The 60-second version
If you've signed up for Mailapp, this DPA already binds us. EU customers get SCCs Module Two. UK customers get IDTA. HIPAA customers get a BAA on Enterprise. We notify on sub-processor changes 30 days in advance. We support every data-subject right. We notify breaches within 72 hours.
- You don't have to negotiate. The DPA below is the version we sign with every customer.
- Pre-signed by Mailapp's authorised signatory; counter-signature happens by Order Form, click-through, or by you sending a signed copy to hello@mailapp.app.
- SCCs / IDTA attached as Annex IV; Module Two (Controller-to-Processor) controls by default.
- 30 days' advance notice for any new sub-processor; you can object and terminate.
Parties and incorporation
This DPA binds Mailapp and the customer who signed an Order Form or accepted the Terms of Service.
This Data Processing Agreement ("DPA") is entered into between Mailapp ("Processor" or "Mailapp") and the customer identified in the applicable Order Form or click-through registration ("Controller" or "Customer") and forms part of the Master Services Agreement / Terms of Service between the parties (the "Agreement"). In the event of a conflict between this DPA and the Agreement on the subject of data protection, this DPA controls.
Definitions
Defined terms used throughout. They have the meanings given in the GDPR / UK GDPR unless stated otherwise.
- Applicable Data Protection Law — GDPR (Regulation (EU) 2016/679); UK GDPR and DPA 2018; the Swiss FADP; CCPA / CPRA; LGPD; POPIA; PIPEDA; and any other privacy and data-protection laws applicable to processing under the Agreement.
- Customer Personal Data — personal data processed by Mailapp on behalf of Customer.
- SCCs — the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- UK IDTA — the International Data Transfer Addendum to the EU SCCs (Version A1.0) issued by the UK ICO.
- Sub-processor — a third party engaged by Mailapp to process Customer Personal Data.
- Affiliate, Controller, Processor, Data Subject, Personal Data Breach, Processing — as defined in GDPR Articles 4 and 33.
Scope and duration
The DPA applies for as long as Mailapp processes personal data on your behalf — your full Subscription Term, plus 30 days afterwards while you export.
This DPA applies to Mailapp's processing of Customer Personal Data on behalf of Customer for the duration of the Agreement and any post-termination period during which Mailapp retains Customer Personal Data. The subject matter, nature, purpose, duration, categories of data, and categories of data subjects are described in Annex I.
Roles of the parties
You are the Controller (you decide what to collect and why). Mailapp is the Processor. If you're a Processor for your own customers, we are the Sub-processor and act on your documented instructions.
- Customer is the Controller of Customer Personal Data.
- Mailapp is the Processor.
- If Customer is itself a Processor for a third-party Controller, Mailapp is the Sub-processor and Customer warrants that the third-party Controller has consented to Mailapp's engagement on the terms of this DPA.
- The parties may agree in writing to act as independent Controllers for specific limited purposes (e.g., billing, account administration, fraud prevention).
Customer instructions
Mailapp only processes your data on your written instructions, which include using the product itself. If a law requires us to process your data differently, we tell you (unless the law forbids us).
Mailapp will process Customer Personal Data only on Customer's documented instructions. The Agreement (including the configuration of the Services) constitutes Customer's documented instructions. Mailapp will inform Customer if, in its opinion, an instruction violates Applicable Data Protection Law. If Mailapp is required by law to process Customer Personal Data otherwise than on Customer's instructions, Mailapp will inform Customer of that legal requirement before processing, unless prohibited by that law.
Confidentiality
Anyone who touches your data at Mailapp is bound by confidentiality, trained, and limited to need-to-know.
Mailapp will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and have received privacy and security training appropriate to their role.
Security measures
The full technical and organisational measures are in Annex II. Encryption, least-privilege, monitoring, incident response, segregation, business continuity — the lot.
Mailapp will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex II, including:
- pseudonymisation and encryption of personal data, as appropriate;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
- the ability to restore availability and access in a timely manner;
- a process for regularly testing, assessing, and evaluating the effectiveness of the measures.
Sub-processors
Mailapp gets general written authorisation to use sub-processors. The list is public; we give 30 days' notice of changes; you can object and terminate.
Customer grants Mailapp general written authorisation to engage Sub-processors. Mailapp will:
- maintain a current list of Sub-processors at /landing/subprocessors;
- impose on each Sub-processor data-protection obligations no less protective than those in this DPA, through a written contract;
- remain fully liable to Customer for the performance of each Sub-processor's data-protection obligations;
- provide Customer with at least 30 days' advance notice of any intended changes (addition or replacement) to the list of Sub-processors; if Customer reasonably objects, the parties will work in good faith to find an alternative, failing which Customer may terminate the affected Service for a prorated refund.
International transfers
EU/UK/Swiss data moving outside its home region is covered by SCCs, IDTA, or the Swiss recognition — pre-signed and in Annex IV.
For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate by the relevant competent authority, the parties incorporate:
- the EU SCCs (Module Two — Controller-to-Processor; or Module Three — Processor-to-Processor where applicable), pre-signed in Annex IV;
- the UK IDTA where the UK GDPR applies; and
- the Swiss equivalence wording where the Swiss FADP applies.
Mailapp commits to the Data Privacy Framework Principles for EU-US and UK-US transfers covered by the DPF. Mailapp maintains a documented Transfer Impact Assessment and will share a redacted copy on Customer's reasonable request.
Assistance with data-subject requests
If one of your end-recipients exercises a right and contacts us, we route them to you. We help you respond on time.
Taking into account the nature of the processing, Mailapp will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising data-subject rights under Applicable Data Protection Law. If a data subject contacts Mailapp directly, Mailapp will redirect them to Customer (except for requests made under the GDPR Article 27 representative regime where Mailapp serves that role).
Personal Data Breach response
If there's a breach affecting your data, we tell you within 72 hours of becoming aware. We give you everything you need to notify your authority and affected individuals.
Mailapp will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent known:
- the nature of the breach, including categories and approximate numbers of data subjects and records concerned;
- the likely consequences;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects;
- the contact point for further information.
Mailapp will cooperate with Customer to investigate, mitigate, and remediate the breach. Mailapp will not make any public statement attributing a breach to Customer without Customer's prior written consent, except where required by law.
DPIA and prior consultation assistance
We help you complete Data Protection Impact Assessments and, if needed, support your prior-consultation filings.
Mailapp will provide reasonable assistance, on Customer's request, for Data Protection Impact Assessments under Article 35 GDPR and for prior consultations with supervisory authorities under Article 36 GDPR. Standard responses to typical security and privacy due-diligence questionnaires are available on the Trust Center; bespoke assistance is included for Business and Enterprise plans.
Return and deletion of personal data
On termination, you have 30 days to export. Then we delete by cryptographic erasure. We certify deletion on request.
On termination or expiry of the Agreement, Mailapp will, at Customer's choice and Customer's instruction:
- return all Customer Personal Data in a structured, commonly used, machine-readable format; or
- delete all Customer Personal Data and certify deletion in writing.
Customer has a 30-day post-termination window to export Customer Personal Data via the standard export tooling. After that window, Mailapp will delete remaining copies (subject to retention required by law, e.g., billing records) by cryptographic erasure, i.e., destruction of the encryption keys, followed by zeroisation of the storage media when it is rotated out of service.
Audits
You can audit our compliance once a year. We provide Trust Center documentation under NDA so you usually don't need an on-site audit.
- Mailapp will make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR, primarily through its Trust Center documentation and written attestations (the "Audit Materials").
- Customer may, no more than once per twelve-month period (except in response to a Personal Data Breach), request an on-site audit. Customer must provide 30 days' notice; audits will be conducted during business hours, by a qualified auditor mutually acceptable to the parties (no direct competitor of Mailapp), and at Customer's expense. The auditor will execute Mailapp's standard confidentiality terms.
- Customer will share audit findings with Mailapp and keep them confidential.
Liability
Liability under the DPA inherits from the main Agreement — except for things the GDPR makes non-limitable.
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except where Applicable Data Protection Law does not permit such limitations. Nothing in this DPA limits or excludes a data subject's rights against either party under Applicable Data Protection Law.
Annexes (incorporated by reference)
The detailed schedules — what data, what security, what sub-processors, the SCCs.
- Annex I — Description of processing (subject matter, duration, nature, purpose, categories of data, categories of data subjects). Available at /landing/dpa/annex-i.
- Annex II — Technical and organisational security measures. Available at /landing/security and in our SOC 2 / ISO 27001 reports.
- Annex III — Sub-processors. Live list at /landing/subprocessors.
- Annex IV — EU SCCs, UK IDTA, Swiss recognition wording. Pre-signed; download from the privacy team at hello@mailapp.app.
- Annex V — Business Associate Agreement (HIPAA). Available on Enterprise.
Execution
This DPA is pre-executed on behalf of Mailapp by Marisa Tran, General Counsel. Customer's acceptance of the Agreement, or counter-signature of an Order Form referencing this DPA, constitutes Customer's execution of this DPA. For a wet-ink or e-signed counter-signature copy, email hello@mailapp.app.