MailBeast

Data Processing Addendum

Last updated: January 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Mark-Digital, LLC (“MailBeast,” “we,” or “Processor”) and you (“Customer” or “Controller”). This DPA is automatically incorporated when you use the MailBeast Service to process Personal Data subject to Data Protection Laws.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given in the Terms of Service.

  • “Controller” means the entity that determines the purposes and means of Processing Personal Data.
  • “Data Protection Laws” means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, and other applicable regulations.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed.
  • “GDPR” means the General Data Protection Regulation (EU) 2016/679.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by MailBeast on behalf of Customer in connection with the Service.
  • “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller.
  • “SCCs” means the Standard Contractual Clauses approved by the European Commission for international data transfers.
  • “Sub-processor” means any third party engaged by MailBeast to Process Personal Data on behalf of Customer.

2. Scope and Applicability

This DPA applies when MailBeast Processes Personal Data on behalf of Customer in connection with the Service. Customer acts as the Controller, and MailBeast acts as the Processor. This DPA does not apply to Personal Data that MailBeast Processes as a Controller (such as Customer account information), which is governed by our Privacy Policy.

Categories of Personal Data Processed

Personal Data Processed under this DPA may include:

  • Contact information of email recipients (names, email addresses)
  • Custom fields and personalization data provided by Customer
  • Email content and metadata
  • Engagement data (opens, clicks, replies)
  • Unsubscribe and preference information

Data Subjects

Data Subjects may include Customer's email recipients, leads, prospects, and other individuals whose data Customer uploads or generates through the Service.

3. Processing Instructions

MailBeast shall Process Personal Data only in accordance with Customer's documented instructions, which include:

  • Processing necessary to provide the Service as described in the Terms of Service
  • Processing initiated by Customer through use of the Service
  • Processing required to comply with applicable law (in which case MailBeast will inform Customer before Processing, unless prohibited by law)

If MailBeast believes an instruction from Customer infringes Data Protection Laws, MailBeast will promptly notify Customer and may suspend Processing until the instruction is confirmed or modified.

4. Confidentiality and Personnel

MailBeast ensures that all personnel authorized to Process Personal Data:

  • Are bound by confidentiality obligations (contractual or statutory)
  • Have received appropriate training on data protection requirements
  • Process Personal Data only as necessary to provide the Service

5. Security Measures

MailBeast implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures include:

Technical Measures

  • Encryption: AES-256 encryption at rest; TLS 1.3 encryption in transit
  • Access Controls: Role-based access controls and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Credential Protection: SMTP credentials stored with additional encryption layers
  • Audit Logging: Comprehensive logging of access and changes to Personal Data

Organizational Measures

  • Security Team: Dedicated personnel responsible for security management
  • Risk Assessments: Regular security risk assessments and vulnerability testing
  • Incident Response: Documented procedures for identifying and responding to security incidents
  • Business Continuity: Disaster recovery and backup procedures with 24-48 hour recovery objectives
  • Vendor Management: Security assessments of Sub-processors

MailBeast may update these measures from time to time, provided that such updates do not materially decrease the overall level of protection.

6. Sub-processors

Customer provides general authorization for MailBeast to engage Sub-processors to assist in providing the Service. MailBeast will:

  • Enter into written agreements with Sub-processors imposing data protection obligations consistent with this DPA
  • Remain responsible for Sub-processor compliance
  • Maintain a current list of Sub-processors on our website
  • Provide at least 14 days' notice before engaging new Sub-processors

Current Sub-processors

Our current Sub-processors include:

  • Amazon Web Services (AWS): Cloud infrastructure hosting (United States)
  • Stripe: Payment processing (United States)
  • OpenAI: AI-powered features such as reply classification (United States)

Objections to Sub-processors

Customer may object to a new Sub-processor by notifying MailBeast in writing within 14 days of receiving notice. If Customer has reasonable grounds for objection based on data protection concerns, the parties will work in good faith to resolve the issue. If resolution is not possible, Customer may terminate the affected portions of the Service without penalty.

7. Data Subject Rights

MailBeast will assist Customer in responding to Data Subject requests to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

  • MailBeast will promptly notify Customer upon receiving a request from a Data Subject
  • MailBeast will not respond directly to Data Subjects without Customer's authorization, unless required by law
  • MailBeast will provide technical capabilities to enable Customer to respond to requests
  • Customer is solely responsible for responding to Data Subject requests

8. Personal Data Breach Notification

In the event of a Personal Data Breach, MailBeast will:

  • Notify Customer without undue delay (and in any event within 72 hours) after becoming aware of the breach
  • Provide information as reasonably available about the nature of the breach, categories of data affected, approximate number of Data Subjects affected, and likely consequences
  • Take reasonable steps to mitigate the effects and prevent recurrence
  • Cooperate with Customer to enable Customer to fulfill its own breach notification obligations

Notification of a breach is not an acknowledgment of fault or liability.

9. Data Deletion and Return

Upon termination of the Service or upon Customer's written request:

  • Customer may export Personal Data using available self-service tools within 30 days of termination
  • MailBeast will delete Personal Data within 30 days of termination or request, unless retention is required by applicable law
  • MailBeast may retain anonymized or aggregated data that does not identify individuals

10. Compliance Assistance

MailBeast will provide reasonable assistance to Customer with:

  • Data protection impact assessments, where required
  • Prior consultations with supervisory authorities
  • Demonstrating compliance with Data Protection Laws

Customer will reimburse MailBeast for reasonable costs incurred in providing such assistance beyond what is included in the Service.

11. Audits

MailBeast will make available information reasonably necessary to demonstrate compliance with this DPA. Upon Customer's written request (no more than once per year), MailBeast will:

  • Provide copies of relevant certifications, audit reports, or security documentation
  • Respond to reasonable written questions about security and data protection practices

On-site audits may be conducted by a mutually agreed third-party auditor, subject to confidentiality obligations and reasonable advance notice. Customer will bear the costs of any such audit.

12. International Data Transfers

MailBeast may transfer Personal Data to countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. For such transfers, MailBeast implements appropriate safeguards:

Standard Contractual Clauses

Where required, transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), incorporated by reference:

  • Module Two (Controller to Processor) applies when Customer acts as Controller
  • Customer is the “data exporter”; MailBeast is the “data importer”

UK Transfers

For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs applies.

Swiss Transfers

For transfers from Switzerland, the SCCs are modified as necessary to comply with Swiss data protection requirements.

13. Customer Responsibilities

Customer represents and warrants that:

  • It has a lawful basis for the Processing of Personal Data and has provided all necessary notices and obtained all necessary consents
  • It will not provide Special Categories of Personal Data (sensitive data as defined in GDPR Article 9) unless expressly agreed in writing
  • It will not use the Service to Process data relating to children under 16
  • It will comply with all applicable Data Protection Laws in its use of the Service
  • Its instructions to MailBeast will comply with Data Protection Laws

14. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits either party's liability for claims by Data Subjects or regulatory enforcement actions arising from that party's own breach of Data Protection Laws.

15. General Provisions

This DPA is governed by the same law that governs the Terms of Service, unless Data Protection Laws require otherwise. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

MailBeast may update this DPA to reflect changes in Data Protection Laws or our practices. We will provide notice of material changes. Continued use of the Service after changes take effect constitutes acceptance of the updated DPA.

16. Contact

For questions about this DPA or to exercise rights under it, please contact us via MailBeast Support Chat.

2026 MailBeast. All rights reserved.