Legal

Data Processing Agreement

Last updated:

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Lettermint V.O.F. ("Processor", "we", "us", or "our") regarding the processing of personal data in connection with the services provided by Lettermint.

1. Definitions

In this DPA, the terms "personal data", "data subject", "processing", "controller", "processor", and "supervisory authority" have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Scope and Application

This DPA applies when we process personal data on your behalf in the course of providing our email services. By using our services, you acknowledge that you are the Controller of the personal data and that we are the Processor of such data.

3. Details of Processing

3.1 Subject Matter and Purpose

We process personal data to provide email services as described in our Terms of Service, including enabling you to send transactional and bulk emails (campaigns, newsletters, marketing, etc.) and processing inbound mail.

3.2 Duration

We will process personal data for the duration of our agreement with you. Upon termination, we will handle your data as described in Section 9 of this DPA.

3.3 Types of Personal Data

The personal data we process may include:

  • Email addresses and names of recipients
  • Email content
  • Email engagement data (opens, clicks, bounces, etc.)
  • Technical data (IP addresses, device information, browser type, email client)
  • Your account user data
  • Any other personal data you choose to include in emails or upload to our platform

3.4 Categories of Data Subjects

The data subjects may include:

  • Your subscribers, customers, contacts, and employees
  • Recipients of emails you send
  • Any other individuals whose personal data you provide to us

4. Your Obligations as Controller

You represent and warrant that:

4.1 You comply with all applicable data protection laws in relation to the processing of personal data.

4.2 You have a lawful basis for processing the personal data and for disclosing it to us.

4.3 You have provided appropriate privacy notices to data subjects regarding the processing of their personal data.

4.4 You will respond to requests from data subjects regarding their rights under applicable data protection law.

5. Our Obligations as Processor

We shall:

5.1 Process personal data only on your documented instructions, unless required by law to do otherwise.

5.2 Ensure that persons authorized to process the personal data have committed themselves to confidentiality.

5.3 Implement appropriate technical and organizational security measures as described in Section 7.

5.4 Assist you in responding to requests from data subjects and in complying with your obligations regarding security, breach notifications, impact assessments, and consultations with supervisory authorities.

5.5 At your choice, delete or return all personal data after the end of the provision of services.

5.6 Make available to you information necessary to demonstrate compliance with this DPA.

6. Sub-processors

6.1 You provide general authorization for us to engage sub-processors for the processing of personal data, provided that we:

  • Inform you of any intended changes concerning the addition or replacement of sub-processors
  • Impose data protection terms on any sub-processor that protect the personal data to the same standard provided for in this DPA
  • Remain fully liable to you for the performance of the sub-processor's obligations

6.2 We use sub-processors in the following categories:

  • Cloud infrastructure providers for hosting services
  • Email delivery and routing services
  • Analytics and monitoring services
  • Anti-spam and security service providers

6.3 We maintain an up-to-date list of our sub-processors on our website at lettermint.co/subprocessors.

7. Security Measures

We implement and maintain appropriate technical and organizational measures to protect personal data, including:

7.1 Encryption of personal data in transit and at rest

7.2 Systems to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems

7.3 Measures to restore availability and access to personal data in a timely manner in the event of an incident

7.4 Regular testing and evaluation of security measures

7.5 Access controls and authentication mechanisms

7.6 Regular security assessments and vulnerability testing

7.7 Staff training on data protection and security

8. International Data Transfers

8.1 We will not transfer personal data outside the European Economic Area (EEA) or the UK unless:

  • The transfer is to a country or organization that ensures an adequate level of protection
  • The transfer is subject to appropriate safeguards, such as Standard Contractual Clauses
  • A derogation under Article 49 of the GDPR applies

8.2 Where required by applicable law, we will conduct and document transfer impact assessments for international transfers.

9. Data Deletion and Return

9.1 Following the end of the provision of services, we will delete or return all personal data to you, at your choice, and delete existing copies unless storage is required by law.

9.2 Unless instructed otherwise by you in writing, we will delete all personal data within 90 days after the termination of our agreement.

10. Data Subject Rights

10.1 We will promptly notify you of any request received directly from a data subject regarding their personal data and will not respond unless authorized by you.

10.2 We will assist you in fulfilling your obligations to respond to data subject requests, taking into account the nature of the processing.

11. Personal Data Breaches

11.1 We will notify you without undue delay after becoming aware of a personal data breach.

11.2 We will provide you with sufficient information to allow you to meet any obligations to report the breach to supervisory authorities or data subjects.

11.3 We will take reasonable steps to mitigate the effects of and to minimize any damage resulting from the personal data breach.

12. Audit Rights

12.1 We will make available to you information necessary to demonstrate compliance with this DPA.

12.2 Upon reasonable request, we will provide you with:

  • Information about our security practices and measures
  • Relevant certifications or third-party audit reports, if available
  • Responses to reasonable security assessment questionnaires

12.3 Any on-site audits must be conducted during regular business hours, with reasonable advance notice, and subject to our security and confidentiality requirements.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in our Terms of Service.

14. Term and Termination

14.1 This DPA will remain in effect as long as we process personal data on your behalf under our agreement.

14.2 The obligations relating to personal data will survive the termination of this DPA for as long as we retain any personal data.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands, and any disputes shall be subject to the exclusive jurisdiction of the courts of the Netherlands.

16. Amendments

We may update this DPA from time to time. If we make material changes, we will notify you by email or through our service. Your continued use of our services after such notice constitutes your acceptance of the updated DPA.

17. Contact Us

If you have any questions about this DPA, please contact us at legal@lettermint.co.

By using Lettermint's services, you agree to the terms of this Data Processing Agreement. If you would like a signed copy, please contact us at help@lettermint.co.