MailSenpai, represented by its Legal Representative, pro tempore (“MailSenpai” or the “Processor”), and the Client, represented by its Legal Representative, pro tempore (“Controller” or the “Client”), have entered into a Software as a Service (SaaS) license agreement for the provision of marketing and transactional communication services and other related services of the Processor, which involves the processing of personal data (hereinafter, the “Agreement”).

This Data Processing Agreement (including its attachments, hereinafter the “DPA”) sets forth the provisions of Article 28 of the General Data Protection Regulation (GDPR) as interpreted by the European Data Protection Board (EDPB) in Opinion 14/2019.

The DPA is entered into between MailSenpai and the Client and serves as an addendum to the Agreement. From the Effective Date, it shall become effective and supersede any previous agreement between the Parties related to the same subject matter (including any amendments or data processing addendums regarding the Processor’s Services), and it shall remain in force for the entire Term of the Agreement.

By signing this DPA on behalf of the Client, you warrant that:

(a) You have the authority to bind the Client to this Data Processing Agreement; and

(b) You are signing this DPA on behalf of the Client.

If you do not have the legal authority to bind the Client to this DPA, please do not sign this agreement and forward it to the appropriate authorized representative.

1. Introduction

The Data Processing Agreement (DPA) reflects the agreement between the parties regarding the processing of the Client’s Personal Data as regulated by European and national legislation.

2. Definitions

2.1 In this DPA, all capitalized terms shall have the following meanings:

Supervisory Authority – means a “supervisory authority” as defined under the GDPR.

MailSenpai – refers to the party providing the service under the Agreement.

Effective Date – means the date on which MailSenpai has signed or otherwise agreed to the effectiveness of the Agreement or the DPA.

Client’s Personal Data – refers to the Client’s personal data processed by MailSenpai in the provision of its services.

Security Documentation – means the documentation made available by MailSenpai regarding the Processor’s Services, as referenced in Appendix 2.

Term – means the period from the Effective Date until the termination of the services provided by MailSenpai under the Agreement.

GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, regarding the protection of individuals concerning personal data processing and the free movement of such data, repealing Directive 95/46/EC.

Incident – means a security breach within MailSenpai, resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the Client’s Personal Data on systems managed or otherwise controlled by MailSenpai.

Notification Email Address – means the email address entered by the Client in the designated section of the privacy contact form, as specified in Article 5.3 of this Agreement.

Additional Instructions – means additional instructions reflecting the parties’ agreement on further conditions governing the processing of certain data concerning specific Processor Services.

European and National Legislation – means the GDPR and the applicable national law of the EU Member State governing the processing of the Client’s Personal Data.

Transfer Mechanisms – means a binding decision issued by the European Commission, allowing the transfer of personal data from the EEA to a third country with an adequate level of data protection. In the absence or ineffectiveness of such a decision, the term includes the Standard Contractual Clauses (SCCs) approved by the European Commission, as well as Binding Corporate Rules (BCRs).

Security Measures – refers to the measures specified in Section 7.1.1 (Security Measures on MailSenpai’s Systems).

EEA – means the European Economic Area.

Processor Services – refers to the services offered under the Agreement, as described in Appendix 1.

Subprocessors – means third parties authorized under this DPA to process the Client’s Personal Data to provide part of the Processor Services and/or any related technical support.

2.2 The terms “Personal Data,” “Data Subject,” “Processor,” “Controller,” and “Processing” have the meanings assigned to them in the GDPR.

2.3 The terms “include” and “including” are illustrative and do not limit the scope of the concept described.

2.4 Any reference to a law, regulation, statute, or other legislative act includes any amendments or updates to such acts over time.

2.5 If this DPA is translated into another language and there is a discrepancy between the Italian text and the translated text, the Italian version shall prevail.

3. Duration

This DPA shall remain in effect for the entire Term and until the Processor deletes all of the Client’s Personal Data.

4. Scope of Application

4.1 Application to Processor Services

This DPA applies only to the services for which the parties have agreed to its application, as specified in the Agreement.

4.2 Application of Additional Instructions

During the Term, the Controller may provide MailSenpai with Additional Instructions, which MailSenpai shall not unreasonably refuse if such instructions are necessary for the Controller to comply with obligations under European and National Legislation.

In all other cases, MailSenpai reserves the right to negotiate with the Controller regarding the content of the Additional Instructions, and will not be required to implement them until an agreement is reached. Once both Parties have confirmed the Additional Instructions, they shall be considered an integral part of this DPA.

4.3 Costs Related to the Implementation of Additional Instructions

The Additional Instructions and/or their integration, modification, or reduction shall not impose additional costs on MailSenpai. If they do, the Controller acknowledges and agrees that any costs arising directly or indirectly from MailSenpai’s compliance with the Additional Instructions shall be solely borne by the Controller.

5. Data Processing

5.1 Roles, Responsibilities, and Instructions

5.1.1 The parties acknowledge and agree that:

(a) Appendix 1 describes the subject and details of the processing of the Client’s Personal Data;

(b) MailSenpai acts as a Processor for the Client’s Personal Data under European and National Legislation;

(c) The Client acts as either a Controller or Processor, as applicable, of the Client’s Personal Data under European and National Legislation;

(d) Each party shall comply with its respective obligations under European and National Legislation in relation to the processing of the Client’s Personal Data.

5.1.2 Authorization by Third-Party Controller

If the Client acts as a Processor on behalf of an Affiliate or a different Controller, the Client represents and warrants to MailSenpai that the instructions and actions of the Client regarding the Client’s Personal Data, including the appointment of MailSenpai, have been authorized by the respective Controller.

5.2 Controller’s Instructions

Under this Data Processing Agreement (DPA), the Controller instructs MailSenpai to process the Client’s Personal Data:

(a) Only in compliance with applicable laws;

(b) Only for the provision of the Processor Services and any related technical support;

(c) As further specified by the Client through the use of the Processor Services (including modifications to settings and/or functionalities of the Processor Services) and any related technical support;

(d) As documented in the Agreement, including this DPA;

(e) To ensure an appropriate level of security relative to the risk, by conducting automated screening checks against predefined control lists, using automated systems capable of detecting contacts acquired or maintained in violation of industry best practices, in order to detect potential abuses and automatically unsubscribe such contacts;

(f) As further documented in any written instruction provided by the Controller to MailSenpai as an additional instruction under this DPA.

5.3 MailSenpai’s Compliance with Instructions

MailSenpai shall comply with the instructions specified in Section 5.2 (Controller’s Instructions) unless European or National Legislation to which MailSenpai is subject requires it to perform different or additional processing of the Client’s Personal Data (e.g., transferring personal data to a third country or an international organization). In such cases, MailSenpai shall promptly inform the Client via the Notification Email Address, unless such legislation prohibits MailSenpai from doing so for important public interest reasons.

6. Data Deletion and Export

6.1 Deletion and Export During the Duration

6.1.1 Processor Services with Export Functionality

To the extent that the Processor Services include functionality that allows the Controller to independently export the Client’s Personal Data in an interoperable format, MailSenpai commits, to the extent possible, to ensuring that this operation remains available throughout the Duration, and in compliance with any additional specific provisions contained in the Agreement.

6.1.2 Processor Services with Deletion Functionality

To the extent that the Processor Services include functionality that allows the Client to independently delete its Personal Data, MailSenpai commits, to the extent possible, to ensuring that this deletion remains available throughout the Duration, unless European and National Legislation requires a longer retention period. In such cases, MailSenpai will process the Client’s Personal Data solely for the purposes and duration defined by such legislation. Any additional specific provisions contained in the Agreement shall remain applicable.

6.2 Deletion Upon Expiration of the Duration

Upon expiration of the Duration, the Client instructs MailSenpai to delete all Client’s Personal Data (including any existing copies) from MailSenpai’s systems in accordance with applicable law. MailSenpai shall execute this instruction as soon as reasonably possible, unless European and National Legislation requires retention, in accordance with Section 6.3 below.

6.3 Method of Deleting Client’s Data

After 10 (ten) days from the Expiration Date or Termination of the Agreement for any reason, MailSenpai shall have the right to delete the data stored on behalf of the Client within the MailSenpai platform, including any remaining credits as specified in the Agreement.

The Client will be able to view and download this data within the above timeframe using the standard functionalities of the MailSenpai Platform.

If access to the MailSenpai platform is suspended due to administrative irregularities, the Client may only regain access after resolving the issue that caused the block.

Notwithstanding the right to delete data, longer retention periods may be required due to circumstances beyond this Agreement, especially in the case of investigations by Law Enforcement Authorities or Regulatory Entities responsible for compliance inspections.

7. Data Security

7.1 Security Measures and Assistance by MailSenpai

7.1.1 Security Measures on MailSenpai’s Systems

MailSenpai will implement and maintain technical and organizational measures to protect the Client’s Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Appendix 2.

Considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing within the Processor Services, as well as the risk probability and severity for the rights and freedoms of natural persons, Appendix 2 shall include at all times security measures designed to:

(a) Encrypt personal data;

(b) Ensure the confidentiality, integrity, availability, and resilience of MailSenpai’s systems and services;

(c) Restore personal data promptly in case of an incident;

(d) Periodically test the effectiveness of these measures.

MailSenpai reserves the right to update or modify its Security Measures, provided that such changes do not reduce the overall security level of the Processor Services.

7.1.2 Security Measures for MailSenpai Personnel

MailSenpai will adopt appropriate measures to ensure compliance with Security Measures by all individuals acting under its authority, including employees, agents, contractors, and Subprocessors, as applicable to their role. This includes ensuring that all persons authorized to process the Client’s Personal Data are bound by confidentiality obligations, in accordance with European and National Legislation.

MailSenpai will also manage all obligations related to the appointment of system administrators responsible for the management and maintenance of the Processor Services, in compliance with the Supervisory Authority’s decision of November 27, 2008.

7.1.3 Data Security Assistance by MailSenpai

MailSenpai will assist the Controller in ensuring compliance with the Controller’s obligations regarding data security and personal data breaches, including (where applicable) the Controller’s obligations under Articles 32 to 34 GDPR, by:

(a) Implementing and maintaining Security Measures in accordance with Section 7.1.1 (Security Measures on MailSenpai’s Systems);

(b) Executing the provisions set forth in Section 7.2 (Data Incidents); and

(c) Providing the Controller with Security Documentation in compliance with Section 7.5.1 (Review of Security Documentation) and other relevant information included in this Data Processing Agreement.

7.2 Data Incidents

7.2.1 Professional Diligence

MailSenpai will apply professional diligence in monitoring the security of the Client’s Personal Data processed through the Processor Services.

7.2.2 Incident Notification

If MailSenpai becomes aware of a Data Incident, it will:

(a) Notify the Controller of the Incident promptly and without undue delay;

(b) Take reasonable steps to mitigate damages and protect the Client’s Personal Data;

(c) Provide cooperation to the Controller in investigating the causes and severity of the Incident.

7.2.3 Incident Details

Notifications made under Section 7.2.2 (Incident Notification) will describe, as far as MailSenpai is aware (including follow-up updates), details of the Incident, including:

The categories and approximate number of affected Data Subjects and records of Personal Data involved;

Potential risks for the Data Subjects;

Measures taken or recommended to the Controller to address the Incident and mitigate its effects.

If specific details cannot be provided within the required timeframe, MailSenpai will notify the Controller of the reason for the delay and provide an initial summary of the breach.

7.2.4 Notification Delivery

MailSenpai will send notifications of any Incident to the Controller’s Designated Notification Email Address.

7.3 Responsibility and Security Assessment by the Controller

7.3.1 Controller’s Responsibility for Security

Without prejudice to MailSenpai’s obligations under Sections 7.1 (Security Measures and Assistance by MailSenpai) and 7.2 (Data Incidents), the Controller acknowledges that it is solely responsible for the use of the Processor Services, including:

Protecting authentication credentials,

Securing systems and devices used to access the Processor Services.

7.4 Security Certification

To evaluate and ensure the continuous effectiveness of Security Measures, MailSenpai may, at its sole discretion, supplement Security Measures and Security Documentation by obtaining certifications, codes of conduct, and/or certification mechanisms.

7.5 Audits and Inspections

7.5.1 Review of Security Documentation

To demonstrate compliance with this Data Processing Agreement, MailSenpai will make available to the Controller all relevant information on technical, organizational, and security measures adopted, including any available Security Documentation, necessary for the Controller’s legal compliance, upon formal written request by the Controller.

7.5.2 Right to Audit by the Controller

The parties agree that:

(a) MailSenpai will contribute to audits and inspections requested by the Controller, either directly or through a designated third party;

(b) Such audits must be conducted without disrupting MailSenpai’s normal operations;

(c) Any information obtained during the audit must be protected by a confidentiality agreement before access is granted.

7.5.3 Additional Conditions for Audits

For conducting an audit:

(a) The Controller must submit an audit request at least 30 (thirty) business days in advance, in accordance with Section 12.1 (MailSenpai’s Contacts). Audits cannot be performed more than once per year and must be spaced at least 12 months apart;

(b) MailSenpai and the Controller must agree in advance on the date, scope, duration, and confidentiality safeguards applicable to the audit;

(c) MailSenpai will not be required to disclose:

(i) Data belonging to any other MailSenpai client;

(ii) Internal accounting or financial information of MailSenpai;

(iii) MailSenpai’s trade secrets and know-how;

(iv) Any information that could compromise the security of MailSenpai’s systems or premises or cause MailSenpai to violate legal or security obligations;

(v) Any information unrelated to ensuring GDPR compliance.

(d) Audits are subject to a specific confidentiality agreement between all involved parties.

7.5.4 Cost Responsibility

The Controller acknowledges and agrees that all costs related to audits conducted under Section 7.5 (Audits and Inspections)—including those of its employees or consultants—shall be borne entirely by the Controller.

8. Impact Assessments and Prior Consultation

MailSenpai agrees (considering the nature of the processing and the information available to it) to provide reasonable assistance to the Controller to ensure compliance with any obligations regarding data protection impact assessments and prior consultation, including the Controller’s obligations under Articles 35 and 36 GDPR.

9. Data Subject Rights

9.1 Responses to Data Subject Requests

MailSenpai ensures adequate protection of Data Subject rights, supporting the Client in fulfilling its obligation to respond to Data Subject requests regarding the exercise of their rights, even if such requests are received directly by MailSenpai.

In such cases, MailSenpai will inform the Data Subject to direct the request to the Controller. In any event, the Controller remains solely responsible for responding to the Data Subject’s request.

9.2 Assistance by MailSenpai for Data Subject Requests

MailSenpai agrees (considering the nature of the processing of Client’s Personal Data) to provide reasonable assistance to the Controller in complying with its obligations regarding Data Subject rights under Chapter III GDPR through:

(a) Making available specific functionalities within the Processor Services, where applicable;

(b) Complying with the commitments set forth in Section 9.1 (Responses to Data Subject Requests).

10. Data Transfers

10.1 Data Storage and Processing Facilities

The Controller acknowledges and authorizes MailSenpai to process (including through Subprocessors) the Client’s Personal Data both within and outside the EEA, provided such processing is supported by appropriate Transfer Mechanisms, as specified in Appendix 3.

11. Subprocessors

11.1 Authorization for the Use of Subprocessors

The Controller grants general authorization for the engagement of Subprocessors for the provision of the Processor Services.

11.2 Information on Subprocessors

MailSenpai agrees to maintain an updated list of its Subprocessors, including relevant details, in Appendix 3 of this Data Processing Agreement.

11.3 Requirements for Engaging Subprocessors

When engaging a Subprocessor, MailSenpai shall:

(a) Ensure through a written contract or other legally binding act that:

(i) The Subprocessor accesses and processes Client’s Personal Data only to the extent necessary to fulfill its subcontracted obligations, in compliance with the Contract (including this Data Processing Agreement) and Transfer Mechanisms;

(ii) The Subprocessor is bound by equivalent data protection obligations as those under Article 28(3) GDPR.

(b) Remain fully responsible for all obligations subcontracted to the Subprocessor.

11.4 Right to Object to Subprocessor Changes

The parties agree that:

(a) During the Term, MailSenpai will notify the Controller at the Notification Email Address of its intention to engage new Subprocessors for processing the Client’s Personal Data. This notification will include the name, activity, country of establishment of the Subprocessor, and the applicable Transfer Mechanism (if relevant).

(b) The Controller may object to the Subprocessor’s engagement if it reasonably and duly justifies that the Subprocessor is not suitable for processing the Client’s Personal Data. The Controller must submit its objection to MailSenpai within 10 days from the notification of the Subprocessor’s engagement.

(c) If an objection is raised, MailSenpai may:

(i) Decide not to engage the Subprocessor for processing the Client’s Personal Data; or

(ii) Terminate the Contract, notifying the Client within 30 days from the Subprocessor’s engagement notification, provided that the Client remains obligated to pay all fees due under the Contract.

(d) If the Controller does not object as per Section 11.4(b), MailSenpai will send the updated Appendix 3 to the Notification Email Address, which will become an integral part of this Data Processing Agreement.

12. MailSenpai’s Contact Information

12.1 Contacting MailSenpai

The Controller may contact MailSenpai regarding any matter in this Data Processing Agreement, using one of the following, in order of precedence:

(a) The email/PEC address specified in the Contract by MailSenpai;

(b) The contact email that MailSenpai uses to receive notifications from the Controller related to this Data Processing Agreement.

13. Conflicts

13.1 Conflicts Between Agreements

In case of conflict or inconsistency between the Contract, this Data Processing Agreement, and Additional Instructions, the following order of precedence applies (unless otherwise specified herein):

(a) Additional Instructions;

(b) Remaining provisions of this Data Processing Agreement;

(c) Remaining provisions of the Contract.

Unless this Data Processing Agreement is amended, the Contract remains fully valid and effective.

13.2 Conflicts with Laws or Regulations

Any provision of the Contract, this Data Processing Agreement, and/or Additional Instructions that conflicts with European and National Legislation shall be deemed omitted and replaced by the applicable legal provision, if it cannot be waived by agreement between the parties.

14. Jurisdiction

In the event of disputes concerning the interpretation or execution of this Data Processing Agreement, the exclusive jurisdiction shall be as specified in the Contract, expressly overriding any different provisions established by laws or international agreements.

Appendix 1 – Data Processing: Scope and Details

Scope

Provision of a platform that enables the User to independently manage marketing campaigns and online communications through messaging channels, as further defined in the Contract.

Duration of Processing

The processing shall last for the Duration plus the period necessary for the deletion of all Client’s Personal Data by MailSenpai, in compliance with the Data Processing Agreement and the Contract provisions.

Nature and Purpose of Processing for the Processor Services

MailSenpai will process Client’s Personal Data for the purpose of providing the Processor Services, in compliance with the instructions set forth in the Data Processing Agreement.

Depending on the Processor Services selected in the Contract, the Client’s Personal Data may include the following.

Types of Data Subjects Involved

Recipients of communications sent by the Client via the Processor Services.

Personal Data Processed

Data collected through tracking technologies and devices (if not disabled by the Client).

Common identifying data (e.g., name, surname, address, email, phone number).

Other data that cannot be determined in advance.

The parties may update the list of personal data types processed in the Processor Services from time to time.

Appendix 2 – Security Measures

Starting from the Effective Date, MailSenpai implements and maintains Security Measures, accessible at the following link: Infrastructure and Security.

MailSenpai may periodically modify or update these Security Measures, provided that such modifications or updates do not deteriorate the overall security of the Processor Services or reduce the agreed level of security.

Appendix 3 – Subprocessors

Certain activities enabling MailSenpai to provide the Processor Services are delegated to Subprocessors:

Cloudflare

Provides network support services and storage for images uploaded by clients, including CDN (Content Delivery Network) and Web Proxy services.

Location: European Union

Transfer Mechanism (if applicable): N/A

Aruba

Provides servers on which the Processor Services are hosted.

Location: European Union

Transfer Mechanism (if applicable): N/A

Hetzner

Provides servers on which the Processor Services are hosted.

Location: European Union

Transfer Mechanism (if applicable): N/A

Register

Provides servers on which the Processor Services are hosted.

Location: European Union

Transfer Mechanism (if applicable): N/A