Data Processing Agreement

Last Updated: December 9, 2024 | Effective Date: December 9, 2024

This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service between MailSentinel and Customer and applies where MailSentinel processes Personal Data on behalf of Customer.

1. Definitions

In this DPA:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Customer" means the entity that has entered into the Terms of Service with MailSentinel.
  • "Customer Data" means any data submitted by Customer to the Service.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, and other applicable regulations.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
  • "Sub-processor" means any third party engaged by MailSentinel to process Personal Data.

2. Scope and Roles

2.1 Scope

This DPA applies to the processing of Personal Data by MailSentinel on behalf of Customer in connection with the Service.

2.2 Roles of the Parties

For the purposes of this DPA:

  • Customer is the Controller of Customer Data.
  • MailSentinel is the Processor of Customer Data.

2.3 Customer Responsibilities

Customer shall ensure that it has all necessary rights, consents, and legal bases to transfer Personal Data to MailSentinel and to authorize the processing described in this DPA.

3. Details of Processing

3.1 Subject Matter

The subject matter of processing is the provision of email authentication monitoring services as described in the Terms of Service.

3.2 Duration

Processing will continue for the duration of the Terms of Service, plus any retention period required by law or specified in the Privacy Policy.

3.3 Nature and Purpose

MailSentinel processes Personal Data to:

  • Receive and analyze DMARC aggregate and forensic reports
  • Monitor email authentication status for Customer domains
  • Provide dashboards, analytics, and alerting services
  • Detect and prevent email spoofing and phishing attempts
  • Generate reports and insights

3.4 Types of Personal Data

Personal Data processed may include:

  • Email addresses (in DMARC forensic reports)
  • IP addresses of sending servers
  • Domain names and DNS information
  • Email authentication results
  • Email header information (in forensic reports)

3.5 Categories of Data Subjects

Data Subjects may include Customer employees, contractors, customers, and any individuals whose email addresses appear in DMARC reports.

4. Processor Obligations

MailSentinel shall:

  • Process Personal Data only on documented instructions from Customer, unless required by law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Assist Customer in responding to Data Subject requests.
  • Assist Customer in ensuring compliance with security, breach notification, impact assessments, and consultation obligations.
  • Delete or return all Personal Data upon termination, unless retention is required by law.
  • Make available information necessary to demonstrate compliance with this DPA.
  • Allow for and contribute to audits and inspections conducted by Customer or its auditor.

5. Security Measures

5.1 Technical Measures

MailSentinel implements the following technical security measures:

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256
  • Multi-factor authentication for system access
  • Regular vulnerability scanning and penetration testing
  • Intrusion detection and prevention systems
  • DDoS protection and web application firewall
  • Automated backup systems with encryption
  • Secure development lifecycle practices

5.2 Organizational Measures

MailSentinel implements the following organizational security measures:

  • Role-based access control with least privilege principle
  • Background checks for employees with access to Personal Data
  • Regular security awareness training for all personnel
  • Documented security policies and procedures
  • Incident response and business continuity plans
  • Regular security audits and assessments
  • SOC 2 Type II attestation program (independent auditor's report on the design and operating effectiveness of controls)

6. Sub-processing

6.1 Authorization

Customer authorizes MailSentinel to engage Sub-processors to process Personal Data. MailSentinel will maintain a list of Sub-processors and make it available upon request.

6.2 Sub-processor Requirements

MailSentinel shall:

  • Enter into written agreements with Sub-processors imposing data protection obligations no less protective than this DPA
  • Conduct due diligence on Sub-processors' data protection practices
  • Remain liable for Sub-processors' compliance with this DPA

6.3 Changes to Sub-processors

MailSentinel will provide 30 days' advance notice before engaging new Sub-processors. Customer may object to new Sub-processors by notifying MailSentinel within 14 days. If a reasonable objection cannot be resolved, Customer may terminate the affected Service.

6.4 Current Sub-processors

Infrastructure:

  • Cloudflare, Inc. (USA) - CDN, DNS, edge computing
  • Neon Inc. (USA) - Database hosting
  • Vercel Inc. (USA) - Web application hosting

Services:

  • Stripe, Inc. (USA) - Payment processing
  • Resend Inc. (USA) - Transactional email

7. Data Subject Rights

7.1 Assistance with Requests

MailSentinel will assist Customer in responding to Data Subject requests to exercise their rights under Data Protection Laws, including requests for access, correction, deletion, restriction, portability, and objection.

7.2 Notification

If MailSentinel receives a Data Subject request directly, it will promptly notify Customer and will not respond to the request directly unless authorized by Customer or required by law.

7.3 Timing

MailSentinel will provide reasonable assistance within 10 business days of receiving a request from Customer.

8. Security Incidents

8.1 Notification

MailSentinel will notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Security Incident affecting Customer Data.

8.2 Notification Contents

The notification will include:

  • Description of the nature of the Security Incident
  • Categories and approximate number of affected Data Subjects
  • Categories and approximate number of affected records
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the incident
  • Contact point for further information

8.3 Cooperation

MailSentinel will cooperate with Customer and take reasonable steps to assist in investigating, mitigating, and remediating Security Incidents.

9. International Data Transfers

9.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA or UK, MailSentinel will ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Transfer to countries with adequacy decisions
  • Binding Corporate Rules (where applicable)

9.2 Standard Contractual Clauses

The EU Standard Contractual Clauses (Module 2: Controller to Processor) are hereby incorporated by reference and apply to transfers of Personal Data from the EEA to third countries. The UK International Data Transfer Addendum applies to transfers from the UK.

10. Audits and Inspections

10.1 Audit Rights

Customer (or its authorized auditor) may audit MailSentinel's compliance with this DPA, subject to reasonable notice and confidentiality obligations.

10.2 Audit Process

  • Customer shall provide at least 30 days' written notice of an audit request
  • Audits shall be conducted during normal business hours and no more than once per year
  • Customer shall bear its own costs for audits
  • Auditors must sign confidentiality agreements

10.3 Certifications and Reports

MailSentinel will make available upon request: SOC 2 Type II reports, penetration testing summaries, and other relevant security certifications.

11. Term and Termination

11.1 Term

This DPA remains in effect for the duration of the Terms of Service.

11.2 Data Return and Deletion

Upon termination of the Terms of Service, MailSentinel will:

  • Provide Customer with 30 days to export Customer Data
  • Delete all Customer Data within 90 days of termination
  • Provide written certification of deletion upon request
  • Retain data only as required by applicable law

12. Liability

Each party's liability under this DPA shall be subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Intentional or willful misconduct
  • Any liability that cannot be limited by law

13. General Provisions

13.1 Conflicts

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

13.2 Amendments

MailSentinel may update this DPA to reflect changes in Data Protection Laws. Material changes will be communicated with 30 days' notice.

13.3 Governing Law

This DPA shall be governed by the same law as the Terms of Service, except where Data Protection Laws require otherwise.

14. Contact Information

For questions about this DPA or to exercise rights under this agreement:

MailSentinel - Data Protection

Data Protection Officer: dpo@mailsentinel.io

Legal: legal@mailsentinel.io

Privacy: privacy@mailsentinel.io