Legal
Data Processing Agreement
GDPR-compliant data processing terms governing how MailAfiniti processes your data.
Last updated:
This Data Processing Agreement ("DPA") forms part of the Terms of Service and is effective as of the date you accept those Terms. It governs MailAfiniti's processing of personal data on your behalf under GDPR and UK GDPR.
1. Definitions
| Term | Definition |
|---|---|
| Controller | The Customer who determines the purposes and means of processing personal data |
| Processor | MailAfiniti, acting on the Controller's instructions |
| Data Subject | Any identified or identifiable natural person whose personal data is processed |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data |
| GDPR | EU General Data Protection Regulation 2016/679 |
| UK GDPR | The UK General Data Protection Regulation as incorporated into UK law |
| SCCs | Standard Contractual Clauses adopted by European Commission Decision 2021/914 |
| Sub-processor | Any third party engaged by MailAfiniti to assist in providing the Services |
2. Scope & Role of Parties
You (Controller) determine:
- Which personal data is processed through the Services
- The purposes for which email accounts are used
- Which individuals (End Users) have access to email accounts
- Retention and deletion of Customer Data
MailAfiniti (Processor) processes data only:
- On your documented instructions
- As necessary to provide the Services described in the Terms of Service
- As required by applicable law (in which case we will notify you unless prohibited)
3. Details of Processing
| Item | Details |
|---|---|
| Subject matter | Email hosting, delivery, and management services |
| Duration | Term of the agreement + 30-day post-termination retention |
| Nature | Storage, transmission, filtering, routing of emails |
| Purpose | Provision of email hosting Services |
| Personal data types | Email addresses, names, email content and metadata, IP addresses |
| Data subjects | Controller's employees, contractors, business contacts |
4. Processor Obligations
Instructions & Confidentiality
MailAfiniti processes personal data only in accordance with your documented instructions. All personnel with data access are subject to enforceable confidentiality obligations and receive regular data protection training.
Security Measures
We implement encryption in transit (TLS 1.2+) and at rest (AES-256), multi-factor authentication for administrative access, regular vulnerability assessments and penetration testing, intrusion detection, access logging, and physical access controls at our data centers.
Data Subject Rights
We assist you in responding to Data Subject rights requests. If we receive a request directly, we will notify you within 5 business days without responding to the Data Subject unless instructed by you or required by law.
Data Breach Notification
We will notify you without undue delay and within 48 hours of becoming aware of a personal data breach, including the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.
Audit Rights
Upon your written request (no more than once per 12 months unless required by law), we will provide information necessary to demonstrate compliance and allow audits by you or an authorized auditor, subject to 30 days' advance notice and confidentiality requirements.
5. Controller Obligations
You warrant and represent that:
- You have a valid legal basis to collect and transfer personal data to MailAfiniti
- You have provided required notices to and obtained required consents from Data Subjects
- Your instructions comply with applicable data protection laws
- You will ensure that End Users comply with the Acceptable Use Policy
6. International Data Transfers
EU/EEA Transfers
For transfers from the EEA to non-adequate third countries, the parties are bound by Module Two (Controller to Processor) of the EU SCCs (Commission Decision 2021/914).
UK Transfers
For transfers from the UK, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs applies as appropriate.
Adequate Countries
Where data is transferred to countries with an adequacy decision, such transfers are permitted without additional safeguards.
7. Deletion & Return of Data
Upon expiry or termination of the Services:
- We make Customer Data available for export for 30 days
- After 30 days, we securely delete all Customer Data (including backups) within 90 days
- Upon request, we will certify in writing that deletion is complete
- We may retain data as required by applicable law (you will be notified)
8. Sub-processors
MailAfiniti maintains an up-to-date list of approved Sub-processors. We will notify you at least 30 days in advance of any intended changes. We impose equivalent data protection obligations on all Sub-processors and remain liable for their compliance.
Current categories of Sub-processors:
- Infrastructure / hosting providers
- Email filtering / security providers
- Payment processors
- Customer support platforms
- Monitoring and analytics services
Contact
For DPA-related inquiries or to exercise data subject rights:
- Privacy: [email protected]
- Support: Help & Support page
- Related policies: Privacy Policy · Terms of Service
