I was able to get quick answers from live chat and via support ticket.
Here is the general info found at:
The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.
Controller and Processors
A Controller is the organization that determines how personal data will be used. A Processor is the organization that processes personal data on behalf and on the instructions of the Controller. The specific responsibilities of each party are laid out in Articles 24-43.
In most cases, ActiveCampaign is a Processor and users of ActiveCampaign are Controllers. Note that it is possible for a single organization to be both a Processor and Controller.
Data processing agreements
Article 28 states that Controller must have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.
Data protection officers
According to Article 37, many organizations will be required to appoint a data protection officer. The specific responsibilities of a data protection officer are covered in Article 39. In general, the data protection officer is responsible for compliance with the GDPR.
Transfer of personal data to third countries or international organizations
Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third parties or international organizations. The GDPR does not require that personal data of EU citizens remain exclusively in the EU, but it does have some requirements for such transfers.
In terms of hosting data in EU servers and/or data transfers from the EU to the U.S. under GDPR, we expect that you will be able to continue to rely on our EU-U.S. PRIVACY SHIELD certification in order to transfer any lawfully obtained personal data to ActiveCampaign using our Services.
You can find more details on our Privacy Shield Certification at https://www.privacyshield.gov/participant?id=a2zt0000000GnH6AAK