packetmail
Legal · version 2026-04-12

Data Processing Addendum

Last updated April 12, 2026 · Questions? legal@packetmail.app

This Data Processing Addendum ("DPA") forms part of the agreement between Packetmail ("Processor") and you, the customer ("Controller"), for the use of Packetmail (the "Service"). It applies whenever the Service processes personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or comparable laws.

1. Definitions

Capitalised terms not defined here have the meaning given to them in Article 4 GDPR. "Customer Data" means personal data the Controller submits to the Service for processing.

2. Subject matter and duration

The Processor processes Customer Data on behalf of the Controller for the purpose of providing the Service, as described in our Terms of Service. Processing continues for the duration of the Controller's account, plus a short retention window thereafter.

3. Nature and purpose of processing

  • Transmitting email messages to the recipients specified by the Controller.
  • Recording delivery, bounce, complaint, and engagement events.
  • Maintaining suppression lists to honour unsubscribe and bounce signals.
  • Surfacing operational analytics to the Controller via dashboards and APIs.

4. Categories of data subjects and personal data

Data subjects: the Controller's customers, prospects, employees, or any other individual the Controller chooses to message via the Service.

Personal data: email addresses, names, message content, IP addresses (for engagement events), device information, and any other personal data embedded in messages by the Controller.

5. Processor obligations

The Processor will:

  • Process Customer Data only on documented instructions from the Controller, including for international transfers.
  • Ensure that personnel authorised to process Customer Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures, including encryption, access controls, and audit logging.
  • Assist the Controller in meeting data subject requests and security obligations.
  • Notify the Controller of any personal data breach without undue delay (and in any case within 48 hours).
  • Delete or return Customer Data at the end of the Service relationship, except where retention is legally required.

6. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed in our Privacy Policy. The Processor will give at least 30 days' notice of any new sub-processor and provide the Controller a reasonable opportunity to object.

7. International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, the parties rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914) or the UK International Data Transfer Addendum, as applicable.

8. Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits are subject to reasonable notice and confidentiality obligations.

9. Liability

The liability of each party under this DPA is subject to the limitation of liability provisions in the Terms of Service.

10. Acceptance

This DPA is automatically accepted on behalf of the Controller upon agreement to our Terms of Service. Enterprise customers may request a counter-signed copy by emailing legal@packetmail.app.