Data Processing Agreement

Last updated: May 29, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between MailVeriQ Technologies ("Processor", "we", "us") and the customer organization ("Controller", "you") for the provision of the MailVeriQ Gateway service. This DPA sets forth the terms and conditions under which the Processor shall process Personal Data on behalf of the Controller.

1. Definitions

For the purposes of this DPA, the following definitions apply:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor in the course of providing the MailVeriQ Gateway service.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
• "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
• "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
• "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA, and any other applicable data protection legislation.

2. Scope and Purpose of Processing

The Processor shall process Personal Data solely for the purpose of providing the MailVeriQ Gateway service as described in the principal agreement, including:

• Receiving, scanning, and routing outbound email messages through the DLP gateway
• Applying data loss prevention policies configured by the Controller
• Quarantining flagged email messages and managing approval workflows
• Generating audit logs, compliance reports, and analytics
• Providing technical support and maintaining service availability

The categories of Personal Data processed may include email addresses, names, email content, attachment content, metadata (timestamps, IP addresses), and any personal data contained within outbound email messages processed through the gateway.

3. Controller and Processor Roles

The Controller determines the purposes and means of processing Personal Data. The Controller is responsible for ensuring that it has a lawful basis for processing and that appropriate notices have been provided to Data Subjects.

The Processor shall process Personal Data only on documented instructions from the Controller, except where required to do so by applicable law. The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require it for the performance of the services.

5. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, at a minimum:

• AES-256-GCM encryption for all Personal Data at rest
• TLS 1.3 encryption for all Personal Data in transit
• Database-level tenant isolation using PostgreSQL Row-Level Security
• Role-based access control with least-privilege principles
• Multi-factor authentication for all personnel with access to production systems
• Regular vulnerability assessments and penetration testing
• Immutable audit logging of all data access and processing operations
• Automated monitoring and alerting for anomalous access patterns

6. Sub-Processors

The Controller provides general authorization for the Processor to engage Sub-Processors to assist in providing the service. The Processor shall:

• Maintain a current list of Sub-Processors and make it available to the Controller upon request
• Notify the Controller at least 30 days in advance of any intended changes to Sub-Processors
• Enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those set forth in this DPA
• Remain fully liable to the Controller for the performance of each Sub-Processor's obligations

If the Controller objects to a new Sub-Processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If the objection cannot be resolved, the Controller may terminate the affected service without penalty.

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law. The Processor shall:

• Promptly notify the Controller if it receives a request from a Data Subject directly
• Not respond to Data Subject requests without the Controller's prior written authorization, unless required by law
• Provide reasonable technical and organizational assistance to enable the Controller to fulfill access, rectification, erasure, portability, and restriction requests

8. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, the Processor shall:

• Notify the Controller without undue delay and in no event later than 72 hours after becoming aware of the breach
• Provide the Controller with sufficient information to enable the Controller to meet its notification obligations under Applicable Data Protection Law, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
• Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
• Document all Data Breaches, including the facts, effects, and remedial actions taken

9. Data Return and Deletion

Upon termination or expiration of the principal agreement, the Processor shall, at the Controller's election:

• Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format within 30 days of the request
• Delete all Personal Data from the Processor's systems, including backups, within 90 days of termination, unless retention is required by applicable law
• Provide written certification of deletion upon the Controller's request

During the transition period, the Processor shall continue to apply all protections required by this DPA.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law. The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits, subject to the following conditions:

• Audits shall be conducted no more than once per calendar year, unless a Data Breach or regulatory investigation necessitates additional review
• The Controller shall provide at least 30 days' written notice prior to an audit
• Audits shall be conducted during normal business hours with minimal disruption to the Processor's operations
• The Controller shall bear the costs of the audit, unless the audit reveals material non-compliance by the Processor
• The Processor may satisfy audit requests by providing the Controller with copies of relevant third-party audit reports (SOC 2, ISO 27001) where applicable

11. International Data Transfers

The Processor shall not transfer Personal Data to a country outside of the Controller's designated processing region without the Controller's prior written consent. Where international transfers are necessary, the Processor shall ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission, as applicable
• Adequacy decisions recognized by the relevant data protection authority
• Any other transfer mechanism permitted under Applicable Data Protection Law

Enterprise customers may designate specific AWS regions for data processing and storage during tenant onboarding. The Processor shall ensure that data remains within the designated region unless explicitly authorized otherwise.

12. Term and Termination

This DPA shall remain in effect for the duration of the principal agreement. The obligations of the Processor with respect to the protection of Personal Data shall survive the termination of this DPA for as long as the Processor retains any Personal Data processed on behalf of the Controller.

13. Contact

For questions about this Data Processing Agreement or to request a signed copy:
Email: legal@mailveriq.com
MailVeriQ Technologies
Legal & Privacy Team