Data Processing Addendum (DPA)
This DPA forms part of the Mailly.io Terms & Conditions and applies to Processing of Personal Data under Data Protection Laws.
Service Provider / Processor: UnderBoss Media LLC, Casper, Wyoming, United States (“Mailly”, “Processor”).
Contact: privacy@mailly.io | support@mailly.io
- You (the Customer) are typically the Controller for Prospect/lead data you upload.
- Mailly is your Processor and will process Personal Data only on documented instructions.
- This DPA includes cross-border transfer safeguards, including EU SCCs and (if needed) the UK Addendum.
1. Definitions
Capitalized terms not defined here have the meaning in the Terms & Conditions. In this DPA:
- “Controller”, “Processor”, “Personal Data”, “Processing” have the meanings in the GDPR.
- “Customer” means the entity or person using the Service under a Subscription Plan (Controller unless stated otherwise).
- “Data Protection Laws” means applicable laws relating to data protection and privacy, including (where applicable) GDPR, UK GDPR, Swiss FADP, and relevant implementing laws.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Subprocessor” means a Processor engaged by Mailly to Process Personal Data on behalf of Customer.
- “SCCs” means the EU Standard Contractual Clauses adopted by the European Commission (2021/914 or successor).
- “UK Addendum” means the UK International Data Transfer Addendum to the EU SCCs (or successor instrument).
2. Scope & Relationship
This DPA applies to Processing of Personal Data by Mailly on behalf of Customer in connection with providing the Service. Customer is the Controller of Customer Personal Data (including Prospect data uploaded to the Service), and Mailly is the Processor, except where Customer acts as Processor for a third party Controller, in which case Customer warrants it has authority to enter into this DPA.
3. Processing Instructions
3.1 Documented Instructions
Mailly will Process Personal Data only on documented instructions from Customer, including as necessary to provide the Service, as set out in the Terms, Subscription Plan, Customer configurations, and this DPA, unless required to do otherwise by applicable law. If Mailly is required by law to Process Personal Data outside Customer’s instructions, Mailly will (to the extent legally permitted) inform Customer.
3.2 Customer Responsibilities
Customer is responsible for: (a) determining lawful basis for Processing, (b) providing required notices to Data Subjects, (c) honoring Data Subject rights requests, (d) ensuring the legality of outreach activities (including spam/e-privacy laws), and (e) the accuracy, quality, and legality of Customer Personal Data provided to Mailly.
4. Confidentiality
Mailly will ensure persons authorized to Process Personal Data are subject to confidentiality obligations and receive appropriate privacy/security training.
5. Security Measures
5.1 Technical and Organizational Measures
Mailly will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Incidents, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing. Such measures include, as appropriate:
- Access controls (least privilege), authentication, and role-based access management
- Encryption in transit and security controls for data at rest where appropriate
- Logging and monitoring for abnormal access patterns
- Vulnerability management and patching practices
- Backup and recovery procedures for Service continuity (where applicable)
- Segregation of Customer environments where feasible
5.2 Customer Security
Customer is responsible for securing its own systems, credentials, devices, and integrations used to access the Service, including ensuring authorized users maintain strong passwords and appropriate access controls.
6. Subprocessors
6.1 Authorization
Customer grants Mailly a general authorization to engage Subprocessors to provide the Service. Mailly will impose data protection obligations on Subprocessors that are no less protective than those in this DPA.
6.2 Subprocessor List & Changes
A current list of key Subprocessors may be provided within the Service, on our website, or upon request at privacy@mailly.io. Mailly may add or replace Subprocessors. Where required by Data Protection Laws, Mailly will provide reasonable notice of material Subprocessor changes and allow Customer to object on reasonable grounds. If Customer objects and the parties cannot resolve the objection, Customer may terminate the affected Service portion without penalty for the remainder of the then-current Subscription Period (to the extent required by law).
7. Data Subject Rights Assistance
Considering the nature of Processing, Mailly will provide reasonable assistance to Customer to respond to Data Subject requests (access, deletion, correction, restriction, portability, objection), to the extent Customer cannot address such requests independently. If Mailly receives a request directly from a Data Subject relating to Customer Personal Data, Mailly will (where legally permitted) redirect the Data Subject to Customer.
8. Assistance with Compliance (Art. 32–36 GDPR)
Upon Customer’s reasonable request and taking into account the nature of Processing and information available to Mailly, Mailly will provide reasonable assistance with:
- security obligations (Art. 32)
- Security Incident notifications (Art. 33–34)
- data protection impact assessments (DPIAs) (Art. 35)
- prior consultations with supervisory authorities (Art. 36)
Such assistance may be subject to additional fees if it requires substantial effort beyond standard support.
9. Security Incident Notification
Mailly will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data. Mailly’s notification will include, where available: (a) nature of the incident, (b) categories and approximate number of affected Data Subjects and records, (c) likely consequences, and (d) measures taken or proposed to address the incident. Mailly will take reasonable steps to mitigate and remediate the incident.
Customer is responsible for any required notifications to supervisory authorities and Data Subjects, unless otherwise required by law.
10. Deletion or Return of Personal Data
Upon termination or expiry of the Service, Mailly will, at Customer’s option and to the extent available in the Service: (a) delete Customer Personal Data, or (b) return it to Customer in a commonly used format, unless law requires continued retention. Mailly may retain limited Personal Data (e.g., logs, billing records) as required by law or for legitimate purposes such as security and fraud prevention.
11. Audits & Compliance Reports
Mailly will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where required by Data Protection Laws, Customer may conduct an audit of Mailly’s Processing of Customer Personal Data, subject to: (a) reasonable advance notice, (b) scope limited to data protection controls relevant to the Service, (c) confidentiality obligations, (d) minimal disruption, and (e) no more than once per 12 months unless a Security Incident or regulator request justifies more. Mailly may satisfy audit requests by providing third-party security documentation or summaries where appropriate.
12. International Data Transfers
12.1 Transfers from EEA/UK/Switzerland
Where Data Protection Laws restrict cross-border transfers, the parties agree that the SCCs (and, where applicable, the UK Addendum and/or Swiss addendum) apply to transfers of Customer Personal Data from the EEA/UK/Switzerland to countries not recognized as providing adequate protection.
12.2 EU Standard Contractual Clauses (SCCs)
The SCCs are incorporated by reference and apply as follows (to the extent the SCCs are required):
- Module: Module Two (Controller to Processor) applies where Customer is Controller and Mailly is Processor.
- Optional Clauses: Docking clause (Clause 7) applies; Clause 9 (Use of Subprocessors) uses Option 2 (general authorization); Clause 11 (Redress) is not selected; Clause 17 (Governing law) is Ireland; Clause 18 (Forum) is Ireland.
- Annexes: The SCC Annexes are completed by Annex 1 (Details of Processing), Annex 2 (TOMs), and Annex 3 (Subprocessors) below.
12.3 UK Addendum
For transfers subject to UK GDPR, the UK Addendum is incorporated and forms part of this DPA. The SCCs are amended as required by the UK Addendum.
12.4 Swiss Transfers
For transfers subject to Swiss law, the SCCs apply with modifications as required under Swiss data protection requirements (e.g., references to GDPR include Swiss FADP where applicable and the competent authority is the Swiss FDPIC).
13. Regional Terms
13.1 CCPA/CPRA (California) – Service Provider
To the extent Customer Personal Data includes “personal information” under CCPA/CPRA and Mailly acts as a “service provider” or “contractor”, Mailly will not: (a) sell or share such personal information, or (b) retain, use, or disclose it for any purpose other than providing the Service, except as otherwise permitted by CCPA/CPRA. Mailly will comply with applicable CCPA/CPRA obligations for service providers/contractors.
13.2 HIPAA / Special Categories
Unless expressly agreed in writing, the Service is not designed for Processing of HIPAA-regulated PHI or Special Categories of data (GDPR Art. 9), such as health data, biometric identifiers, or data about minors. Customer will not upload such data unless explicitly authorized in writing by Mailly.
14. Order of Precedence
If there is a conflict between this DPA and the Terms, this DPA controls with respect to Processing of Personal Data. If there is a conflict between this DPA and the SCCs (where applicable), the SCCs control for international transfers.
15. Liability
Liability related to this DPA (including the SCCs) is subject to the limitations of liability in the Terms, to the extent permitted by applicable law. Nothing in this DPA limits liability that cannot be limited under Data Protection Laws.
16. Contact
For privacy and data processing questions, contact privacy@mailly.io.
Annex 1 – Details of Processing (SCC Annex I)
A. List of Parties
| Party | Details |
|---|---|
| Data Exporter | Customer (as identified in the applicable Subscription Plan / account). Role: Controller (or Processor acting on behalf of a Controller). Contact: Customer account admin / DPO (if applicable). |
| Data Importer | UnderBoss Media LLC (Mailly.io), Casper, Wyoming, United States. Role: Processor. Contact: privacy@mailly.io |
B. Description of Transfer
| Item | Description |
|---|---|
| Categories of Data Subjects | Customer users and administrators; Customer business contacts/prospects/leads; Customer employees/contractors who use the Service. |
| Categories of Personal Data | Identification and contact data (name, work email, job title, company); campaign and outreach metadata; system logs and usage data; user account data; support communications; analytics identifiers (cookies/IDs, IP addresses). Customer controls what is uploaded. |
| Sensitive Data | Not intended. Customer will not upload Special Categories of data unless expressly agreed in writing. If uploaded, Customer is responsible for lawful basis and additional safeguards. |
| Frequency of Transfer | Continuous during the Subscription Period, based on Customer usage and integrations. |
| Nature of Processing | Hosting, storage, analysis, generation of AI-assisted outputs, security monitoring, support troubleshooting, and transmission as requested by Customer through the Service. |
| Purpose(s) of Processing | Provide and maintain the Service; generate requested outputs (e.g., email drafts, sequencing suggestions, ICP analysis); ensure security and performance; customer support; billing and account administration. |
| Duration of Processing | For the Subscription Period, plus a limited post-termination retention window (typically up to 30 days) to enable export and deletion, unless legally required to retain longer. |
C. Competent Supervisory Authority
For SCC purposes, the competent supervisory authority is determined under GDPR. Where Clause 17/18 selections apply, Ireland is designated for SCC governing law/forum (unless mandatory law requires otherwise).
Annex 2 – Technical and Organizational Measures (SCC Annex II)
Mailly maintains a security program appropriate for the Service and risk profile. Measures include, as applicable:
- Access control: role-based access, least-privilege permissions, account lifecycle controls
- Authentication: secure authentication mechanisms; optional enhanced controls where available
- Network security: segmentation and firewalling at hosting layer; secure endpoints
- Encryption: encryption in transit (TLS); encryption at rest where appropriate in storage layers
- Logging/monitoring: audit logs for key events; monitoring for suspicious activity
- Vulnerability management: patching and dependency management; incident response procedures
- Backups: operational backups and recovery practices (best-effort; no guarantee of completeness)
- Confidentiality: staff confidentiality obligations and security awareness practices
- Subprocessor controls: contractual data protection terms and due diligence measures
Annex 3 – Subprocessors (SCC Annex III)
Key categories of Subprocessors (actual providers may vary by region and Customer configuration):
| Subprocessor | Purpose | Location(s) |
|---|---|---|
| Cloud Hosting / Infrastructure (e.g., AWS or equivalent) | Hosting, storage, compute, network security | May include United States and other regions used to provide the Service |
| Payment Processing (e.g., Stripe) | Billing and subscription payments | United States and other regions (per provider) |
| Website Hosting (e.g., Webflow) | Marketing website hosting and content delivery | United States and other regions (per provider) |
| Analytics (e.g., Google Analytics, Microsoft Clarity) | Website/product analytics (as configured) | United States and other regions (per provider) |
Customer may request an updated list of Subprocessors at privacy@mailly.io.
This DPA is provided for informational and contractual use as part of the Service agreement. If you require a countersigned version, contact privacy@mailly.io.