← All legal documents

Data Processing Agreement

Last updated: 2026-02-18

EuroMail ("Processor") Customer ("Controller") Effective Date: 2026-02-18 Last Updated: 2026-02-18

This Data Processing Agreement ("DPA") forms part of the EuroMail Terms of Service and governs the processing of personal data by EuroMail on behalf of the Customer pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

  • Personal Data - Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Processing - Any operation performed on Personal Data, as defined in GDPR Article 4(2).
  • Data Subject - The identified or identifiable natural person to whom the Personal Data relates.
  • Subprocessor - Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach - A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose

2.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller solely to provide the EuroMail transactional email delivery service as described in the Terms of Service.

2.2 Categories of Data Subjects

  • Recipients of emails sent by the Controller through the Service
  • Contacts referenced in email content (e.g., CC/BCC recipients)

2.3 Types of Personal Data

  • Email addresses (sender and recipient)
  • Names (if included in email addresses or content)
  • Email content (subject, body, attachments)
  • Template variables and personalization data
  • Delivery metadata (timestamps, status, bounce/complaint records)
  • IP addresses (of email recipients interacting with tracked emails)

2.4 Duration

Processing continues for the duration of the service agreement. Upon termination, data is handled as described in Section 11.

3. Processor Obligations

The Processor shall:

a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EU/EEA, unless required by EU or Finnish law

b) Ensure that persons authorized to process Personal Data have committed to confidentiality or are under statutory obligation of confidentiality

c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7)

d) Comply with the conditions for engaging subprocessors (see Section 5)

e) Assist the Controller in responding to data subject requests (see Section 6)

f) Assist the Controller in ensuring compliance with data protection impact assessments and prior consultation obligations

g) At the choice of the Controller, delete or return all Personal Data after the end of the provision of services (see Section 11)

h) Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations

4. Controller Obligations

The Controller shall:

a) Ensure that the processing instructions comply with applicable data protection law

b) Ensure a legal basis exists for the processing of Personal Data (e.g., consent, legitimate interest, contract performance)

c) Inform data subjects about the processing as required by GDPR Articles 13 and 14

d) Ensure email content complies with applicable laws and the EuroMail Acceptable Use Policy

e) Maintain the accuracy of Personal Data and promptly update or delete inaccurate data

5. Subprocessors

5.1 Current Subprocessors

The Controller authorizes the engagement of the following subprocessors:

SubprocessorPurposeLocationSafeguards
UpCloud LtdInfrastructure (compute, database, storage)FinlandEU company, ISO 27001
Stripe, Inc.Payment processingUSAEU SCCs, PCI DSS Level 1
GitHub, Inc.CI/CD, container registryUSAEU SCCs

5.2 Notification of Changes

The Processor shall notify the Controller at least 30 days before adding or replacing a subprocessor. Notification will be sent to the account email address.

5.3 Objection Right

The Controller may object to a new subprocessor within 14 days of notification. If the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected services without penalty.

5.4 Subprocessor Agreements

The Processor shall impose the same data protection obligations on subprocessors as set out in this DPA, via a written contract. The Processor remains liable for the acts and omissions of its subprocessors.

6. Data Subject Rights

6.1 Assistance

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Articles 15-22, including:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)

6.2 Direct Requests

If the Processor receives a data subject request directly, it will:

a) Promptly redirect the request to the Controller (within 5 business days) b) Not respond to the request directly unless instructed by the Controller or required by law

6.3 Technical Capabilities

The Service provides the following tools for data subject request fulfillment:

RightAPI EndpointDashboard
Access / PortabilityGET /v1/account/exportSettings > Export Data
ErasureDELETE /v1/accountSettings > Delete Account
Suppression (stop processing)POST /v1/suppressionsSuppressions > Add

7. Security Measures

7.1 Technical Measures

The Processor implements the following security measures:

Encryption:

  • TLS 1.2+ for all API communications
  • STARTTLS for SMTP delivery
  • Encrypted storage volumes for databases
  • DKIM signing for email authentication

Access Control:

  • API key authentication with argon2 hashing
  • JWT session tokens with configurable expiration
  • Tenant isolation at the database level (row-level filtering)
  • Principle of least privilege for infrastructure access

Application Security:

  • CSRF protection (double-submit cookie)
  • Security headers (CSP, HSTS, X-Frame-Options)
  • Input validation and sanitization
  • SSRF protection for webhook URLs
  • Rate limiting (global and per-account)
  • Constant-time comparison for cryptographic operations

Monitoring:

  • Audit logging for all account changes
  • OpenTelemetry distributed tracing
  • Prometheus metrics and alerting
  • Automated dependency vulnerability scanning

Data Minimization:

  • Email body content deleted after 30 days
  • Email metadata partitioned and pruned after 6 months
  • No unnecessary data collection

7.2 Organizational Measures

  • Confidentiality obligations for all personnel with access to Personal Data
  • Regular security reviews and dependency audits
  • Incident response procedures (see Section 8)

8. Data Breach Notification

8.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.

8.2 Notification Contents

The notification shall include, to the extent available:

a) Nature of the breach, including categories and approximate number of data subjects and records affected

b) Name and contact details of the Processor's point of contact

c) Likely consequences of the breach

d) Measures taken or proposed to address the breach and mitigate its effects

8.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

8.4 Controller Obligations

The Controller remains responsible for notifying the supervisory authority (within 72 hours per GDPR Article 33) and affected data subjects (per GDPR Article 34) where required.

9. International Transfers

9.1 Primary Processing

All primary data processing occurs within the European Union (Finland, Helsinki datacenter).

9.2 Subprocessor Transfers

Where subprocessors are located outside the EU/EEA (see Section 5.1), transfers are safeguarded by:

  • EU Standard Contractual Clauses (SCCs) per European Commission Decision 2021/914
  • Supplementary measures as required by the CJEU Schrems II decision

9.3 No Additional Transfers

The Processor shall not transfer Personal Data outside the EU/EEA except as described in this Section or as instructed by the Controller in writing.

10. Audits

10.1 Right to Audit

The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable notice (at least 30 days) and during normal business hours.

10.2 Audit Scope

Audits may include:

  • Review of security measures and documentation
  • Review of subprocessor agreements
  • Review of data breach procedures
  • Review of access controls and logs

10.3 Third-Party Audits

The Controller may engage a qualified third-party auditor, provided the auditor is bound by confidentiality obligations.

10.4 Costs

Each party bears its own costs for audits. If an audit reveals a material breach, the Processor bears reasonable audit costs.

10.5 Certifications

Where available, the Processor may provide relevant certifications or audit reports (e.g., SOC 2, ISO 27001) to satisfy audit requirements.

11. Data Return and Deletion

11.1 During the Agreement

The Controller may export all account data at any time via GET /v1/account/export.

11.2 Upon Termination

Upon termination of the service agreement:

a) The Controller has 30 days to export their data

b) After 30 days, the Processor will delete all Personal Data unless EU or Finnish law requires retention

c) Deletion includes:

  • Account information
  • Email content and metadata
  • Templates and template data
  • Domain configurations
  • Webhook configurations
  • API keys
  • Suppression lists

d) Exceptions to deletion:

  • Billing records retained for 7 years (Finnish Accounting Act)
  • Anonymized, aggregated statistics (no Personal Data)
  • Data required by law enforcement or court order

11.3 Certification

The Processor shall certify deletion in writing upon the Controller's request.

12. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service, except that:

  • The Processor is liable for damage caused by processing that does not comply with GDPR obligations specifically directed at processors, or that is outside or contrary to the Controller's lawful instructions
  • Liability limitations do not apply where prohibited by GDPR Article 82

13. Term and Amendments

13.1 Term

This DPA is effective for the duration of the service agreement and any period during which the Processor retains Personal Data.

13.2 Amendments

This DPA may be amended to reflect changes in data protection law. The Processor shall notify the Controller at least 30 days before material changes take effect.

14. Governing Law

This DPA is governed by the laws of Finland. Disputes shall be resolved in the courts of Helsinki, Finland, without prejudice to the rights of data subjects under GDPR Article 79.

15. Contact