Station Brand Data Processing Agreement (Brand DPA)

Last Updated: September 27th 2025

Note for Creators: This Data Processing Agreement is specifically for Brands acting as Data Processors for Drop Station as Data Controller. For Podcasters using the Service, a separate Standard Data Processing Agreement for Creators (‘Creator DPA’) will be required, where Drop Station acts as the Data Processor for the Creators’ customer data.

This Standard Data Processing Agreement for Brands ("Brand DPA") is entered into between Drop Station Inc. ("Drop Station," acting as Data Processor), a corporation organized under the laws of Delaware, with its principal place of business in Tennessee, and the Brand ("Data Controller"), effective from the moment the Brand creates an account on the Drop Station platform. It governs the processing of Personal Data provided by the Brand to Drop Station for the purpose of running co-branded campaigns, solely branded campaigns, contests, communities, promo code landing pages, account setups, or other engagement activities with or without podcasters on the Drop Station platform.

This Agreement ensures compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the California Consumer Privacy Act ("CCPA/CPRA"), and other applicable data protection laws. It is an extension of Drop Station's Terms of Service and Privacy Policy, which remain in full effect unless explicitly modified herein. The Brand DPA prevails to the extent necessary to ensure compliance with Data Protection Legislation. Drop Station may act as a Data Controller for its own use of Personal Data for platform services, as outlined in the Privacy Policy.

1. Introduction

For the purposes of this Agreement, the following terms shall have the meanings set forth below:

• "Agreement": This Standard Data Processing Agreement for Brands, including its preamble and all subsequent clauses.

• "Effective Date": The date the Brand account is created, making this Agreement binding.

• "Controller" or "Brand": The Brand utilizing the Drop Station platform to run co-branded campaigns, contests, communities, or engagement activities with podcasters, determining the purposes and means of processing Personal Data for its campaign activities.

• "Data Processor" or “Drop Station”: Drop Station Inc., processing Personal Data on behalf of the Brand for co-branded campaigns and related activities, and acting as an independent Data Controller for its own platform services (including but not limited to fraud prevention, analytics, compliance, and sponsorship facilitation), as disclosed in the Privacy Policy and Terms of Service.

• "Data Protection Legislation": Includes, but is not limited to, GDPR, European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC), the CCPA, and any legislation implementing or replacing them.

• "Data Subject": An identified or identifiable natural person whose Personal Data is processed.

• "Personal Data": Any information relating to a Data Subject processed through the Drop Station platform, as defined in the Drop Station Privacy Policy, including survey responses, contest entries, sponsorship campaign data or community interaction data collected during co-branded campaigns.

• "Processing": Any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, or deletion.

• "Good Industry Practice": Exercising skill, expertise, and judgment equivalent to a skilled provider, complying with Data Protection Legislation and standards like ISO/IEC 27001.

• "Appropriate Technical and Organizational Measures": Measures ensuring security appropriate to the risk, as detailed in Section 6.

• "Subprocessor": Any third party appointed by Drop Station to process Personal Data on behalf of the Brand.

2. Introduction

This Agreement outlines the terms under which Drop Station (Data Processor) processes Personal Data on behalf of the Brand (Data Controller) to facilitate co-branded campaigns, contests, communities, account setups, promo code landing pages, and sponsorship activations conducted through the Station Platform. It ensures compliance with GDPR, CCPA/CPRA, and other applicable data protection laws, protecting Data Subjects’ privacy. Drop Station may also act as a Data Controller for its own use of Personal Data for platform services (e.g., drip campaigns, analytics), as disclosed in the Privacy Policy.

For clarity, Drop Station may also act as a Data Controller for its own platform services as set forth in the Privacy Policy and Terms of Service, including but not limited to platform analytics, fraud detection, payout processing, the Station Sponsor Representative Program, the Creator Sponsorship Agreement, and user account services.

In addition to processing Personal Data for Brand campaigns, Drop Station also processes such data for the ongoing use of the associated Creator (show) and for Drop Station’s independent platform purposes, including sponsor matching, targeting, enrichment, analytics, and fraud prevention, as disclosed in the Privacy Policy.

These sponsorship and representative features are part of Station’s and the Creator’s independent Controller activities and do not create additional obligations for the Brand beyond this DPA and the Terms of Service.

3. Scope And Role Of The Parties

Roles of Drop Station: Drop Station provides the technical infrastructure and tools for Brands to run co-branded campaigns, contests, communities, or engagement activities with podcasters. As Data Processor, Drop Station processes Personal Data solely on the basis of the Brand’s documented instructions for brand-related activities. As Data Controller, Drop Station processes Personal Data for its own platform services, including but not limited to sponsorship and advertising features under the Creator Sponsorship Agreement and the Station Sponsor Representative Agreement, sponsor matching, targeting and personalization on the platform (subject to consent or opt-out where required), enrichment of demographic data, fraud monitoring, analytics, payout processing, and compliance obligations, as disclosed in the Privacy Policy and Terms of Service.

Roles of Brands: Brands act as Data Controllers, determining the purposes and means of processing Personal Data for their specific campaigns, contests, or promotions. Brands ensure lawful processing and compliance with Data Protection Legislation, and acknowledge that Personal Data collected through campaigns may also be retained and further processed by the associated Creator and Drop Station as independent Controllers for ongoing audience engagement, sponsor matching, targeting/personalization (subject to consent or opt-out), and platform services, as disclosed in the Privacy Policy.

Roles of Podcasters: Podcasters, as Data Controllers per the Standard Data Processing Agreement for Creators, determine the purposes and means of processing Personal Data for their audience in co-branded campaigns. Drop Station processes data on behalf of podcasters for these activities.

Purpose of Data Processing: To enable Brands and podcasters to run co-branded campaigns, contests, communities, or engagement activities, including processing survey responses, contest entries, or community interaction data to enhance user engagement and marketing. Drop Station may use this data for its own platform services as an independent Controller, as disclosed in the Privacy Policy.

Responsibilities of Drop Station: Implement technical and organizational measures to ensure GDPR/CCPA/CPRA compliance, maintain data security, and assist Brands with data subject requests and regulatory obligations as a Processor. As a Controller, Drop Station ensures compliance for its own processing activities.

Responsibilities of Brands: Provide lawful instructions for processing, ensure compliance with Data Protection Legislation, notify Drop Station of any changes to processing purposes for co-branded campaigns and acknowledge the non-circumvention obligations in the Station Sponsor Representative Agreement and Terms of Service (i.e., Brands may not bypass Drop Station when introduced to podcasters through the platform).

Collaboration: All parties collaborate to ensure compliance, including responding to Data Subject requests and regulatory inquiries.

Records of Processing: Drop Station maintains records of processing activities per GDPR Article 30, available to the Brand upon request.

4. Processing Instructions

1. Drop Station processes Personal Data only on the basis of the Brand’s documented instructions for co-branded campaigns, contests, communities, or engagement activities, unless required by applicable law, in which case Drop Station notifies the Brand beforehand (unless prohibited by law) or where necessary for Drop Station’s independent Controller purposes (e.g., fraud prevention, analytics, payout processing, sponsor matching, targeting and personalization on the Station Platform [subject to consent or opt-out where required], enrichment of demographic and engagement data, or compliance) as disclosed in the Privacy Policy and Terms of Service.

2. Drop Station ensures personnel processing Personal Data are bound by confidentiality obligations.

3. Drop Station limits processing to activities necessary for co-branded campaigns, contests, communities, or engagement, as instructed by the Brand, except for its own Controller activities as expressly described in the Privacy Policy, Terms of Service, or related agreements (including the Creator Sponsorship Agreement and Station Sponsor Representative Agreement).

4. If Drop Station believes instructions breach GDPR/CCPA/CPRA, it notifies the Brand immediately and awaits further instructions, but may take interim measures to ensure compliance with law, protect the rights of Data Subjects, the associated Creator, or safeguard the integrity of the Station Platform.

5. For clarity, Brands acknowledge that their instructions cannot override Drop Station’s independent Controller obligations, which include lawful platform operation, preventing fraud, sponsor matching, targeting/personalization (subject to consent or opt-out), enrichment of demographic data, complying with tax and payment obligations, and meeting applicable privacy requirements. These obligations remain with Drop Station and do not create additional responsibilities for the Brand.

5. Confidentiality

Drop Station treats Personal Data as confidential, disclosing it only as instructed by the Brand or required by law, or as necessary for Drop Station’s independent Controller activities (including platform analytics, fraud prevention, payout processing, and sponsorship facilitation) as disclosed in the Privacy Policy and Terms of Service. Access is limited to authorized personnel and subprocessors bound by confidentiality obligations. Drop Station implements Appropriate Technical and Organizational Measures to ensure confidentiality and notifies the Brand of any breaches within the timelines required under applicable Data Protection Legislation (generally within 72 hours). Confidentiality obligations survive termination, provided that Drop Station may continue to process Personal Data where it acts as an independent Data Controller, subject to the Privacy Policy.

6. Security Measures

Station implements Appropriate Technical and Organizational Measures to protect Personal Data, including:
• Control Access: Restrict access to authorized personnel with proper authentication.
• Minimize Data: Process only the Personal Data necessary for the Brand’s purposes or Station’s platform services.
• Encrypt Data: Encrypt Personal Data in transit and at rest.
• Manage Incidents: Detect, respond to, and notify the Brand of data breaches within 72 hours of becoming aware, unless prohibited by law.
• Conduct Audits: Review security measures regularly to ensure compliance.
• Train Personnel: Provide ongoing data protection and security training.
• Secure Facilities: Maintain physical controls over access to systems handling Personal Data.
• Embed Privacy by Design: Integrate data protection into systems and workflows in line with GDPR Article 25.
By implementing these measures, Station agrees to safeguard Personal Data and mitigate the risk of unauthorized access, loss, or misuse to the best of its abilities within its operational and financial capacities.

7. Sub-Processing

• Drop Station may engage Subprocessors, subject to obligations equivalent to this Agreement and consistent with applicable Data Protection Legislation.
• Drop Station maintains an updated Subprocessor list, referenced in the Privacy Policy or available to the Brand upon request.
• Drop Station notifies the Brand of new Subprocessors, allowing 30 days for objections. If the Brand objects to a proposed Subprocessor within the 30-day period, Drop Station shall not engage that Subprocessor and shall work with the Brand to find an alternative that meets the Brand’s requirements.
• Drop Station remains liable for Subprocessors’ compliance.
• The Brand may not engage Subprocessors without Drop Station’s consent, ensuring equivalent obligations.

8. Data Subject Rights

Drop Station assists the Brand in responding to Data Subject requests (e.g., access, erasure, portability) per GDPR/CCPA/CPRA for co-branded campaigns, contests, sponsorships, or community engagement data, including:

• Promptly notifying the Brand of direct requests.
• Providing relevant information to comply with requests within the timelines required by GDPR (e.g., one month for most requests), or CCPA/CPRA (45 days, extendable by law).
• Ensuring secure data transmission.
• Facilitating data portability in a machine-readable format per GDPR Article 20.
• Keeping records of all Data Subject requests and measures taken for compliance and auditing purposes.

Drop Station ensures compliance with these obligations as a Processor and acknowledges that failure to comply may subject both parties to legal and regulatory consequences. As a Controller, Drop Station handles data subject requests for its own processing activities in accordance with the Privacy Policy and applicable law.

9. Data Retention And Deletion

• Retention Periods: Drop Station retains Personal Data collected through co-branded or solely branded campaigns, including surveys, contest entries, sponsorship activations, and promo code landing pages, not only for the Brand’s campaign purposes but also for the ongoing use of the associated Creator (show) and for Drop Station’s independent platform purposes such as sponsor matching, targeting and personalization on the platform (subject to user consent or opt-out where required by law), enrichment of demographic and engagement data, analytics, and fraud prevention, as disclosed in the Privacy Policy. Personal Data is therefore not automatically deleted at the end of a campaign, but may be retained as long as necessary to support these purposes, subject to applicable law.

• Data Deletion Requirements Post-Association: Upon termination of the Brand’s account or campaign completion, Drop Station deletes or anonymizes Personal Data processed solely on behalf of the Brand within 60 days for co-branded campaigns or 30 days for solely branded campaigns, including promo code landing pages, and will certify compliance in writing upon request, unless retention is required by applicable law (e.g., for legal compliance, archiving, or fraud prevention). Drop Station may continue to retain and process Personal Data beyond these periods for the ongoing use of the associated Creator (show) and for Drop Station’s independent Controller purposes, including sponsor matching, targeting and personalization on the platform (subject to user consent or opt-out where required by law), enrichment of demographic and engagement data, analytics, and fraud prevention, as disclosed in the Privacy Policy.

• Ongoing Obligations: Retained data is securely stored and used only for lawful purposes, including future sponsor matching, audience engagement, targeted personalization (subject to user consent or opt-out), and demographic enrichment. All processing remains subject to applicable Data Protection Legislation, including GDPR rights to object or withdraw consent and CCPA/CPRA rights to opt out of the sale or sharing of Personal Data.

10. International Data Transfers

Drop Station is headquartered in the United States. Where Personal Data is transferred from the EU/EEA, Switzerland, or the United Kingdom to the United States or another jurisdiction without an adequacy decision, Drop Station shall ensure that such transfers are conducted in compliance with applicable Data Protection Legislation through one of the following mechanisms:

• EU–U.S. Data Privacy Framework (DPF): If Drop Station has self-certified under the DPF (and the UK Extension/Swiss Framework, where applicable), such certification shall serve as the transfer mechanism.
• Standard Contractual Clauses (SCCs): If Drop Station is not certified under the DPF, or where SCCs are otherwise required, Drop Station shall implement the European Commission’s SCCs (and, where applicable, the UK’s International Data Transfer Addendum or Swiss Addendum). The SCCs shall be incorporated by reference as an annex to this Agreement.
• Other lawful mechanisms: Where neither of the above applies, Drop Station may rely on another lawful basis under GDPR/UK GDPR (e.g., explicit consent of the Data Subject, or necessity for the performance of a contract).

Drop Station:
• Maintains transfer documentation, available upon request.
• Notifies the Brand of transfers for co-branded or solely branded campaign data, including promo code landing pages.
• Ensures that transfers of California residents’ data comply with CCPA/CPRA, preventing unauthorized data sharing without opt-out mechanisms.
• Remains responsible for implementing lawful safeguards for international transfers; Brands remain responsible for ensuring their own use of Personal Data complies with applicable law.

Drop Station reserves the right to request additional information or documentation to verify compliance with this clause and may object to data transfers that do not meet the stipulated requirements.

11. Data Breach Notification

In the event of a Personal Data breach affecting Brand data, Drop Station shall notify the Brand without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of the breach. If notification cannot be provided within 72 hours, Drop Station shall provide the reasons for the delay and deliver the required information as soon as reasonably possible:
• A description of the nature of the data breach, including categories and approximate number of Data Subjects/records affected.
• Contact details for further information.
• Likely consequences.
• Measures taken to mitigate effects.
Drop Station assists with regulatory notifications and maintains breach records. Drop Station cooperates fully with the Brand in investigating the breach, preparing notifications, and mitigating impacts. As a Controller, Drop Station handles breach notifications for its own processing activities.

12. Audits And Compliance

The Brand may audit Drop Station’s compliance with this Agreement for co-branded or solely branded campaign processing with reasonable notice. Drop Station provides documentation and access to records/personnel necessary to demonstrate compliance with applicable Data Protection Legislation for its role as a Processor. Drop Station addresses any non-compliance promptly.

The Brand may review security measures to ensure alignment with GDPR/CCPA/CPRA standards. Audits shall be conducted in a manner that minimizes disruption to Drop Station’s business operations and shall not extend to Drop Station’s independent Controller activities (e.g., sponsor matching, targeting/personalization, analytics, or fraud prevention), which are subject to oversight under the Privacy Policy and Terms of Service.

13. Indemnification

Drop Station indemnifies the Brand against claims arising from:
• Breach of this Agreement in its capacity as a Processor.
• Non-compliance with Data Protection Legislation for Processor activities performed on behalf of the Brand.
• Unauthorized data processing by Drop Station personnel or subprocessors on behalf of the Brand.

This indemnification does not apply to claims arising from:
• The Brand’s negligence, misconduct, or failure to comply with Data Protection Legislation.
• The Brand’s independent Controller activities (e.g., its own use of Personal Data outside the Service).
• Drop Station’s independent Controller activities (including sponsor matching, targeting/personalization, analytics, fraud prevention, or advertising services), which are governed by the Privacy Policy, Terms of Service, and applicable agreements.

14. Limitation Of Liability

Neither party shall be liable to the other party, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, business opportunities, goodwill, anticipated savings, or data.

Notwithstanding anything to the contrary in this Agreement, the aggregate liability of either party arising out of or in connection with this Agreement, whether in contract, tort, or under any other theory of liability, shall not exceed the greater of (a) the total fees paid or payable by the Brand to Drop Station under this Agreement in the three (3) months preceding the event giving rise to the claim, or (b) one hundred U.S. dollars (USD $100).

This limitation of liability does not exclude or limit the liability of either party for fraud, gross negligence, death or personal injury caused by its negligence, or any other liability to the extent that such liability cannot be limited or excluded under applicable law. For clarity, Drop Station’s liability under this Agreement applies only to its activities as a Data Processor; its activities as an independent Data Controller are governed exclusively by the Privacy Policy, Terms of Service, and applicable agreements.

15. Termination

Upon termination of this Agreement:
• Drop Station shall cease all processing of Personal Data on behalf of the Brand.
• Drop Station shall delete or anonymize all Personal Data processed solely for the Brand within 60 days for co-branded campaigns or 30 days for solely branded campaigns, including promo code landing pages, certifying compliance in writing, unless retention is required by applicable law (e.g., for legal compliance, archiving, or fraud prevention).
• Confidentiality obligations shall survive termination.
• Drop Station shall cooperate with the Brand to facilitate the transition of any remaining data or services, as reasonably requested by the Brand.
• Customer lists and Personal Data collected through campaigns will not be deleted, and may continue to be retained and used for the ongoing use of the associated Creator (show) and for Drop Station’s independent Controller purposes (e.g., sponsor matching, targeting/personalization subject to consent or opt-out, demographic enrichment, analytics, fraud prevention), as disclosed in the Privacy Policy.

16. Miscellaneous

a. Governing Law and Jurisdiction: This Agreement shall be governed by and construed in accordance with the laws of the State of Tennessee, without regard to its conflict of laws principles. Any disputes arising out of or in connection with this Agreement shall be resolved exclusively in the state or federal courts located in Tennessee. However, the Parties acknowledge that applicable Data Protection Legislation (including GDPR) and its supervisory authorities retain jurisdiction over data protection matters, irrespective of the governing law specified herein.
b. Amendments: This Agreement may be amended only in writing and when signed by duly authorized representatives of both parties. No modification, alteration, or waiver of any provisions hereof shall be valid unless made in writing and signed by both parties hereto.
c. Severability: If any provision of this Agreement is found to be unenforceable or invalid, such provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.
d. Reference to Drop Station’s Privacy Policy and Terms of Service: The Brand acknowledges and agrees that their processing of Personal Data is subject to Drop Station’s Terms of Service and Privacy Policy, which are incorporated herein by reference. In the event of conflict, this Agreement shall prevail with respect to Processor obligations, while the Terms of Service and Privacy Policy govern Drop Station’s independent Controller activities.
e. Force Majeure: Neither party shall be liable for any failure or delay in performing its obligations under this Agreement if such failure or delay is due to circumstances beyond its reasonable control, including but not limited to acts of God, war, terrorism, labor disputes, or governmental actions. The affected party shall notify the other party of the force majeure event promptly and take all reasonable steps to mitigate its effects.

17. Data Protection Officer (DPO)

Drop Station shall appoint a Data Protection Officer (DPO) (or, where a DPO is not legally required, a designated privacy lead) responsible for overseeing data protection compliance. Where legally required, Drop Station will also appoint an EU/UK Representative. Contact details for the DPO and, if applicable, the EU/UK Representative will be maintained in the Privacy Policy, which serves as the primary point of reference for Brands and data subjects.

18. Data Protection Impact Assessments (DPIAs)

Drop Station shall assist the Brand with DPIAs as required under GDPR Article 35, limited to co-branded or solely branded campaign processing where Drop Station acts as Processor. Assistance may include providing available information on Drop Station’s systems, security measures, and processing activities to enable the Brand to assess and mitigate risks.

Drop Station shall contribute to DPIA documentation and ensure timely cooperation for high-risk processing activities where the Brand is Controller. For clarity, DPIAs related to Drop Station’s independent Controller activities (e.g., sponsor matching, targeting/personalization, demographic enrichment, analytics, fraud prevention) shall be the sole responsibility of Drop Station and are addressed through its Privacy Policy and internal compliance program.

19. Data Subject Interaction

Drop Station does not generally communicate directly with Data Subjects for co-branded campaign data unless authorized by the Brand. However, Drop Station may contact Data Subjects directly where necessary to operate the campaign or fulfill related obligations (e.g., verifying eligibility, awarding prizes or rewards, fraud prevention, or compliance checks).

In all other cases, requests are directed to the Brand, and if authorized, Drop Station assists in responding to requests in compliance with Data Protection Legislation.

For clarity, where Drop Station acts as an independent Controller (e.g., platform account data, sponsor matching, targeting/personalization, demographic enrichment, analytics, fraud prevention), Drop Station may communicate directly with Data Subjects and fulfill their requests in accordance with the Privacy Policy and applicable law.

20. Data Localization

Where localization is legally required (e.g., certain jurisdictions mandating local storage), Drop Station will implement the necessary measures. Brands remain responsible for ensuring their own use of Personal Data complies with any localization requirements specific to their industry or region.

Annex I: Standard Contractual Clauses (SCCs)

Application of SCCs

Where Drop Station transfers Personal Data from the EU/EEA, Switzerland, or the United Kingdom to a country not deemed adequate by the relevant authority, and where Drop Station has not self-certified under the EU–U.S. Data Privacy Framework (or equivalent UK/Swiss extensions), the European Commission’s Standard Contractual Clauses (SCCs) (Controller–Processor module) and, where applicable, the UK’s International Data Transfer Addendum and the Swiss Addendum, shall apply and are hereby incorporated into this Agreement by reference.

Annex I, Section A – List of Parties
• Data Exporter (Brand):
Name: [Insert Brand Name]
Address: [Insert Brand Address]
Role: Data Controller
• Data Importer (Drop Station):
Name: Drop Station Inc.
Address: 917 E 16th St, Chattanooga, TN 37408, United States
Contact: legal@dropstation.io
Role: Data Processor / Independent Controller (as described in this Agreement)

Annex I, Section B – Description of Transfer
• Categories of Data Subjects: Brand’s customers, campaign participants, contest entrants, community members.
• Categories of Personal Data: Name, contact information, survey responses, contest entries, sponsorship engagement data, community interaction data, and any other Personal Data provided in connection with Brand campaigns.
• Special Categories of Data: None anticipated.
• Frequency of Transfer: Continuous as needed for the provision of services.
• Nature of Processing: Hosting, storage, analysis, communication, sponsorship facilitation, and campaign fulfillment.
• Purpose of Transfer: To provide the services described in the Agreement.
• Retention: As specified in Section 9 of this Agreement.

Annex I, Section C – Competent Supervisory Authority
• For EU transfers: The supervisory authority in the Member State where the Brand is established.
• For UK transfers: The UK Information Commissioner’s Office (ICO).
• For Swiss transfers: The Federal Data Protection and Information Commissioner (FDPIC).

Annex II – Technical and Organizational Measures
Drop Station’s security measures are set forth in Section 6 of this Agreement, which is incorporated here by reference.

Annex III – List of Subprocessors
Drop Station’s current subprocessors are listed at https://dropstation.io/subprocessors