
Data Processing Agreement (DPA)

Effective on the date you accept the SmartMailing Terms of Service. Last updated: May 27, 2026.

This Data Processing Agreement ("DPA") forms part of the SmartMailing Terms of Service between Ionuț-Săndel Badiu, sole proprietor at Nordbahnstraße 13/11, 1020 Vienna, Austria, GISA-Zahl 39386489 ("SmartMailing," "Processor") and the customer using the SmartMailing platform ("Customer," "Controller"). It governs SmartMailing's processing of personal data on behalf of the Customer in connection with the Service.

Where this DPA conflicts with the Terms of Service, this DPA controls for data protection matters. Capitalized terms not defined here have the meaning given in the Terms of Service or in the GDPR (Regulation (EU) 2016/679).

1. Subject matter, nature, purpose and duration

Subject matter: SmartMailing processes personal data of the Customer's subscribers (the "Customer Personal Data") in connection with providing the Service — namely, an email-marketing platform that lets the Customer collect, organize, segment, and email subscribers.

Nature of processing: storage, organization, structuring, retrieval, consultation, transmission (sending of emails on Customer's instruction), erasure, and destruction.

Purpose of processing: performing the Service Customer subscribed to. SmartMailing does not process Customer Personal Data for its own purposes.

Duration: for as long as the Customer's account is active, plus the return and deletion period set out in Section 11 (a 30-day export window after termination, deletion from active systems within a further 14 days, and backup rotation for up to 30 days after that).

2. Types of personal data and categories of data subjects

Data subjects: individuals who have subscribed (or who the Customer claims have subscribed) to the Customer's mailing lists; recipients of emails the Customer sends through the Service; visitors to the Customer's hosted subscribe form.

Categories of data:

  • Contact data: email address, name (if provided), language preference
  • Subscription metadata: list memberships, custom fields the Customer defines, opt-in source, IP address at signup (if captured), user agent
  • Consent records: text shown to the data subject, source, date, IP, attestation by the Customer
  • Email engagement data: send / delivery / open / click / bounce / complaint events with timestamps
  • Suppression entries: addresses the Customer must never email (unsubscribed, bounced, complained, GDPR-deleted)

SmartMailing does not knowingly process special-category data (Article 9 GDPR) on behalf of the Customer. The Customer agrees not to upload such data through the Service.

3. Customer obligations (Controller responsibilities)

  • Maintain a lawful basis (Article 6 GDPR) for every subscriber added to the Service. For subscriber lists migrated from another platform, the Customer must attest to prior consent and provide the original consent text via SmartMailing's import flow.
  • Provide all required notices to data subjects (privacy notice, opt-in language, unsubscribe mechanism) and respond to data-subject requests directed to the Customer.
  • Use Double Opt-In (DOI) where required by applicable law or supervisory-authority guidance (notably under the national transpositions of the ePrivacy Directive 2002/58/EC in the DACH countries, where DOI is the accepted way to evidence consent for marketing email).
  • Process only personal data the Customer is authorized to process.
  • Issue instructions to SmartMailing only through the documented features of the Service (API, dashboard, etc.). Out-of-band instructions are not effective.

4. Processor obligations (SmartMailing)

SmartMailing will:

  • Process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers outside the EEA — except where required by EU or Member State law (in which case SmartMailing informs the Customer in advance unless prohibited from doing so).
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see Section 7).
  • Assist the Customer in responding to data-subject requests (Articles 15–22 GDPR) using built-in features and, where needed, technical support.
  • Assist the Customer in complying with Articles 32–36 GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to SmartMailing.
  • At the Customer's choice, delete or return all Customer Personal Data after the end of the Service (see Section 11).
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR.

5. Sub-processors

The Customer authorizes SmartMailing to engage sub-processors to provide the Service. The current list (with location and transfer mechanism) is maintained in the SmartMailing Privacy Policy, Section 3.

SmartMailing will give the Customer at least 14 days' advance notice (by email or in-app notification) before adding or replacing a sub-processor that processes Customer Personal Data. If the Customer objects on reasonable data-protection grounds, the Customer may terminate the affected portion of the Service.

Each sub-processor is bound by data-protection obligations no less protective than those set out in this DPA, by written contract or by reference to applicable framework agreements (e.g. Supabase DPA, Resend DPA, OpenAI Enterprise DPA, Stripe DPA).

6. International data transfers

Customer Personal Data is processed primarily in Switzerland (covered by the EU adequacy decision) via Supabase. Where data is transferred to processors outside the EEA without an adequacy decision (notably the United States via Resend, OpenAI, Anthropic, Stripe, Cloudflare, Vercel, and Hostinger), SmartMailing relies on the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented by technical and organizational safeguards (TLS in transit, encryption at rest, access controls, signed webhooks).

SmartMailing has carried out an internal Transfer Impact Assessment following the EDPB Recommendations 01/2020 issued after the Schrems II judgment. A summary is available to the Customer on request.

7. Security measures

SmartMailing implements and maintains the following technical and organizational measures:

  • TLS 1.2+ for all data in transit
  • Encryption at rest for stored personal data
  • Database row-level security (RLS) policies enforcing tenant isolation: queries made with a customer's credentials can only reach that customer's rows. RLS does not constrain the privileged database service role, which is why that role is confined to server-side code (see below)
  • Bcrypt/argon2-hashed authentication credentials (managed by Supabase Auth)
  • HMAC-SHA256 signature verification on inbound webhooks
  • API keys stored only as SHA-256 hashes; plaintext shown to the customer once at creation
  • Audit logging of consent events, suppressions, GDPR deletions, and webhook events
  • Role-based access controls; service-role credentials are restricted to server-side code with strict scope
  • Rate limiting and abuse prevention on public endpoints
  • Regular review of dependencies for known vulnerabilities

Detailed security descriptions are reviewed at least annually and updated as the Service evolves.

8. Personal-data breach notification

SmartMailing notifies the Customer without undue delay — and where feasible within 48 hours — of becoming aware of a personal-data breach affecting Customer Personal Data. The notification includes: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed, and contact details for further information.

The Customer is responsible for notifying its data subjects and the competent supervisory authority where required by Articles 33–34 GDPR; SmartMailing will provide reasonable assistance.

9. Assistance with data-subject requests

SmartMailing provides built-in features that let the Customer self-serve most data-subject requests:

  • Access — the dashboard exposes each subscriber's data, consent records, list memberships, and engagement history
  • Rectification — editable fields on each subscriber row
  • Erasure — "GDPR Delete" button on each subscriber, which deletes the subscriber record and all records linked to it and writes a suppression entry so the address is not re-added by a later import
  • Restriction of processing — manual suppression with note
  • Portability — subscriber export and full account export endpoints
  • Object — every email contains a one-click unsubscribe link, and the preference center allows granular opt-outs

Where a request cannot be self-served, SmartMailing assists the Customer at no additional charge for reasonable volumes.

10. Audit rights

Once per calendar year, and at the Customer's expense, the Customer may audit SmartMailing's compliance with this DPA by requesting a written self-attestation accompanied by relevant documentation (privacy policy, security overview, sub-processor list, breach history). On-site audits are not necessary given the scale of the Service and the use of audited sub-processors; if the Customer's own regulator demands one, the parties will agree on scope in good faith.

11. Termination — return and deletion

Upon termination of the Service or at the Customer's written request, SmartMailing will:

  • Make Customer Personal Data available for export (JSON format) for 30 days following termination
  • After 30 days, delete all Customer Personal Data from active systems within 14 days, except where retention is required by law (e.g. billing records, Austrian §132 BAO 7-year retention) or where the data is on the suppression list (retained indefinitely to honor opt-outs)
  • Confirm deletion in writing on Customer request

Backups containing Customer Personal Data are retained for up to 30 days after the active-system deletion and are overwritten in the regular backup-rotation cycle.

12. Liability

Each party's liability under this DPA is limited as set out in the Terms of Service, except that nothing in this DPA limits either party's liability for breach of its data-protection obligations where such a limitation is prohibited by law.

13. Governing law and forum

This DPA is governed by Austrian law, excluding conflict-of-laws rules. The competent forum is the courts of Vienna, Austria, to the extent permitted by law.

14. Contact

For data-protection inquiries under this DPA, contact [email protected].