Last updated June 26, 2026
Data Processing Addendum
This DPA applies when Carter processes personal data for a customer as a processor, service provider, contractor, or equivalent service provider.
Roles And Instructions
The customer is the controller, business, or equivalent decision-maker for customer content and customer-controlled personal data. Carter processes that data to provide, secure, maintain, support, analyze, improve, and develop the service; run AI-assisted workflows; generate and validate outputs; maintain logs and audit records; process exports; support sender setup; comply with law; and follow the customer's use of Carter.
Customer Duties
The customer is responsible for lawful basis, notices, consents, rights requests, data accuracy, uploaded content, suppression lists, do-not-contact lists, outreach compliance, sender-account compliance, and instructions given to Carter.
Carter Duties
Carter will process personal data according to documented instructions unless law requires otherwise, use reasonable safeguards, limit personnel access to those with a business need, require confidentiality commitments, assist with legally required rights requests where feasible, and notify the customer of confirmed security incidents as required by law.
Subprocessors, Deletion, And Audits
The customer authorizes Carter to use subprocessors for hosting, storage, database, AI, authentication, email, payment, analytics, observability, security, and support. Carter may retain backups, logs, audit records, billing records, security records, de-identified data, aggregated data, and legally required records after termination. Audit rights are reasonable, limited, and subject to confidentiality, security, and non-disruption requirements.