Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

As of: March 8, 2026

Preamble

This Data Processing Agreement (hereinafter “DPA”) is entered into between:

Controller (Client):
The respective user (hereinafter “Customer”) who registers with emlyx and uses the Service.

Processor (Contractor):
PROXALY OÜ
Sepapaja tn 6, 15551 Tallinn, Estonia
Email: info@proxaly.com
(hereinafter “Provider”)

Customer and Provider are hereinafter individually referred to as a “Party” and collectively as the “Parties”.

This DPA supplements the General Terms and Conditions and the Privacy Policy of emlyx and becomes part of the contract upon the Customer's registration.

1. Subject Matter and Duration of Processing

1.1 The Provider processes personal data on behalf of the Customer in the course of providing the email sending service “emlyx”. The Provider acts as a processor within the meaning of Art. 28 GDPR.

1.2 The duration of data processing corresponds to the term of the main contract (use of the Service pursuant to the Terms and Conditions). This DPA automatically terminates upon termination of the main contract, without prejudice to any deletion obligations pursuant to Section 9 of this DPA.

2. Nature and Purpose of Processing

2.1 The processing serves exclusively the provision of the email sending service, in particular:

  • Acceptance and forwarding of the Customer's emails to the email delivery service
  • Storage of email logs and delivery status information
  • Provision of the dashboard for management and viewing of email data
  • Optional: Open/click tracking (if activated by the Customer)

2.2 The processing is carried out exclusively in accordance with the Customer's instructions (see Section 5) and does not serve any purpose of the Provider's own.

3. Types of Personal Data

3.1 The following categories of personal data are processed in the course of data processing:

  • Email addresses of recipients
  • Sender information (name, email address)
  • Email subject
  • Email content (HTML body)
  • Delivery status (delivered, failed, bounced, etc.)
  • Timestamps (sending time, delivery time)
  • Optional: Open/click tracking data (opening time, clicked links, IP address, user agent)

3.2 Special categories of personal data within the meaning of Art. 9 GDPR are not subject to processing. The Customer is obligated to ensure that no special categories of personal data are processed via the Service, unless they have a sufficient legal basis and appropriate safeguards in place.

4. Categories of Data Subjects

4.1 The following persons are affected by the processing:

  • Recipients of emails sent by the Customer via the Service (e.g., the Customer's customers, newsletter subscribers, website visitors, business partners)

4.2 The specific determination of the data subjects is the responsibility of the Customer as the controller.

5. Rights and Obligations of the Controller (Customer)

5.1 The Customer is responsible for compliance with data protection provisions within the scope of this DPA, in particular for the lawfulness of data processing and the protection of the rights of data subjects (Art. 12–22 GDPR).

5.2 The Customer issues instructions to the Provider regarding the nature, scope, and method of data processing. The instructions are set out in this DPA and in the Terms and Conditions. Individual instructions that go beyond the processing specified in this DPA require written form (email is sufficient).

5.3 The Customer has the right to verify the Provider's compliance with the provisions of this DPA and with data protection regulations (see Section 8).

5.4 The Customer shall inform the Provider immediately if they identify errors or irregularities in the processing of personal data.

6. Obligations of the Processor (Provider)

6.1 Obligation to Follow Instructions

The Provider shall process personal data only on documented instructions from the Customer (Art. 28(3)(a) GDPR), unless required to do so by Union or Member State law. In such a case, the Provider shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

If the Provider is of the opinion that an instruction from the Customer violates data protection regulations, it shall immediately notify the Customer. The Provider is entitled to suspend the execution of the relevant instruction until confirmation or amendment by the Customer.

6.2 Confidentiality

The Provider shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

6.3 Technical and Organizational Measures

The Provider shall implement all technical and organizational measures required pursuant to Art. 32 GDPR to protect the personal data processed. The specific measures are described in Annex 1 (Technical and Organizational Measures) to this DPA.

The Provider shall regularly review the effectiveness of these measures and adapt them to the state of the art as needed. Changes are permissible provided that the level of protection is not reduced.

6.4 Sub-processors

The engagement of sub-processors is governed by Section 7 of this DPA.

6.5 Assistance with Data Subject Rights

The Provider shall assist the Customer, insofar as possible, with appropriate technical and organizational measures in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (Art. 28(3)(e) GDPR), in particular with regard to requests for access, rectification, erasure, and data portability.

If a data subject addresses a request directly to the Provider, the Provider shall forward the request to the Customer without undue delay.

6.6 Assistance with Data Protection Obligations

The Provider shall assist the Customer, taking into account the nature of the processing and the information available to it, in ensuring compliance with the obligations set out in Art. 32–36 GDPR, in particular with regard to:

  • Ensuring the security of processing (Art. 32 GDPR)
  • Notification of personal data breaches to the supervisory authority (Art. 33 GDPR)
  • Notification of data subjects (Art. 34 GDPR)
  • Data protection impact assessments (Art. 35 GDPR)

The Provider shall inform the Customer without undue delay upon becoming aware of a personal data breach.

6.7 Deletion and Return of Data

The deletion and return of personal data is governed by Section 9 of this DPA.

6.8 Audit and Information Rights

The Customer's audit and information rights are governed by Section 8 of this DPA.

7. Sub-processors

7.1 The Customer hereby grants the Provider general written authorization to engage additional processors (sub-processors) for the fulfillment of its contractual obligations (Art. 28(2) GDPR).

7.2 At the time of concluding this DPA, the Provider uses the following sub-processors:

  • Sub-processor: Resend, Inc.
    Address: 2261 Market Street #5039, San Francisco, CA 94114, USA
    Service: Email delivery
    Location: USA

  • Sub-processor: Hetzner Online GmbH
    Address: Industriestr. 25, 91710 Gunzenhausen, Germany
    Service: Hosting, server infrastructure
    Location: Germany / EU

7.3 The Provider shall inform the Customer of any intended changes regarding the addition or replacement of sub-processors. The notification shall be made by email or via the dashboard at least 14 days before the intended change.

7.4 The Customer has the right to object to the intended change within 14 days of receiving the notification. The objection must be substantiated (in particular, data protection concerns). If the Customer raises a substantiated objection, the Parties shall endeavor to reach an amicable solution. If this is not possible, the Customer has a special right of termination at the time of the intended change.

7.5 The Provider shall ensure that a contract is concluded with each sub-processor that imposes at least the same data protection obligations as those set out in this DPA (Art. 28(4) GDPR). The Provider shall be liable to the Customer for compliance with data protection obligations by the sub-processor.

8. Audit Rights and Inspections

8.1 The Provider shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and shall allow for and contribute to audits – including inspections – conducted by the Customer or an auditor mandated by the Customer (Art. 28(3)(h) GDPR).

8.2 On-site inspections are possible under the following conditions:

  • The Customer gives at least 30 days' written notice of the inspection
  • The inspection takes place during normal business hours and must not disproportionately disrupt business operations
  • The auditor is bound by confidentiality obligations
  • Inspections are limited to once per calendar year, unless there is a specific reason (e.g., a data protection incident, a request from a supervisory authority)

8.3 The Provider may alternatively present current certifications, audit reports, or attestations from independent bodies, provided these sufficiently demonstrate compliance with the obligations under this DPA.

8.4 The costs of an inspection shall be borne by the Customer, unless the inspection reveals material violations by the Provider of this DPA.

9. Deletion and Return of Data

9.1 During the term of the contract, data processed on behalf of the Customer shall be stored for the entire duration of the contractual relationship. This includes in particular:

  • Email logs (delivery status, metadata): until account deletion
  • Email content (HTML body): until account deletion
  • Open/click tracking data: until account deletion

9.2 After termination of the main contract, the Provider shall delete all personal data processed on behalf of the Customer within 30 days, unless a legal obligation to retain the data exists (Art. 28(3)(g) GDPR).

9.3 The Customer has the option to export their data via the dashboard before the end of the contract. The Provider shall endeavor – where technically possible – to grant the Customer a period of at least 7 days after the end of the contract for data export.

9.4 The deletion also covers data held by sub-processors. The Provider shall ensure that sub-processors are obligated to delete data in a timely manner.

9.5 The Provider shall confirm the complete deletion to the Customer upon request in writing.

10. Data Transfer to Third Countries

10.1 A transfer of personal data to a third country (outside the EEA) or to an international organization shall only take place on the basis of one of the conditions set out in Art. 44–49 GDPR.

10.2 Insofar as the sub-processor Resend (USA) is used, the data transfer to the USA is based on the following grounds:

  • Primary: Adequacy decision of the European Commission for the EU-US Data Privacy Framework (Art. 45 GDPR)
  • Supplementary / Fallback: EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR in the version of Implementing Decision (EU) 2021/914

10.3 The Provider shall ensure that an adequate level of data protection in accordance with the GDPR is guaranteed for data transfers to third countries. Supplementary measures (e.g., encryption, pseudonymization) shall be taken as needed.

10.4 Should an adequacy decision be revoked or lose its validity, the Provider shall immediately ensure alternative safeguards pursuant to Art. 46 GDPR or cease the data transfer.

11. Final Provisions

11.1 This DPA is governed by the law of the Federal Republic of Germany, unless mandatory data protection provisions of Union law take precedence.

11.2 In the event of conflicts between this DPA and the Terms and Conditions or other agreements between the Parties, the provisions of this DPA shall prevail with regard to the protection of personal data.

11.3 Should individual provisions of this DPA be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The Parties shall replace the invalid provision with a provision that comes closest to the data protection purpose of the invalid provision.

11.4 Amendments and additions to this DPA require written form (email is sufficient). There are no oral side agreements.

11.5 This DPA takes effect upon the Customer's registration with emlyx.

Annex 1: Technical and Organizational Measures (TOMs)

pursuant to Art. 32 GDPR

1. Confidentiality (Art. 32(1)(b) GDPR)

1.1 Access Control

  • API token-based authentication for access to email sending
  • Role-based access control in the dashboard
  • Password protection with bcrypt hashing
  • API tokens are stored with AES-256 encryption

1.2 Separation Control

  • Tenant separation through unique project IDs
  • Logical separation of customer data at the database level

2. Integrity (Art. 32(1)(b) GDPR)

2.1 Transfer Control

  • TLS encryption for all data transfers (HTTPS)
  • Encrypted communication with sub-processors

2.2 Input Control

  • Logging of email sending operations with timestamps
  • Traceability via the dashboard (email logs)

3. Availability and Resilience (Art. 32(1)(b), (c) GDPR)

  • Hosting with Hetzner Cloud (data centers in Germany)
  • Automatic database backups
  • System availability monitoring

4. Regular Review Procedures (Art. 32(1)(d) GDPR)

  • Regular review and updating of technical and organizational measures
  • Adaptation to the state of the art