Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) supplements the Terms of Service (the “Agreement”) between you (“Customer”) and Mailhub SA (Retalk.bot), 30, route de Mondorf, L-5552 Luxembourg (“Company”). By using Retalk.bot, you agree to this DPA. This DPA is effective as of your acceptance of the Agreement.

1. Definitions

  • Affiliate: Any entity controlling, controlled by, or under common control with a party, as long as such control exists.
  • Authorized Sub-Processor: A third party who needs access to Customer’s Personal Data to help Company provide the Services, and who is either (1) listed in Exhibit B or (2) subsequently authorized under Section 4.2.
  • Company Account Data: Personal data relating to Company’s relationship with Customer (e.g., account contacts, billing info).
  • Company Usage Data: Service usage data collected by Company to provide, optimize, and secure the Services.
  • Data Exporter: Customer.
  • Data Importer: Company (Mailhub SA).
  • Data Protection Laws: All applicable data protection laws, including GDPR, UK GDPR, CCPA, Swiss FADP, and others as updated.
  • Personal Data, Processing, Controller, Processor, etc.: As defined in the GDPR.
  • Standard Contractual Clauses (SCCs): The EU and UK SCCs for international data transfers.

2. Relationship of the Parties; Processing of Data

  • Customer acts as controller or processor; Company acts as processor (except for Company Account/Usage Data, see Section 9).
  • Customer is responsible for the lawfulness, quality, and accuracy of Personal Data provided to Company and for its processing instructions.
  • Company will only process Personal Data as needed to provide the Services, as described in the Agreement, this DPA, and Customer’s instructions, unless required by law.
  • After termination, Company will delete or return Personal Data unless required by law to retain it.

3. Confidentiality

  • Company ensures that anyone authorized to process Personal Data is bound by confidentiality.
  • Company may disclose Personal Data to advisors, auditors, or third parties as needed to perform its obligations.

4. Sub-Processors

  • Company may engage sub-processors to help provide the Services. Customer gives general authorization for this.
  • The current list of sub-processors is available at: retalk.bot/legal/subprocessors
  • Company will notify Customer of new sub-processors. Customer may object in writing within 10 days for data protection reasons. If no reasonable alternative is found, Customer may discontinue the affected Service.
  • Company ensures sub-processors are bound by data protection obligations at least as strict as this DPA.

5. Security of Personal Data

  • Company maintains appropriate technical and organizational measures to protect Personal Data (see Exhibit C).

6. International Data Transfers

  • Company may transfer Personal Data outside the EEA/UK/Switzerland as needed to provide the Services, using SCCs or other legal mechanisms.
  • Details of transfers and safeguards are in Exhibits B and C.

7. Data Subject Rights

  • Company will notify Customer of any data subject requests (access, rectification, erasure, etc.) and will assist Customer in responding, where possible.
  • Customer is responsible for handling data subject requests related to its data.

8. Audits and Cooperation

  • Company will provide information and assistance for Customer to demonstrate compliance with Data Protection Laws, including audits (subject to reasonable notice and confidentiality).
  • Company will notify Customer if an instruction appears to violate Data Protection Laws.
  • In case of a Personal Data Breach, Company will notify Customer without undue delay and assist as required by law.

9. Company as Controller

  • For Company Account Data and Company Usage Data, Company acts as an independent controller (for business operations, compliance, security, etc.).
  • Processing is in accordance with the Retalk.bot Privacy Policy.

10. Conflict

  • In case of conflict, the following order applies: (1) SCCs, (2) this DPA, (3) Agreement, (4) Privacy Policy.

Exhibit A: Details of Processing

  • Nature and Purpose: To provide, secure, and improve the Services as described in the Agreement and this DPA.
  • Duration: As long as needed to provide the Services, for legitimate business needs, or as required by law.
  • Categories of Data Subjects: Customer’s employees, contractors, agents, and end users.
  • Categories of Personal Data: Name, email, job title, username, device identifiers, IP address, usage data, and any data provided by Customer or its users.
  • Sensitive Data: Customers must not provide special categories of data (e.g., health, criminal history).

Exhibit B: Sub-Processors and Transfers

  • List of Sub-Processors: retalk.bot/legal/subprocessors
  • Transfers: As needed to provide the Services, as described above.
  • Supervisory Authority: The authority of the Customer’s location (e.g., CNPD Luxembourg).

Exhibit C: Security Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication (MFA, SSO)
  • Regular backups and testing
  • Secure infrastructure (Vercel, Supabase, etc.)
  • Monitoring and logging
  • Data minimization and deletion on request
  • Confidentiality agreements with staff and sub-processors
  • Incident response procedures

Exhibit D: UK Addendum (if applicable)

  • For UK data transfers, the UK Addendum to the SCCs applies, governed by the laws of England and Wales.

For questions, contact help@retalk.bot.