Mailverick ailverick
Why us Features Integration Pricing Docs Log in Start Free FR

Data Processing Agreement

Last updated: March 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the agreement between Mailverick ("Processor") and the customer ("Controller") for the use of the Mailverick email delivery platform. This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of the GDPR.

2. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR (Regulation (EU) 2016/679).

3. Subject Matter and Duration

The Processor processes personal data on behalf of the Controller for the purpose of delivering transactional emails. Processing begins when the Controller starts using the Service and continues for the duration of the service agreement.

4. Types of Personal Data

The following categories of personal data are processed:

  • Email addresses (sender and recipient).
  • Names (when included in email headers).
  • Email metadata (subject lines, timestamps, delivery status, IP addresses).
  • Email message content, processed for delivery and, where applicable, retained for a limited period for security and abuse prevention.
  • Custom identifiers provided by the Controller (custom_id fields).

5. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Not engage sub-processors without prior written authorization from the Controller.
  • Assist the Controller in responding to data subject requests.
  • Delete or return all personal data upon termination of the service, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance with GDPR obligations.

6. Data Location

All personal data is stored and processed exclusively within the European Economic Area (EEA). The Processor does not transfer personal data to third countries. Infrastructure is hosted on European-owned data centers with no exposure to the US Cloud Act.

7. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS) and at rest.
  • Access controls with role-based permissions.
  • Regular security assessments and updates.
  • Automated data retention and purging policies.
  • Incident detection and response procedures.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach, providing sufficient information for the Controller to meet its obligations under the GDPR.

9. Sub-Processors

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. A current list of sub-processors is available upon request.

10. Audits

The Processor shall allow and contribute to audits and inspections by the Controller or an authorized auditor, subject to reasonable notice and confidentiality obligations.

11. Termination

Upon termination of the service agreement, the Processor shall delete all personal data within 30 days, unless EU law requires further storage. The Controller may request a copy of the data before deletion.

12. Contact

For DPA-related inquiries, contact us at privacy@mailverick.com.

Mailverick ailverick

Transactional email API.
Simple pricing. European-hosted.

© 2026 Mailverick. All rights reserved.

Product

Why us Features Integration Pricing Docs

Company

Contact Sales Support

Legal

Legal Notice Privacy Policy Terms of Service Refund Policy Data Processing Agreement