. Deletion and Return

Upon termination of the Service, Provider will, at Customer's choice, delete or return all Customer Data within 30 days, except for copies retained in routine backups (which expire on a rolling schedule) or as required by law, which remain protected under this DPA until deleted.

6. Audit

No more than once per year, and on at least 30 days' written notice, Customer may audit Provider's compliance with this DPA by submitting a written security questionnaire, which Provider will answer within 30 days. Provider may also satisfy audit requests by providing existing security documentation or third-party assessments as they become available.

7. International Transfers

The Service is operated from, and Customer Data is stored in, the United States. The Service is currently offered for prospecting US-based recipients. If Customer submits personal data subject to GDPR-style transfer rules, Customer is responsible for ensuring a lawful transfer basis and should contact legal@sendtoasty.com before doing so.

8. Precedence and Term

If this DPA conflicts with the Terms, this DPA controls for data protection matters. This DPA lasts as long as Provider processes Customer Data. Liability under this DPA is subject to the limitations in the Terms.