Data Processing Agreement

1. Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MailOdds ("Processor") and the Customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.

MailOdds processes personal data on behalf of the Customer for the purposes of email validation, contact list management, email campaign delivery, engagement tracking, and bounce/complaint processing services.

This DPA is entered into pursuant to Article 28(3) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch Uitvoeringswet AVG ("UAVG").

2. Definitions

Terms used in this DPA have the meanings given to them in the GDPR. In addition:

• "Controller" means the Customer who determines the purposes and means of processing personal data through the use of MailOdds services.
• "Processor" means MailOdds, which processes personal data on behalf of the Controller.
• "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

3. Duration

This DPA is effective for the duration of the service agreement between the Controller and the Processor. Processing will continue until the service agreement is terminated and all personal data has been deleted or returned in accordance with Section 14 of this DPA.

4. Nature and Purpose of Processing

The Processor processes personal data on behalf of the Controller for the following purposes:

• Email address validation: Verifying the syntax, domain, and deliverability of email addresses submitted by the Controller.
• Contact list storage: Storing and managing contact records including names, email addresses, phone numbers, and addresses on behalf of the Controller.
• Email campaign delivery: Sending transactional and marketing emails on behalf of the Controller to the Controller's contacts and subscribers.
• Engagement tracking: Recording open, click, bounce, complaint, and unsubscribe events for emails sent through the platform.
• Bounce and complaint processing: Receiving and classifying inbound bounce notifications, feedback loop complaints, and auto-replies related to emails sent on behalf of the Controller.

5. Types of Personal Data

The Processor may process the following categories of personal data on behalf of the Controller:

• Email addresses
• Names (first name, last name)
• Phone numbers
• Postal addresses
• Company names
• IP addresses (from engagement tracking)
• Engagement data (email opens, clicks, timestamps)
• Bounce and complaint metadata (diagnostic codes, classifications)

6. Categories of Data Subjects

The personal data processed under this DPA relates to the following categories of data subjects:

• The Controller's contacts and subscribers
• Email recipients of the Controller's campaigns and transactional messages
• Individuals whose email addresses are submitted for validation by the Controller

7. Controller's Rights and Obligations

The Controller:

• Determines the purposes and means of processing personal data.
• Is responsible for ensuring that a lawful basis exists for the collection and processing of personal data, including obtaining any required consent from data subjects.
• Is responsible for providing any required notices to data subjects regarding the processing of their data by the Processor.
• Shall ensure that instructions given to the Processor comply with applicable data protection law.
• Retains all rights and obligations under the GDPR as the controller of the personal data.

8. Processor Obligations (Art. 28(3)(a)-(h))

The Processor shall:

(a) Documented instructions

Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country. If the Processor is required by EU or Member State law to process personal data beyond the Controller's instructions, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

(b) Confidentiality

Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) Security measures (Art. 32)

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access controls and multi-factor authentication
• Regular security testing and vulnerability assessments
• Automated incident detection and monitoring
• Network segmentation and firewall protection
• Encrypted backup systems with access controls
• Logging and audit trail for data access

(d) Sub-processor requirements

Not engage another processor (sub-processor) without prior general written authorization of the Controller. The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract. The current list of sub-processors is available at /legal/sub-processors.

(e) Data subject rights

Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR.

(f) Assistance with compliance obligations

Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

• Security of processing (Art. 32)
• Notification of personal data breaches to the supervisory authority (Art. 33)
• Communication of personal data breaches to data subjects (Art. 34)
• Data protection impact assessments (Art. 35)
• Prior consultation with the supervisory authority (Art. 36)

(g) Data return and deletion

At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage of the personal data.

(h) Audit and inspection

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

9. Sub-Processors

The Controller provides general authorization for the Processor to engage sub-processors for the processing of personal data under this DPA. The current list of sub-processors is maintained at /legal/sub-processors.

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds related to data protection, the parties shall discuss the objection in good faith. If the parties cannot resolve the objection, the Controller may terminate the affected services.

The Processor shall impose data protection obligations equivalent to those in this DPA on each sub-processor by contract. The Processor remains fully liable to the Controller for the performance of any sub-processor's obligations.

10. International Transfers

The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) unless:

• The European Commission has issued an adequacy decision for the destination country; or
• The recipient is certified under the EU-US Data Privacy Framework; or
• Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission.

Current international transfers are limited to US-based sub-processors certified under the EU-US Data Privacy Framework, and Proton AG in Switzerland (EU adequacy decision). SCCs are maintained as a supplementary transfer mechanism for all US-based sub-processors.

11. Data Subject Rights

The Processor shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under the GDPR (access, rectification, erasure, restriction, portability, or objection). The Processor shall not respond to such requests directly unless instructed to do so by the Controller.

The Processor provides the following tools to assist the Controller with data subject requests:

• Data search functionality to locate all data associated with a specific email address
• Data export in machine-readable format (JSON)
• Data purge functionality for permanent deletion of data subject records
• Suppression list management for opt-out enforcement

12. Breach Notification

The Processor shall notify the Controller without undue delay, and in any event not later than 24 hours after becoming aware of a personal data breach. The notification shall include:

• A description of the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records affected
• The name and contact details of the Processor's Data Protection Officer
• A description of the likely consequences of the personal data breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the data breach.

13. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR.

The Processor shall allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller. The Controller shall provide reasonable advance notice (at least 30 days) for any audit, and audits shall be conducted during normal business hours without unreasonably disrupting the Processor's operations.

14. Data Return and Deletion

Upon termination of the service agreement, the Processor shall, at the Controller's choice:

• Return all personal data to the Controller in a structured, commonly used, and machine-readable format; or
• Delete all personal data and certify such deletion in writing.

The Controller may request data export at any time during the service agreement via the dashboard or API. After account deletion, the Processor retains personal data for 30 days to allow for account recovery, after which all data is permanently deleted. Billing records are retained for 7 years as required by Dutch fiscal law (AWR Art. 52).

15. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the main Terms of Service, except that no limitation applies to either party's liability for breaches of confidentiality obligations or for intentional or grossly negligent violations of this DPA.

16. Term and Termination

This DPA becomes effective upon the Controller's acceptance of the Terms of Service and remains in effect for as long as the Processor processes personal data on behalf of the Controller. This DPA shall automatically terminate when the service agreement between the parties ends, subject to the Processor's obligations regarding data return and deletion under Section 14.

17. Contact

For questions or requests related to this DPA, please contact:

• Data Protection Officer: dpo@mailodds.com
• Privacy inquiries: privacy@mailodds.com
• Address: Nassaukade 51 2, 1052CN Amsterdam, The Netherlands
• KVK: 99761246

Additional compliance documentation, including Data Protection Impact Assessments (DPIAs), our processing register, and transfer impact assessments, is available upon request to dpo@mailodds.com.