Legal

Data Processing Agreement (DPA)

Last updated:

Need a signed copy?

Some organizations require a countersigned DPA for their records. Use the form at the bottom of this page to request one.

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between you ("Controller") and Lettermint B.V. ("Processor", "we", "us", or "our") regarding the processing of personal data in connection with the services provided by Lettermint.

1. Definitions

In this DPA, the terms "personal data", "data subject", "processing", "controller", "processor", and "supervisory authority" have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR"). "Controller Personal Data" means any personal data processed by us on your behalf as Processor under this DPA.

2. Scope and Application

This DPA applies when we process personal data on your behalf in the course of providing our email services. By using our services, you acknowledge that you are the Controller of the personal data and that we are the Processor of such data.

3. Details of Processing

3.1 Subject Matter and Purpose

We process personal data to provide email services as described in our Terms and Conditions, including enabling you to send transactional email and broadcast email (campaigns, newsletters, marketing, etc.) and processing inbound email.

3.2 Duration

We will process personal data for the duration of our agreement with you. Upon termination, we will handle your data as described in Section 9 of this DPA.

3.3 Types of Personal Data

The personal data we process may include:

  • Email addresses and names of recipients
  • Email content
  • Email engagement data (opens, clicks, bounces, etc.)
  • Technical data (IP addresses, device information, browser type, email client)
  • Your account user data
  • Any other personal data you choose to include in emails or upload to our platform

3.4 Categories of Data Subjects

The data subjects may include:

  • Your subscribers, customers, contacts, and employees
  • Recipients of emails you send
  • Any other individuals whose personal data you provide to us

4. Your Obligations as Controller

You represent and warrant that:

4.1 You comply with all applicable data protection laws in relation to the processing of personal data.

4.2 You have a lawful basis for processing the personal data and for disclosing it to us.

4.3 You have provided appropriate privacy notices to data subjects regarding the processing of their personal data.

4.4 You will respond to requests from data subjects regarding their rights under applicable data protection law.

5. Our Obligations as Processor

We shall:

5.1 Process personal data only on your documented instructions, unless required by law to do otherwise.

5.2 Ensure that persons authorized to process the personal data have committed themselves to confidentiality.

5.3 Implement appropriate technical and organizational security measures as described in Section 7.

5.4 Assist you in responding to requests from data subjects and in complying with your obligations regarding security, breach notifications, impact assessments, and consultations with supervisory authorities.

5.5 At your choice, delete or return all personal data after the end of the provision of services.

5.6 Make available to you information necessary to demonstrate compliance with this DPA.

6. Sub-processors

6.1 You provide general authorization for us to engage sub-processors for the processing of Controller Personal Data, provided that we:

  • Notify you at least 10 calendar days in advance of any intended addition or replacement of a sub-processor
  • Impose data protection terms on any sub-processor that protect the personal data to the same standard provided for in this DPA
  • Remain fully liable to you for the performance of the sub-processor's obligations

6.2 You may object to the appointment of a new or replacement sub-processor within 7 calendar days of receiving notice. If you raise a reasonable objection, we will use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available, either party may terminate the affected part of the services.

6.3 Sub-processors that process Controller Personal Data on our behalf are listed at lettermint.co/subprocessors.

6.4 We may also use service providers for our own business operations (such as payment processing, internal communication, and business analytics) that do not process Controller Personal Data. These providers are not sub-processors within the meaning of this DPA.

7. Security Measures

We implement and maintain appropriate technical and organizational measures to protect personal data, including:

7.1 Encryption of personal data in transit using TLS 1.2 or higher, and encryption at rest

7.2 Multi-factor authentication (MFA) for all administrative access

7.3 Role-based access controls limiting access to personal data to authorized personnel on a need-to-know basis

7.4 24/7 monitoring and logging of access to systems processing personal data

7.5 All processing of Controller Personal Data takes place on infrastructure located within the EU/EEA

7.6 Automated daily encrypted backups

7.7 Systems to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems

7.8 Regular testing, assessment, and evaluation of the effectiveness of security measures

7.9 Staff training on data protection and security

7.10 Detailed documentation of our security practices is available at trust.lettermint.co.

8. International Data Transfers

8.1 All processing of Controller Personal Data takes place within the EU/EEA. Our infrastructure is located in France and other EU/EEA member states.

8.2 We may use service providers for our own business operations that are located outside the EU/EEA. These providers do not process Controller Personal Data and are not sub-processors within the meaning of this DPA (see Section 6.4).

8.3 In the event that a transfer of Controller Personal Data outside the EU/EEA becomes necessary, we will ensure that:

  • The transfer is to a country or organization that ensures an adequate level of protection
  • The transfer is subject to appropriate safeguards, such as Standard Contractual Clauses
  • A derogation under Article 49 of the GDPR applies

8.4 Where required by applicable law, we will conduct and document transfer impact assessments for international transfers.

9. Data Deletion and Return

9.1 Following the end of the provision of services, we will delete or return all personal data to you, at your choice, and delete existing copies unless storage is required by law.

9.2 You must provide instructions regarding the deletion or return of personal data within 14 days of the termination of our agreement. We will comply with such instructions within 30 days.

9.3 If no instructions are received within the 14-day period, we will delete all personal data within 30 days after the termination of our agreement.

10. Data Subject Rights

10.1 We will forward any request received directly from a data subject regarding their personal data to you within 24 hours of receipt and will not respond unless authorized by you.

10.2 We will provide reasonable assistance in fulfilling your obligations to respond to data subject requests within 5 business days of your request, taking into account the nature of the processing.

11. Personal Data Breaches

11.1 We will notify you within 24 hours of becoming aware of a personal data breach.

11.2 We will provide you with sufficient information to allow you to meet any obligations to report the breach to supervisory authorities or data subjects.

11.3 We will take reasonable steps to mitigate the effects of and to minimize any damage resulting from the personal data breach.

12. Audit Rights

12.1 We will make available to you information necessary to demonstrate compliance with this DPA.

12.2 Upon reasonable request, we will provide you with:

  • Information about our security practices and measures
  • Relevant third-party audit reports or certifications (ISO 27001 or equivalent, when available) in lieu of individual audits
  • Responses to reasonable security assessment questionnaires

12.3 On-site audits are available to customers with a monthly spend of EUR 25,000 or more. Such audits must be:

  • Requested with at least 45 calendar days' advance written notice
  • Conducted during regular business hours
  • Subject to our security and confidentiality requirements
  • Limited to once per calendar year, unless required by a supervisory authority or following a personal data breach

12.4 The costs of any on-site audit shall be borne by you, unless the audit reveals a material breach of this DPA by us.

13. Liability

13.1 Our aggregate liability arising out of or related to this DPA shall not exceed the total fees paid by you in the 12 months preceding the event giving rise to the claim, or any liability imposed by applicable law, whichever is greater.

13.2 The limitation in Section 13.1 does not apply to liability arising from:

  • Intent or deliberate recklessness on the part of Lettermint and/or its management
  • Breach of confidentiality obligations
  • Liability that cannot be limited under applicable law

13.3 Any further limitations of liability are as set forth in our Terms and Conditions.

14. Term and Termination

14.1 This DPA will remain in effect as long as we process personal data on your behalf under our agreement.

14.2 The obligations relating to personal data will survive the termination of this DPA for as long as we retain any personal data.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands, and any disputes shall be subject to the exclusive jurisdiction of the courts of the Netherlands.

16. Amendments

We may update this DPA from time to time. If we make material changes, we will notify you by email or through our service at least 30 days before the changes take effect. If you do not agree with the changes, you may terminate the agreement before the new version takes effect. Your continued use of our services after the changes take effect constitutes your acceptance of the updated DPA.

17. Contact Us

If you have any questions about this DPA, please contact us at legal@lettermint.co.

By using Lettermint's services, you agree to the terms of this Data Processing Agreement. Need a signed copy? Request one below.


Request a signed DPA

Need a countersigned copy for your compliance records? Click the button below to fill out a short request form and we'll get it to you shortly.