Data Processing Agreement
Last updated: March 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between Mailverick ("Processor") and the customer ("Controller") for the use of the Mailverick email delivery platform. This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of the GDPR.
2. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR (Regulation (EU) 2016/679).
3. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the purpose of delivering transactional emails. Processing begins when the Controller starts using the Service and continues for the duration of the service agreement.
4. Types of Personal Data
The following categories of personal data are processed:
- Email addresses (sender and recipient).
- Names (when included in email headers).
- Email metadata (subject lines, timestamps, delivery status, IP addresses).
- Email message content, processed for delivery and, where applicable, retained for a limited period for security and abuse prevention.
- Custom identifiers provided by the Controller (custom_id fields).
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Not engage sub-processors without prior written authorization from the Controller.
- Assist the Controller in responding to data subject requests.
- Delete or return all personal data upon termination of the service, at the Controller's choice.
- Make available all information necessary to demonstrate compliance with GDPR obligations.
6. Data Location
All personal data is stored and processed exclusively within the European Economic Area (EEA). The Processor does not transfer personal data to third countries. Infrastructure is hosted on European-owned data centers with no exposure to the US Cloud Act.
7. Security Measures
The Processor implements the following security measures:
- Encryption of data in transit (TLS) and at rest.
- Access controls with role-based permissions.
- Regular security assessments and updates.
- Automated data retention and purging policies.
- Incident detection and response procedures.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach, providing sufficient information for the Controller to meet its obligations under the GDPR.
9. Sub-Processors
The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. A current list of sub-processors is available upon request.
10. Audits
The Processor shall allow and contribute to audits and inspections by the Controller or an authorized auditor, subject to reasonable notice and confidentiality obligations.
11. Termination
Upon termination of the service agreement, the Processor shall delete all personal data within 30 days, unless EU law requires further storage. The Controller may request a copy of the data before deletion.
12. Contact
For DPA-related inquiries, contact us at privacy@mailverick.com.