All Collections
Regulations, privacy, and security
What we’re doing as an organisation to help customers comply with the PDPA
What we’re doing as an organisation to help customers comply with the PDPA

Privacy compliance is an ongoing exercise and we are constantly reviewing and updating our practices.

Gareth Burroughes avatar
Written by Gareth Burroughes
Updated over a week ago

General information

1. Is Dotdigital compliant with the PDPA?

We have taken steps to ensure that we comply with the requirements of the PDPA as an intermediary. These are primarily set out in our data processing addendum (adopted into our terms via


  • We have implemented appropriate security measures to meet the requirements of the Protection Obligation, guaranteed in our contract

  • In accordance with our DPA (Data Processing Agreement), we only engage sub-processors (other organisations we use in order to provide you with the services) with client authorisation and ensure the same obligations are imposed with any sub-processor. This includes ensuring that reasonable steps are taken to ensure the transferred personal data will be afforded the same standard of protection and to safeguard international data transfers (see more detail below).

  • The processing we undertake is governed by a written contract, documenting client instructions and ensuring the confidentiality of data, as well as ensuring compliance with the PDPA (relating to Notification Obligation and Security Obligation as well as assistance with broader compliance)

2. Can we search for personal information on your systems?

Dotdigital holds the data that our users have uploaded with the platform in a database. Our users have full control and access to their data, including the ability to search, import, export, delete and modify the data as needed.

3. Are you maintaining data processing records?

While the PDPA does not prescribe a requirement to maintain processing records, all data uploaded with the platform is kept within the Dotdigital platform and clients have full control of the data within the platform, as outlined above.

4. Who has access to our data?

Clients must maintain their own procedures as to who can access the Dotdigital platform and the data held there.
If you have users that you manage, then you'll probably want to restrict their access within your account. You can do this by editing their permissions.

Dotdigital staff have access to your account to provide support and assist in the provision of the services.

Deletion of data

5. For how long does Dotdigital keep data?

All data is kept until either:

  • You delete it, via the app or the API (see below); or

  • You close your account, where any remaining data is held for 90 days before deletion
    You can optionally choose to expire pending contacts 30 days after our last contact attempt.

6. Can we delete personal information from your systems?

Yes, you can delete data in your account at any time (including when responding to a request from a contact to be deleted).

In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with requests to access data by individuals and requests from individuals to be deleted.

7. Deletion at the end of a contract

At the end of a contract, all client accounts are terminated, and associated data and personal information about contacts is deleted after 90 days. The platform enables clients to delete data during the term of the contract through the platform and in response to a request to be deleted at no extra cost.

8. How is data deleted?

When deleting a contact, the contact will be placed in the account's recycle bin for 30 days (unless manually removed from the recycle bin or in relation to a suppressed contact, which is immediate), after which time they're deleted permanently.

Access to Data

9. What will Dotdigital do if it receives a request to access data from one of our clients?

If we receive a request from one of your contacts under the Access and Correction Obligation, to access the personal information held about them, we will pass on any request to you so that you can manage the request. We may identify you as the organisation controlling that individual’s data.

In December 2017, Dotdigital made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with requests to access data by individuals and requests from individuals to be deleted.

Data Processing Agreement

10. Do your standard contract terms include privacy provisions?

We have updated our terms and conditions to incorporate our data processing agreement (available for review here: This ensures that the processing that we undertake on your behalf is clearly documented by way of a written contract. Our document has been drafted to reflect the bespoke nature of the processing activities that Dotdigital undertakes as an intermediary on your behalf and at your instruction.

11. Does Dotdigital have a Data Processing Agreement?

Yes, we have updated our terms and conditions to incorporate our data processing agreement (available for review here:

If you require a separate hard copy version of this document, please reach out to your account manager or contact

12. I have a Data Processing Agreement – can Dotdigital agree to that?

We understand that our clients have undergone due diligence and may have prepared their own Data Processing Agreements for their suppliers to sign.

However, given the nature of the services Dotdigital provides our clients and the need for processing activities to be documented, we require clients to use Dotdigital’s Data Processing Agreement, as this has been prepared to cover the specific services Dotdigital provides.

Data breach

13. Do you have a documented breach notification process?

Our process for reporting breaches concerning the data of individuals in accordance with the APPs is addressed in our Data Processing Agreement and more specifically addressed in our Incident Reporting Policy.

14. What will Dotdigital do in the event of a data breach?

In relation to the data our clients store with us in our role as an intermediary, we will notify any affected organisation who is a client of a notifiable data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.

In the event of data breach of data relating to our direct clients, we will report any data breach within 72 hours to the PDPC if a breach is likely to result in a high risk to the rights and freedoms of individuals.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Dotdigital will also inform those individuals without undue delay.

Data Protection Officer (DPO)

15. Does Dotdigital have a DPO?

Yes, in accordance with APP 1.2 and recommendations by the Privacy Commissioner.

Dotdigital’s nominated Data Protection Officer is Stephenson Law Limited. Any request may be addressed to them via post or via email:

Stephenson Law Limited,
Desklodge House,
Redcliffe Way,


Third-Party Intermediaries

16. Do any other organisations (including sub-contractors, contractors or consultants) process any of the data provided by our clients on our behalf?

Yes, Dotdigital works with third-party providers/sub-processors for providing the services we offer or storing your data (personal data). Dotdigital uses sub-processors to perform various functions as explained in our Trust Centre.

A sub-processor is a third-party intermediary engaged by Dotdigital, including entities from within the Dotdigital Group, who has or may have access to, or process, client data. Third parties that do not have access to, or process, client data but who are used to provide the services as “subcontractors” are not sub-processors.

17. What steps do you take to safeguard the processing of our data by third-party organisations?

Further to the above, Dotdigital carries out a selection process where we evaluate the data processing practices of any proposed sub-processor that might have access to client data – this includes reviewing their security and privacy practices.

Data protection laws permit sub-processors to be engaged, provided that the equivalent safeguards from client agreements are reflected with these sub-processors and that reasonable steps are taken to ensure any overseas recipient (where applicable) maintain comparable protection in relation to that disclosed personal information.

Dotdigital has entered into contracts with the organisations listed on our Trust Centre to ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations we agree under our DPA, passing down the obligations of the PDPA to ensure that all client data is protected.

18. How does Dotdigital replace or designate a new sub-processor?

The procedure to replace or appoint a new sub-processor is covered within our Data Processing Agreement with our clients.

We will provide you with advance notice of any changes or additions and give you the right to object (provided these are reasonable). Dotdigital will always ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting similar obligations under our DPA and that reasonable steps are taken to ensure any overseas recipient (where applicable) processes data with a comparable level of protection as required under the PDPA.

Storage of data/international data transfer

19. Where is our data stored?

To safeguard the confidentiality, integrity and availability of data, the core Dotdigital platform is hosted on high-security Microsoft Azure data centres. Data for our Singapore clients is held in the Australia East region, with data being backed up to the Australia South East region. All Azure facilities meet a broad set of compliance standards.

The Google Cloud platform is also used for some of Dotdigital’s more processing-intensive features such as Insight data. Client data remains in the same region as the Dotdigital account, i.e. for Dotdigital accounts hosted in our Australia region, the data stored on Google's infrastructure is located in Sydney. Find out more about Google's regions.

In addition to our virtualised infrastructure hosted on Microsoft Azure and the Google Cloud platform, Dotdigital has a physical data centre located in Australia. This connects to Azure via a Virtual Private Network, and is used to send your email campaigns out to the internet. This too holds various accreditations including ISO 27001 and 22301.

Regarding transfers, we commit to clients based in Singapore (in our terms) that data will be hosted and stored at rest within hosting facilities in Australia. Our Trust Centre and DPA outlines our use of sub-processors and any access required from organisations outside of Australia, and our DPA specifies that any processing carried out by sub-processors shall be done so in accordance with appropriate safeguards.

Access to data from outside of Australia is required for two principal reasons: i) for Dotdigital support/technical staff to provide support outside of business hours, and ii) for certain elements of the service (as further specified in our Trust Centre).

20. Dotdigital development and testing platforms

Dotdigital is frequently updating our platform with feature enhancements and additions. We do this in development, testing and staging environments separate to the main platform. No client data is stored in our testing or development environments.

Right to audit Dotdigital

21. To what extent can clients audit Dotdigital's systems?

Dotdigital will facilitate client requests for audits and inspections. The terms of such audits can be found in the Data Processing Agreement in addition to our terms and conditions.

Technical and organisational security measures

22. What security certification do you hold?

Dotdigital maintains Cyber Essential Plus certification and ISO 27001 certification. Full details can be found on our Trust Centre.

23. What technical and organisational security measures does Dotdigital have in place?

Please see our Trust Centre for high-level information on how we protect the confidentiality, integrity and availability of the Dotdigital services and the data held on our platform.

Details of our technical and organisational security measures are provided at:

Business continuity and disaster recovery

24. What business continuity and disaster recovery policies and systems does Dotdigital maintain?

The Dotdigital platform is built using redundancy and load balancing at every level, meaning a single component failure should not result in a service disruption.

Data is backed up to a secondary location, hundreds of miles away, yet still in the same region complying with data protection obligations. In the event of a catastrophic event at the primary facility, the service will be restored in the secondary location.

Did this answer your question?