CCPA and U.S. privacy law compliance at Exclaimer

Exclaimer meets its obligations as a service provider under the California Consumer Privacy Act (CCPA) and as a processor under every other comprehensive U.S. state privacy law currently in effect. A service provider under the CCPA is a company that processes personal information on behalf of a business under a written contract restricting data use. A processor is an entity that processes personal data on behalf of a controller under documented instructions.

Our commitments are set out in the Exclaimer Data Processing Agreement (DPA), most recently updated in November 2025.

This page is a plain-English overview of those commitments, how our platform supports them, and where to find the underlying contracts and audit evidence.

At a glance

  • Exclaimer is a service provider under the CCPA and a processor under every other comprehensive U.S. state privacy law currently in effect.

  • Exclaimer does not sell or share customer personal information with any third party.

  • U.S. customer data is processed in Microsoft Azure datacenters in the United States: East US (Virginia) and West US (California).

  • Exclaimer doesn't persistently store the content of customer emails.

  • Customer data is logically segregated and never combined with data from other customers.

  • Data subject requests can be submitted to [email protected] and receive a response within 30 days.

How Exclaimer handles the California Consumer Privacy Act (CCPA)

The CCPA, as amended by the California Privacy Rights Act (CPRA), is the most established U.S. state privacy law. The CCPA sets out the obligations that apply when a business collects, uses, or shares the personal information of California residents. The law also sets out the more specific obligations that apply to the service providers processing that information on the business's behalf.

What is Exclaimer's role under the CCPA? 

The CCPA defines two main roles. A "business" is the organization that determines why and how personal information is processed. A "service provider" is the company processing that personal information on the business's behalf, under a written contract that restricts what it can do with the data.

When you use Exclaimer to manage email signatures, you are the business, and Exclaimer is the service provider. We process customer data, including directory data synced from Microsoft 365 or Google Workspace, only to deliver the email signature management service you've contracted for.

What does Exclaimer commit to as a service provider under the CCPA?

Exclaimer's contractual commitments under the CCPA are set out in our Data Processing Agreement. The four that matter most for a vendor risk review:

  • No sale of personal information. Exclaimer does not sell or share customer personal information with any third party (clause 2.6).

  • Processing limited to documented instructions. Exclaimer processes personal data only in accordance with your lawful instructions, and only for the purpose of providing the contracted service (clause 2.4).

  • Deletion or return on termination. When your contract ends, Exclaimer deletes all personal data processed on your behalf, or returns it to you at your choice, and certifies that it has done so (clause 6.4).

  • Sub-processor controls. Exclaimer provides 10 days' written notice of any new sub-processor, giving you the opportunity to object before processing begins (clause 3.8).

How Exclaimer’s commitments hold up in practice

Contractual commitments matter, but architecture is what enforces them. Exclaimer doesn't store the content of customer emails. Messages are processed in transit so the correct signature can be applied, and then delivered. No email bodies, subject lines, or attachments are persistently stored. There is no archive, no historical copy, and no facility within the service for Exclaimer personnel to browse or search customer email content.

Customer data is also logically segregated by tenant and is never combined with data we receive from other customers, in line with our service provider obligations under the CCPA.

How can customers verify Exclaimer's CCPA compliance?

As a customer, you have the right to take reasonable steps to confirm that Exclaimer uses your personal information in a manner consistent with the CCPA, and to stop and remediate any unauthorized use.

The Exclaimer Trust Portal, supporting audit reports, and our security team are the routes for that verification.

Which U.S. state privacy laws does Exclaimer comply with?

Twenty U.S. states have comprehensive consumer privacy laws currently in effect, including California. They vary in detail but share a common framework for vendors processing data on a customer's behalf: process only on documented instructions, support consumer rights requests, maintain reasonable security, control sub-processors, and delete or return data on termination. Exclaimer's Data Processing Agreement meets these obligations under every comprehensive U.S. state privacy law in effect.

The California Consumer Privacy Act labels this vendor role "service provider". Every other U.S. state privacy law follows the GDPR framework and uses the term "processor". The role is substantively the same; the statutory label differs.

| Law | State | In effect since | Exclaimer's role |
|---|---|---|---|
| California Consumer Privacy Act (CCPA / CPRA) | California | January 2020 | Service provider |
| Virginia Consumer Data Protection Act (VCDPA) | Virginia | January 2023 | Processor |
| Colorado Privacy Act (CPA) | Colorado | July 2023 | Processor |
| Connecticut Data Privacy Act (CTDPA) | Connecticut | July 2023 | Processor |
| Utah Consumer Privacy Act (UCPA) | Utah | December 2023 | Processor |
| Oregon Consumer Privacy Act (OCPA) | Oregon | July 2024 | Processor |
| Texas Data Privacy and Security Act (TDPSA) | Texas | July 2024 | Processor |
| Montana Consumer Data Privacy Act (MCDPA) | Montana | October 2024 | Processor |
| Florida Digital Bill of Rights | Florida | July 2024 | Processor |
| Delaware Personal Data Privacy Act (DPDPA) | Delaware | January 2025 | Processor |
| Iowa Consumer Data Protection Act (ICDPA) | Iowa | January 2025 | Processor |
| New Hampshire Privacy Act | New Hampshire | January 2025 | Processor |
| New Jersey Data Privacy Act | New Jersey | January 2025 | Processor |
| Nebraska Data Privacy Act | Nebraska | January 2025 | Processor |
| Tennessee Information Protection Act (TIPA) | Tennessee | July 2025 | Processor |
| Minnesota Consumer Data Privacy Act | Minnesota | July 2025 | Processor |
| Maryland Online Data Privacy Act (MODPA) | Maryland | October 2025 | Processor |
| Indiana Consumer Data Protection Act | Indiana | January 2026 | Processor |
| Kentucky Consumer Data Protection Act | Kentucky | January 2026 | Processor |
| Rhode Island Data Transparency and Privacy Protection Act | Rhode Island | January 2026 | Processor |

Two further comprehensive state privacy laws take effect in 2027: the Oklahoma Consumer Data Privacy Act and the Alabama Personal Data Protection Act. Exclaimer will meet processor obligations under both when they come into effect.

Where does Exclaimer store and process U.S. customer data?

For U.S. customers, Exclaimer processes all customer data in Microsoft Azure datacenters located in the United States: East US (Virginia) as the primary region and West US (California) as the secondary, configured as an active/active pair with automatic failover.

Data assigned to the U.S. region does not transfer to any other regional datacenter. Under clause 2.2 of our Data Processing Agreement, customer data remains within the region where the tenancy is provisioned. The region is selected at provisioning, and customers can confirm their assigned region through their tenant configuration.

How does Exclaimer help fulfill consumer rights requests under U.S. privacy laws?

U.S. state privacy laws give consumers rights over their personal information: the right to know what's collected, to delete it, to correct it, and, under most laws, to opt out of its sale or sharing.

The business (the customer) is responsible for responding to consumer rights requests under each applicable state law. Exclaimer's role is to support the customer in fulfilling those requests. Under clause 4.2 of our Data Processing Agreement, we provide reasonable assistance to locate, export, correct, or delete personal data held in your tenant.

Customers can submit data subject requests, including requests on behalf of their consumers, to [email protected]. We respond within 30 days, faster than the 45-day window required under the CCPA.

Consumer-facing requests, including "Do Not Sell or Share My Personal Information" requests, should be directed to the business (the customer), not to Exclaimer.

Which sub-processors does Exclaimer use for U.S. customers?

Microsoft Operations Limited is the sole cloud sub-processor for Exclaimer's email signature management service.

Exclaimer provides 10 days' written notice before engaging any new sub-processor (clause 3.8 of our Data Processing Agreement), giving customers the opportunity to object before processing begins. Exclaimer's contracts with sub-processors include obligations equivalent to those Exclaimer commits to under the DPA.

The full list of Exclaimer's sub-processors, including those used for billing, customer support, and other operational functions, is available in Annex 3 of the Data Processing Agreement.

Where can I find Exclaimer's DPA and compliance documentation?

The full contractual commitments and audit evidence sit in two places.

The Exclaimer Data Processing Agreement sets out our binding commitments as a service provider under the CCPA and as a processor under the other U.S. state privacy laws. The current version is dated November 2025.

The Exclaimer Trust Portal holds the supporting documentation, including security policies, audit reports, certificates (including SOC 2 Type II and ISO/IEC 27018), and pre-completed answers to over 350 questions covering our wider security and compliance program.


Frequently asked questions about Exclaimer and US privacy laws

Is Exclaimer compliant with the California Consumer Privacy Act (CCPA)?

Yes, Exclaimer operates as a CCPA-compliant service provider when processing customer data on behalf of a business. Under every other comprehensive U.S. state privacy law, Exclaimer acts as a processor. The contractual commitments behind both are set out in the Exclaimer Data Processing Agreement (DPA), most recently updated in November 2025. Exclaimer does not sell personal information, as specified in DPA clause 2.6.