Data Processing Agreement

Effective Date: April 8, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Data Controller” or “Customer”) and Velocity Digital Labs (“Data Processor” or “Company”), the operator of the JustEmails platform (“Service”). This DPA is entered into to ensure compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

“Processing” means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

“Sub-processor” means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

2.1. The Data Processor processes Personal Data on behalf of the Data Controller solely for the purpose of providing the Service, which includes:

  • Receiving, storing, and delivering email messages
  • Managing email accounts and domain configurations
  • Providing spam and virus filtering
  • Managing user authentication and account security
  • Providing email migration services

2.2. The categories of data subjects include the Customer's employees, contractors, clients, and any other individuals who send or receive email through the Service.

2.3. The types of Personal Data processed include names, email addresses, email content and attachments, IP addresses, and authentication credentials.

3. Data Processor Obligations

The Data Processor shall:

  • Process Personal Data only on documented instructions from the Data Controller, unless required to do so by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational security measures as described in Section 5.
  • Assist the Data Controller in fulfilling data subject requests (access, rectification, erasure, portability, etc.).
  • Assist the Data Controller in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities where required.
  • Delete or return all Personal Data to the Data Controller upon termination of the Service, at the Data Controller's choice, unless retention is required by applicable law.
  • Make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for audits.

4. Sub-processors

4.1. The Data Controller provides general authorization for the Data Processor to engage Sub-processors. The Data Processor shall maintain a list of current Sub-processors, available upon request.

4.2. The Data Processor shall notify the Data Controller of any intended changes to Sub-processors at least 30 days before the change takes effect. The Data Controller may object to such changes within 14 days of notification.

4.3. The Data Processor shall impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA.

4.4. The Data Processor remains fully liable for the acts and omissions of its Sub-processors.

4.5. Current Sub-processors include:

  • Infrastructure hosting provider — server hosting and data storage
  • Stripe — payment processing
  • Cloudflare — CDN, DNS, and security services

5. Technical and Organizational Security Measures

The Data Processor implements the following security measures to protect Personal Data:

  • Encryption in transit: TLS 1.2+ for all connections to and from the Service.
  • Encryption at rest: AES-256 encryption for stored data.
  • Access controls: Role-based access controls with the principle of least privilege. Multi-factor authentication for administrative access.
  • Network security: Firewalls, intrusion detection, and DDoS protection.
  • Monitoring: Continuous monitoring of systems and automated alerting for security events.
  • Backups: Regular automated backups with encryption.
  • Incident response: Documented incident response procedures with defined roles and escalation paths.

6. International Data Transfers

6.1. The Data Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless appropriate safeguards are in place as required by Chapter V of the GDPR.

6.2. Where transfers to third countries are necessary, the Data Processor shall ensure they are covered by:

  • An adequacy decision by the European Commission
  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Other legally recognized transfer mechanisms under the GDPR

6.3. The Data Processor shall conduct transfer impact assessments where required and implement supplementary measures as necessary.

7. Data Breach Notification

7.1. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Data Breach, and in any event within 48 hours.

7.2. The notification shall include:

  • The nature of the Data Breach, including categories and approximate number of data subjects and records affected
  • The name and contact details of the Data Processor's data protection point of contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the breach, including mitigation measures

7.3. The Data Processor shall cooperate with the Data Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

8. Audits and Inspections

8.1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR.

8.2. The Data Controller may conduct audits, including inspections, to verify the Data Processor's compliance. Audits shall be conducted with reasonable prior notice (at least 30 days) and during normal business hours, and shall not unreasonably disrupt the Data Processor's operations.

8.3. The Data Processor may provide the Data Controller with relevant certifications or audit reports from independent third parties to satisfy audit requirements.

9. Duration and Termination

9.1. This DPA shall remain in effect for the duration of the Data Processor's processing of Personal Data on behalf of the Data Controller.

9.2. Upon termination of the Service, the Data Processor shall, at the Data Controller's choice, delete or return all Personal Data within 30 days, unless retention is required by applicable law.

9.3. The Data Processor shall provide certification of deletion upon request.

10. Governing Law

This DPA shall be governed by and construed in accordance with the same governing law as the Terms of Service, without prejudice to the mandatory provisions of the GDPR.

11. Contact Information

For questions about this DPA, contact us at:

Velocity Digital Labs
Email: dpa@justemails.app
Website: velocitydigitallabs.com