This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and Emport ("Processor") for the use of our services, pursuant to Article 28 of the GDPR.
Your data is processed in-memory only during active sessions — we do not permanently store your contact data
We use OAuth 2.0 exclusively — we never see, store, or have access to your HubSpot password
All data in transit is encrypted with TLS 1.2+ and data at rest with AES-256
We notify you of any data breach within 48 hours (stricter than the 72-hour GDPR requirement)
You retain full audit rights and can request certified data deletion at any time
"Controller" means you, the customer, who determines the purposes and means of processing Personal Data by using Emport's services.
"Processor" means Emport (operated by Oguz Ozgul Marketing, KVK: 95052992), which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Standard Contractual Clauses" ("SCCs") means the contractual clauses adopted by the European Commission for international data transfers pursuant to Article 46(2)(c) of the GDPR.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
The Processor processes Personal Data solely for the purpose of providing the Emport service: importing, cleaning, transforming, and mapping contact data from CSV/Excel files into the Controller's HubSpot CRM account.
Processing is carried out on the basis of Article 28 of the GDPR. The Controller is responsible for ensuring a valid lawful basis (e.g., consent, legitimate interest, or contractual necessity) exists for the Personal Data uploaded to the service.
The Processor shall:
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement and maintain appropriate technical and organizational security measures as described in Section 6 of this DPA.
Respect the conditions for engaging Sub-processors as set out in Section 4 of this DPA.
Assist the Controller in responding to Data Subject requests for exercising their rights under Chapter III of the GDPR, taking into account the nature of the processing.
Maintain a record of all categories of processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR.
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits.
The Controller provides general authorization for the Processor to engage the following Sub-processors:
CRM API integration, OAuth authentication, and contact data import to Controller's HubSpot account
Application hosting, CDN, and serverless function execution
Authentication, database hosting, user account management, and Gemini AI-powered data features
Payment processing and subscription management (PCI DSS Level 1 certified)
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors, providing the Controller with the opportunity to object to such changes. If the Controller objects on reasonable grounds, the parties shall negotiate in good faith to resolve the matter.
The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
Pursuant to Article 32 of the GDPR, the Processor implements the following measures:
TLS 1.2+ encryption for all network communications. HTTPS enforced on all endpoints.
AES-256 encryption for all stored data. OAuth tokens encrypted with application-level keys.
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests under Articles 15–22 of the GDPR, including:
Right of Access: Confirm whether Personal Data is being processed and provide a copy
Right to Rectification: Correct inaccurate or incomplete Personal Data
Right to Erasure: Delete Personal Data when no longer necessary for processing
Right to Data Portability: Provide Personal Data in a structured, machine-readable format
Right to Restriction: Restrict processing in certain circumstances
Right to Object: Object to processing based on legitimate interest
The Processor shall respond to Controller requests regarding Data Subject rights within 10 business days. Where technically feasible, the Processor shall enable the Controller to directly manage Data Subject requests through the service interface.
48-Hour Notification Commitment
We commit to notifying the Controller within 48 hours of becoming aware of a Personal Data breach — exceeding the 72-hour requirement under Article 33 of the GDPR.
The notification shall include:
The Processor shall cooperate fully with the Controller in investigating, mitigating, and remediating any breach. The Processor shall not inform any third party of any breach without first obtaining the Controller's written consent, unless required by applicable law.
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that adequate safeguards are in place:
The Controller has the right to conduct one audit per calendar year to verify the Processor's compliance with this DPA. The Controller shall provide at least 30 days' written notice prior to any audit.
Audits may be conducted by the Controller or a qualified, independent third-party auditor appointed by the Controller, subject to reasonable confidentiality obligations.
The Processor shall cooperate fully with any audit and provide access to all relevant information, systems, and personnel. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations.
Where the Processor obtains relevant third-party certifications or audit reports (e.g., SOC 2 Type II), the Processor may provide these to the Controller as an alternative to a direct audit, subject to the Controller's agreement.
CSV/Excel contact data is processed in-memory and automatically purged when the import session ends. No contact data is persisted to permanent storage.
Import metadata (row counts, error summaries, timestamps) is retained for 90 days for troubleshooting purposes, then automatically deleted.
Upon termination of the service agreement, or upon the Controller's written request, the Processor shall within 30 days:
The Processor may retain Personal Data to the extent required by applicable Union or Member State law, provided that the Processor ensures the confidentiality of such data and processes it only for the purposes mandated by law.
Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 of the GDPR.
The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed at processors, or where it has acted outside of or contrary to the Controller's lawful instructions.
The Processor shall indemnify the Controller against all claims, liabilities, costs, and expenses arising from any breach of this DPA by the Processor, subject to the limitations of liability set forth in the underlying service agreement.
This DPA shall commence on the date the Controller first uses the Emport service and shall remain in effect for the duration of the Controller's use of the service ("Term").
Upon termination or expiration of the service agreement, the Processor shall comply with Section 10 (Data Retention & Deletion) of this DPA.
Sections 5 (Security Measures), 7 (Data Breach Notification), 9 (Audit Rights), 10 (Data Retention & Deletion), and 11 (Liability) shall survive termination of this DPA.
For questions regarding this DPA, to exercise audit rights, or to report a data protection concern:
Data Protection Contact: dpa@emport.io
General Inquiries: contact@emport.io
Entity: Oguz Ozgul Marketing, KVK: 95052992
Response Time: Within 10 business days
Governing Law: This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of laws provisions. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of the Netherlands.