Alternative Physical Address Ideas
Suggestions on alternate ways to include a physical address for your email campaigns to be compliant with the CAN-SPAM ACT.
If you’re a Mailchimp customer located in the European Economic Area (EEA), the United Kingdom or Switzerland (which we'll refer to collectively as “Europe”), or you use our platform to process data about your contacts in Europe, our Data Processing Addendum (DPA) has been drafted to enable you to transfer European personal data to Mailchimp in the United States and to permit Mailchimp to lawfully process that data on your behalf.
The DPA is incorporated directly into our Standard Terms of Use and doesn’t require a signature. By using Mailchimp or signing up for an account, you’re agreeing to these terms. Under Mailchimp's Standard Terms of Use and Data Processing Addendum, each user promises that their use will be compliant with all applicable laws.
The Rocket Science Group LLC d/b/a Mailchimp is a covered entity under Intuit’s Data Privacy Framework program and has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. You may view our listing by searching “Intuit” here, and read the Intuit Data Privacy Framework certification page here.
In addition, should the Data Privacy Framework be invalidated, Mailchimp contractually commits to transfer and process all of its customers’ European data in compliance with the Standard Contractual Clauses (the “SCCs”), which continue to give our customers the ability to lawfully transfer data that is subject to applicable data protection laws (including the GDPR) outside of Europe to Mailchimp in the United States. The SCCs automatically apply in accordance with Mailchimp's Data Processing Addendum.
We know that our customers may have questions about data transfer compliance, including the impact of the CJEU’s 2020 ruling regarding data transfers and the European Commission’s adoption of the new SCCs on June 4, 2021. In this section, we'll provide some common questions and answers.
Yes. Mailchimp’s headquarters are in the United States and our servers are also located in the United States. This means data we process may be transferred to, stored, or processed in the United States. In addition, we leverage third-party vendors who process personal data on our behalf, to provide services to Mailchimp, and their servers may be located outside of Europe.
You can view the full list of sub-processors we use to process our customers’ data, along with details of their location. We take steps to ensure that our vendors offer appropriate safeguards to protect personal data they process on our behalf, and contractually obligate them to process such data in compliance with applicable data protection laws.
Mailchimp has put a number of measures in place to ensure that European data remains protected when it’s transferred outside of Europe.
Contractual commitments
In addition to certifying our compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, the SCCs are directly incorporated into our Data Processing Addendum. We also specify our commitments to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subject rights, notice of security incidents, and more.
Importantly, Mailchimp does not sell, rent, or trade user data.
Security measures
Mailchimp treats the privacy and security of our users’ data with paramount importance. Our security and privacy program is outlined in detail on our Security page.
Here’s a summary of some of the important and specific technical and organizational measures we have implemented (and will continue to implement) to safeguard against unauthorized access to user data:
(1) Encryption
Mailchimp has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use Transport Layer Security (TLS), a secure encryption protocol, and Mailchimp's internal wireless network uses 128-bit WPA2 encryption. Further, Mailchimp email (256-bit), all VPN connections (256-bit), and the internal chat application (256-bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to the Mailchimp mobile applications and the Mailchimp API.
(2) Access controls
Mailchimp restricts third-party access to its internal tooling and infrastructure. Our Legal team evaluates all requests for access, ensures that the request is appropriate for the work to be performed, and ensures that the third party follows all security and privacy provisions outlined in their contract. Once approved, Mailchimp only grants access through controlled accounts to clearly defined portions of the system.
Mailchimp remains committed to maintaining the highest levels of privacy and security for our users. If you have questions about our security and privacy program, please submit your questions here.
Vendor Agreements
We take all steps necessary to ensure that our agreements with our third-party international vendors (including sub-processors) contain appropriate commitments from such third parties regarding the transfer and processing of European data outside Europe, and that we implement an appropriate and lawful data transfer mechanism (such as the Standard Contractual Clauses) and additional safeguards as necessary. Up-to-date details of the sub-processors we use to process our members’ data are available.
Data Privacy Framework
The Rocket Science Group LLC d/b/a Mailchimp complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU), the United Kingdom (and Gibraltar) (UK), and Switzerland to the United States.
We carefully consider all requests for information, and as a policy, don’t provide third parties with information from an account that doesn’t belong to them unless we are legally compelled to do so. This means we will only respond to a valid court order, subpoena, search warrant, or other proper legal process seeking information and records from a Mailchimp account. Mailchimp uses certain guidelines when responding to requests for information, whether from a government or non-government entity:
In accordance with our Data Processing Addendum, Mailchimp will provide European users with written notice of compulsory requests to access their data, unless we are prohibited by law from doing so.
In order to demonstrate our commitment to privacy and our efforts to be as transparent as possible, Mailchimp now publishes annual transparency reports to document the number and type of legal requests we receive. While there are restrictions over the level of detail we can provide, we will do our best to be as transparent as legally possible in all such reports.
At the heart of the recent CJEU ruling (and one of the main reasons the Privacy Shield was invalidated) was an expressed concern about US national intelligence and surveillance programs under Section 702, also referred to as the FISA Amendments Act, and under Executive Order 12333. As a matter of general practice, Mailchimp doesn’t voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Mailchimp accounts.
However, as a B2B email marketing platform and therefore an “electronic communication service,” Mailchimp is, like nearly all US cloud service providers, the type of entity to which the US government is technically authorized to issue FISA directives under Section 702 or undertake intelligence gathering under EO 12333. This means Mailchimp can technically be served with these types of compulsory information requests.
Our annual transparency reports document the limited number and specific types of legal requests Mailchimp has received. Further, as explained above, we also have strict policies and processes in place for responding to law enforcement information requests.
The Standard Contractual Clauses (“SCCs”) are directly incorporated into our Data Processing Addendum (DPA) which automatically forms part of our Standard Terms of Use (our contract with you) and applies to customer data protected by European data protection laws (including the GDPR).