beehiiv Customer Data Protection Addendum
Date last modified: April 30, 2026
This Data Protection Addendum (“DPA”) forms part of the terms entered into by and between you (“Customer”) and beehiiv Inc. (“beehiiv”) pursuant to the Terms of Use or other ordering agreement under which beehiiv provides Services to you (the “Agreement”). beehiiv and Customer may each be referred to as a “Party” or collectively as the “Parties”.
Definitions
In this DPA:
“Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) beehiiv as provider of the Services or (ii) Customer as user of the Services. For example, to the extent applicable, this includes the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); equivalent requirements in the United Kingdom, including the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK Data Protection Law”); the Swiss Federal Act on Data Protection (“Swiss FADP”); the California Consumer Privacy Act, as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”); as well as U.S. state laws similar to the CCPA, such as the Virginia Consumer Data Protection Act; the Colorado Privacy Act and related regulations; the Connecticut Act Concerning Personal Data Privacy and Online Monitoring; the Utah Consumer Privacy Act; the Texas Data Privacy and Security Act; the Oregon Consumer Privacy Act; the Florida Digital Bill of Rights; the Montana Consumer Data Privacy Act; the Iowa Consumer Privacy Act; the Tennessee Information Protection Act; the Indiana Consumer Data Protection Act; the New Jersey Privacy Act; the New Hampshire Privacy Act; the Delaware Personal Data Privacy Act; the Kentucky Consumer Data Protection Act; the Nebraska Data Privacy Act; the Minnesota Consumer Data Privacy Act; the Maryland Online Data Privacy Act; and the Rhode Island Data Transparency and Privacy Protection Act (together with the CCPA, as they become effective, the “U.S. State Privacy Laws”).
“Designated Contact Address” means Customer's administrative email address provided when entering into the Agreement.
“Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies), any information that qualifies as “personal information” under the CCPA (regardless of whether the CCPA applies) and any other information defined as “personal information,” “personal data,” or an analogous term in Applicable Law, in each case that is processed on behalf of the Customer to provide the Service.
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, disclosure or other Processing of, or access to, Personal Data.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, creation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” has the meaning ascribed to such term in the Agreement.
“Standard Contractual Clauses” refers to the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
“Subprocessor” means a subcontractor engaged by beehiiv for the Processing of Personal Data.
“UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 24 June 2025 at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf), completed as described in the “Data Transfers” section below.
For ease of reading, some other terms are defined later in the DPA.
Scope, Relationship of the Parties, and Data Use Limitations
This DPA applies only to the Personal Data the Services receive from or on behalf of Customer through Customer's use of the Services in compliance with the Agreement.
For such Personal Data, Customer is (or represents that it is acting with full authority on behalf of) the Controller, and beehiiv is Customer's Processor. If Customer is acting on behalf of a Controller (or on behalf of intermediaries such as other Processors of the Controller), then, to the extent legally permissible:
- Customer will serve as the sole point of contact for beehiiv with regard to any such third parties;
- beehiiv need not interact directly with any such third party in matters relating to this DPA; and
- Where beehiiv would otherwise be required to provide information, assistance, cooperation, or anything else to such third party, beehiiv may provide it solely to Customer; but
- beehiiv is entitled to follow the instructions of such third party with respect to such third party's Personal Data instead of Customer's instructions if beehiiv reasonably believes this is legally required under the circumstances.
Unless required by Applicable Law, beehiiv will Process the Personal Data only to (i) provide and ensure the proper operation of the Services consistent with the Agreement (such as for the detection and prevention of spam and other fraud); and (ii) carry out Customer's reasonable written instructions that are consistent with the Agreement. Without limiting the foregoing, beehiiv:
- shall not “sell” the Personal Data, as such term is defined in the U.S. State Privacy Laws (regardless of whether such laws apply);
- shall not “share” the Personal Data, as such term is defined in the CCPA (regardless of whether the CCPA applies) or otherwise disclose it for targeted advertising purposes;
- shall not retain, use, or disclose any such data outside of the direct business relationship between Customer and beehiiv, or for any purpose (including any commercial purpose) other than the limited business purposes specified in this DPA and as permitted by Applicable Law;
- shall comply with any applicable restrictions under Applicable Law on combining the Personal Data that beehiiv receives from, or on behalf of, Customer with Personal Data that beehiiv receives from, or on behalf of, another person or persons, or that beehiiv collects from any other interaction between beehiiv and a data subject;
- shall provide the same level of protection for the Personal Data subject to the CCPA as is required of businesses under the CCPA; and
- hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
If Applicable Law requires beehiiv to engage in Processing not permitted by the above, beehiiv will first inform Customer of the relevant legal requirement unless Applicable Law prohibits such notification. beehiiv will notify Customer as soon as legally permissible if, for any other reason, beehiiv determines that beehiiv can no longer meet its obligations under Applicable Law.
Customer has the right to take reasonable and appropriate steps to (a) exercise its rights under the Compliance Verification and Audits section of this DPA to ensure that beehiiv is using the Personal Data consistent with Customer's obligations under Applicable Law, and (b) stop and remediate unauthorized use by beehiiv of the Personal Data by terminating the Agreement pursuant to its provisions for termination for cause and by requesting deletion of the Personal Data and certification of such deletion pursuant to the Data Return and Destruction section of this DPA.
Customer is responsible for providing any legally required notices to the individual, obtaining any legally required consents from the individual, and taking any other steps required by Applicable Law, to enable Customer to lawfully use the Services, including as set forth in the Agreement. Customer shall not submit to the Services any Personal Data that is not reasonably necessary for Customer's use of the Services.
For the Personal Data, Customer is a “Controller” and beehiiv Processes it for Customer as a “Processor” as such terms are defined in the U.S. State Privacy Laws and in the GDPR, and, to the extent the CCPA applies, Customer is the “business” and beehiiv is Customer's “service provider” as such terms are defined in the CCPA.
Confidentiality and Training
beehiiv will ensure that the persons beehiiv authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data.
Security
beehiiv will comply with its security obligations under Applicable Law. beehiiv will assist Customer in Customer's compliance with such obligations by implementing the measures set forth in Schedule B. beehiiv may, without notice to Customer, make future replacements or updates to the measures that do not materially lower the level of security provided for the Personal Data. beehiiv is not responsible for any losses that arise from Customer's failure to use optional security features or optional security configurations of the Services.
Subprocessors
beehiiv may subcontract the collection or other Processing of Personal Data (i) only in compliance with Applicable Law regarding subprocessing, (ii) only with Customer's consent and (iii) only if beehiiv has imposed contractual obligations on the Subprocessor that are substantially the same as, or more restrictive than, those imposed on beehiiv under this DPA.
Current Subprocessors are listed at subprocessors.beehiiv.com/sub-processor-list. Customer consents to all Subprocessors on such list as of the date this DPA is entered into between the Parties. Unless exigent circumstances require a new Subprocessor to begin Processing Personal Data earlier, beehiiv will notify Customer (“Subprocessor Notification”) at least 15 days prior to giving the Subprocessor access to the Personal Data (the “Subprocessor Notification Period”) by (i) updating that webpage and (ii) if Customer has subscribed on that page to email notifications, by emailing a notification to the email address supplied there by Customer.
Customer's sole recourse if it objects to a Subprocessor will be to terminate Customer's subscription to the Services within ten (10) days from the date of the Subprocessor Notification. Following such termination, Customer will be entitled to a refund of unused prepaid fees only if (a) beehiiv breached its obligation to maintain the requisite contract provisions with the Subprocessor, (b) beehiiv breached its obligation to conduct an annual security review of the Subprocessor, or (c) the Agreement otherwise provides for a refund. This is without prejudice to any right Customer may have under the Agreement to termination for breach of contract. Customer is deemed to consent to the new Subprocessor if Customer does not terminate the subscription as set forth above.
beehiiv remains liable for its Subprocessors' acts and omissions to the same extent beehiiv is liable for its own, consistent with the limitations of liability set forth in the Agreement.
Assistance Responding to Individuals' Requests to Exercise Rights
Customer authorizes beehiiv to honor individuals' requests to unsubscribe from Customer's mailing lists that are operated through the Services. beehiiv shall reflect the unsubscribe action within the Services. Nothing herein shall require beehiiv to send an email to an individual whom beehiiv reasonably believes has unsubscribed from such email.
Other than routine unsubscribe requests, which beehiiv may handle as set forth in the preceding paragraph, if beehiiv receives a request from an individual or their representative for Customer to honor Personal Data-related rights under Applicable Law (a “Data Subject Request”), such as rights to access, correct, or delete their Personal Data, or a Personal Data-related complaint from an individual or their representative, and the communication identifies Customer, beehiiv will forward the communication to Customer at the Designated Contact Address:
- as soon as commercially practicable; but
- no later than within 5 days of receipt if the communication arrives via [email protected] or any other contact method specified in the privacy policy on beehiiv's website.
Customer will be responsible for lawfully addressing the Data Subject Request, and beehiiv will provide prompt, reasonable cooperation to Customer, taking into account the nature of the Services, and the information available to beehiiv.
Personal Data Breach Notification
beehiiv will comply with the Personal Data Breach-related obligations applicable to it under Applicable Law. beehiiv will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Personal Data Breach without undue delay and in any event within 72 hours of becoming aware and by otherwise complying with this “Personal Data Breach Notification” section of the DPA.
beehiiv will provide such notification to Customer at the Designated Contact Address.
Such notification is not an acknowledgement of fault or responsibility. The notification will include beehiiv's then-current assessment of the following:
- The nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- The likely consequences of the Personal Data Breach; and
- Measures taken or proposed to be taken by beehiiv to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
Assistance with DPIAs and Consultation with Supervisory Authorities
beehiiv will provide reasonable assistance to and cooperation with Customer, taking into account the nature of the Services and information available to beehiiv for (i) Customer's performance of any data protection impact assessment of the Processing or proposed Processing of the Personal Data involving beehiiv, and (ii) related consultation with supervisory authorities.
Data Return and Destruction
beehiiv will destroy all Personal Data within 30 days after the termination of the Agreement, except to the extent Applicable Law requires storage of the Personal Data.
In the event of legally required retention, (i) beehiiv will retain Personal Data only as required by Applicable Law and will retain it only as long as is required, (ii) during the retention period, beehiiv will refrain from Processing the Personal Data other than as required by Applicable Law and will continue to comply with this DPA with respect to the Personal Data, to the extent permitted by Applicable Law, and (iii) beehiiv will promptly destroy the Personal Data when Applicable Law no longer requires its retention.
beehiiv will provide certification of the destruction upon request.
Compliance Verification and Audits
beehiiv will make available to Customer all information necessary to demonstrate compliance with the audit and information obligations imposed on processors under Article 28 of GDPR (“Article 28 Requirements”). To this end, beehiiv will provide written responses to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm beehiiv's compliance with Article 28 Requirements, provided that Customer may not exercise this right more than once during any twelve (12) month period. If the requested audit scope is addressed in an industry-standard report issued by an independent third party auditor or security tester within the then-prior 12 months, and beehiiv provides a summary of such report to Customer and confirms that there are no known material changes in the controls audited or tested, Customer agrees to accept the findings presented in the summary report in lieu of requesting an audit of the same controls covered by the report. Nothing herein will require beehiiv to disclose or make available: (i) any data of any other customer of beehiiv; (ii) access to systems; (iii) beehiiv's internal accounting or financial information; (iv) any trade secret of beehiiv; (v) any information or access that, in beehiiv's reasonable opinion, could (a) compromise the security of beehiiv systems or premises; or (b) cause beehiiv to breach its obligations under applicable law or applicable contracts; or (vi) any information sought for any reason other than the good faith fulfilment of Customer's obligations under Applicable Law to audit compliance under this DPA.
Any information that Customer receives under this Section is Confidential Information of beehiiv.
Data Transfers
Customer authorizes beehiiv to make international transfers of the Personal Data only if (i) Applicable Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.
To the extent legally required, the Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth further below in this Section, they will be deemed completed as follows:
- Customer, the exporter, acts as a controller and beehiiv, the importer, acts as Customer's processor with respect to the Personal Data subject to the Standard Contractual Clauses, and Module Two of the Standard Contractual Clauses applies. Their contact information is set forth in Schedule A.
- Clause 7 (the optional docking clause) is included.
- Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth at subprocessors.beehiiv.com/sub-processor-list, and beehiiv shall update that list at least 5 days in advance of any intended additions or replacements of sub-processors.
- Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
- Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.
- Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
- Annexes I and II of the Standard Contractual Clauses are set forth in Schedule A of the DPA.
- Annex III of the Standard Contractual Clauses (List of subprocessors) is available at subprocessors.beehiiv.com/sub-processor-list.
With respect to Personal Data for which UK Data Protection Law governs the transfer, to the extent legally required, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCC Addendum):
- Table 1 of the UK SCC Addendum: The Parties, their details, and their contacts are those set forth in Schedule A.
- Table 2 of the UK SCC Addendum: the “Approved EU Standard Contractual Clauses” shall be the Standard Contractual Clauses as set forth in the preceding Section of this DPA.
- Table 3 of the UK SCC Addendum: Annexes I(A), I(B), and II are in Schedule A of the DPA, and Annex III is at subprocessors.beehiiv.com/sub-processor-list.
- Table 4 of the UK SCC Addendum: neither party may exercise the right set forth in Section 19 of the UK SCC Addendum.
With respect to Personal Data for which the Swiss FADP governs the transfer, the Standard Contractual Clauses have the following differences to the extent required by the Swiss FADP:
- References to the GDPR in the Standard Contractual Clauses are to be understood as references to the Swiss FADP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
- The term “member state” in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
- Under Annex I(C) of the Standard Contractual Clauses (Competent supervisory authority):
- Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
- Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
Schedule A
Annexes I and II of the Standard Contractual Clauses
ANNEX I
LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s):
- Name: Customer, as specified in the Agreement.
- Address: as provided by Customer in connection with entering into the Agreement.
- Contact person's name, position and contact details: as set forth in the Agreement.
- Activities relevant to the data transferred under these Clauses: Use of the importer's Services.
- Signature and date: as set forth in the Agreement.
- Role (controller/processor): Controller.
Data importer(s):
- Name: beehiiv Inc.
- Address: 228 Park Avenue S. # 29976, New York, New York 10003.
- Contact person's name, position and contact details: [email protected].
- Activities relevant to the data transferred under these Clauses: The importer will provide the Services.
- Signature and date: as set forth in the Agreement.
- Role (controller/processor): Processor.
DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
- Categories of data subjects whose personal data is transferred: Customer's readers, listeners, website visitors, email list members and/or others to whom Customer sends content using the Services (“Customer's Users”).
- Categories of personal data transferred: The personal data of Customer's Users may include name, email address, IP address, geo-location, device data, acquisition sources/attribution data, opens and clicks, avatar images and the responses to polls/surveys conducted by Customer using the Services. It is understood that Customer and Customer's Users are not permitted to and shall not transfer sensitive personal information, such as social security numbers, protected health information, payment information and similar information into the Services.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not applicable.
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.
- Nature of the processing: beehiiv provides the Services, as that term is defined in the Agreement to which this DPA is attached.
- Purpose(s) of the data transfer and further processing: Provision of the Services to Customer.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The duration of the data processing under this DPA is during the term of the Agreement and 30 days thereafter.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Provision of the Services to Customer as set forth in the DPA.
COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13: The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons: See Schedule B immediately below.
Schedule B
Information Security Addendum
beehiiv has established and agrees to maintain a written information security and privacy program (the “Information Security Program”) designed to comply with this Information Security Addendum and Applicable Law.
As part of its Information Security Program, beehiiv has implemented and agrees to maintain administrative, technical, and physical security safeguards designed to protect the confidentiality, integrity, and availability of Personal Data, including but not limited to:
Administrative and Organizational Safeguards
beehiiv maintains policies and procedures for the security of Personal Data, including the following:
- Written information security policies that set forth beehiiv's procedures with regard to maintaining the safeguards set forth in this Information Security Addendum.
- An incident response plan, which sets forth beehiiv's procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
- beehiiv conducts regular assessments of the risks and vulnerabilities to the confidentiality and security of Personal Data.
- beehiiv regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
- beehiiv has appointed an individual to oversee and manage its Information Security Program and lead the response to any Personal Data Breach.
- beehiiv maintains role-based access restrictions for its systems, including restricting access to only those beehiiv staff members that require access to perform the beehiiv Services or to facilitate the performance of such beehiiv Services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
- beehiiv periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for beehiiv staff that no longer need such access.
- beehiiv assigns unique usernames to authorized beehiiv staff and requires that beehiiv staff's passwords satisfy minimum length and complexity requirements.
- beehiiv regularly provides training to staff, as relevant for their roles, on confidentiality and security.
- beehiiv requires relevant beehiiv staff to acknowledge beehiiv's Information Security Program annually.
- beehiiv has a policy in place to address violations of its Information Security Program.
Technical Security
- beehiiv logs certain system activity, including authentication events and changes in authorization and access controls.
- beehiiv maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, and anti-virus and malware protection software.
- beehiiv has implemented workstation protection policies for its systems, including automatic logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
- beehiiv requires multi-factor authentication on key systems for workforce members acting as administrative users.
- beehiiv conducts periodic vulnerability scans and assessments on systems storing, processing, or transmitting Personal Data to identify potential vulnerabilities and risks to Personal Data.
- beehiiv remediates identified vulnerabilities in a risk-prioritized manner, including by applying manufacturer- and developer-recommended security updates and patches to systems and software storing, transmitting, or otherwise Processing Personal Data.
Physical Security
beehiiv manages software on its computers and tracks the location of its equipment. beehiiv evaluates and assesses the physical security controls implemented by its sub-processors that supply critical infrastructure in physical spaces. These assessments are conducted through review of third-party audit reports, independent penetration testing results, facility architecture diagrams, and other documentation evidencing the physical security posture of such sub-processors' facilities.