Data Processing Addendum

Last Updated: 2 October 2025

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms and Conditions (the "Agreement") between Maileroo Group Pty Ltd (ACN 691 482 836) ("Maileroo", "Processor", "we", "us", or "our") and the customer ("Customer", "Controller", or "you") for the provision of email services (the "Services").

This DPA applies where and only to the extent that Maileroo processes Personal Data on behalf of the Customer in the course of providing the Services and such processing is subject to Data Protection Laws.

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

In this DPA, the following terms shall have the meanings set out below:

"Affiliate" means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with an entity.

"Australian Privacy Law" means the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

"Control" means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including but not limited to:

The General Data Protection Regulation (EU) 2016/679 ("GDPR")
The UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR")
The Swiss Federal Act on Data Protection ("Swiss DPA")
The Australian Privacy Act 1988 (Cth) and Australian Privacy Principles ("Australian Privacy Law")
The California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA")
Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA")
Any other applicable privacy or data protection legislation

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Maileroo on behalf of Customer in the course of providing the Services, including but not limited to:

Email addresses of senders and recipients
Names and contact information
Email content, subject lines, and metadata
IP addresses and device information
Email engagement data (opens, clicks, bounces)

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, dissemination, erasure, or destruction.

"Processor" means the entity which processes Personal Data on behalf of the Controller.

"Restricted Transfer" means a transfer of Personal Data from a jurisdiction with comprehensive data protection laws (such as the EEA, UK, or Switzerland) to a jurisdiction not recognized as providing adequate protection.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries approved by the European Commission (Decision 2021/914), as may be updated from time to time.

"Sub-processor" means any Processor engaged by Maileroo to process Personal Data on behalf of Customer in connection with the Services.

"Supervisory Authority" means any local, national, or supranational agency, authority, department, official, parliament, or public or statutory body exercising authority or functions regarding data protection.

1.2 Interpretation

Terms not otherwise defined in this DPA shall have the meanings given to them in the Agreement or, if not defined in the Agreement, the meanings given in applicable Data Protection Laws. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency with respect to the processing of Personal Data.

2. SCOPE AND APPLICABILITY

2.1 Scope of Processing

This DPA applies to the Processing of Personal Data by Maileroo on behalf of Customer in connection with the provision of the Services. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are further described in Annex 1 (Details of Processing) to this DPA.

2.2 Roles of the Parties

The parties acknowledge and agree that:

Customer is the Controller of the Personal Data and determines the purposes and means of Processing
Maileroo is the Processor and processes Personal Data only on behalf of and in accordance with Customer's documented instructions
Customer is solely responsible for ensuring that its instructions comply with Data Protection Laws and that it has a lawful basis for processing Personal Data
This DPA does not reduce any obligations Customer may have under Data Protection Laws

2.3 Customer Instructions

Customer instructs Maileroo to process Personal Data:

To provide the Services in accordance with the Agreement and this DPA
To comply with other documented instructions provided by Customer that are consistent with the terms of the Agreement and this DPA
As necessary to comply with applicable law to which Maileroo is subject

The parties agree that this DPA and the Agreement constitute Customer's complete and final instructions to Maileroo regarding the Processing of Personal Data. Additional instructions outside the scope of this DPA require prior written agreement between the parties.

Maileroo shall immediately inform Customer if, in Maileroo's opinion, an instruction infringes Data Protection Laws. In such cases, Maileroo may suspend performance of the relevant instruction until Customer confirms or modifies it.

3. MAILEROO'S OBLIGATIONS AS PROCESSOR

3.1 Compliance with Instructions

Maileroo shall:

Process Personal Data only in accordance with Customer's documented instructions unless required to do otherwise by applicable law
Immediately inform Customer if Maileroo becomes aware that Customer's instructions infringe Data Protection Laws
Immediately inform Customer if Maileroo is required by applicable law to process Personal Data contrary to Customer's instructions, unless prohibited by law from doing so
Not process Personal Data for any purpose other than as instructed by Customer

3.2 Confidentiality

Maileroo shall ensure that all personnel authorized to process Personal Data:

Are subject to appropriate confidentiality obligations (whether contractual or statutory)
Receive adequate training on data protection, privacy, and security
Process Personal Data only as necessary to provide the Services or as instructed by Customer
Do not access, use, or disclose Personal Data except as authorized

These confidentiality obligations shall survive the termination of employment or engagement and the termination of this DPA.

3.3 Security Measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects, Maileroo shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breaches, including:

Technical Security Measures:

Encryption of Personal Data in transit using TLS 1.2 or higher
Encryption of Personal Data at rest using AES-256 or equivalent
Secure authentication mechanisms, including multi-factor authentication for administrative access
Role-based access controls and the principle of least privilege
Regular security testing, including vulnerability assessments and penetration testing
Network security controls, including firewalls and intrusion detection/prevention systems
Secure data backup and disaster recovery procedures
Comprehensive logging and monitoring of system access and activities
Secure development practices and code review procedures

Organizational Security Measures:

Documented information security policies and procedures
Employee background checks for personnel with access to Personal Data
Regular security awareness training for all personnel
Incident response and breach notification procedures
Access controls limiting personnel access to Personal Data on a need-to-know basis
Secure disposal of equipment and media containing Personal Data
Regular review and update of security measures
Third-party security assessments and certifications (where available)

A detailed description of the technical and organizational security measures currently implemented by Maileroo is set out in Annex 2 (Security Measures) to this DPA. Maileroo may update or modify these measures from time to time, provided that such updates do not result in a material degradation of the overall security of the Services.

3.4 Sub-processors

Customer provides general written authorization for Maileroo to engage Sub-processors to process Personal Data, subject to the following conditions:

Current Sub-processors:

Maileroo maintains a current list of Sub-processors, including their names, locations, and services provided in Annex 3 to this DPA.

Notification of Changes:

Maileroo shall notify Customer via email at least thirty (30) days before:

Engaging a new Sub-processor to process Personal Data
Replacing an existing Sub-processor

Right to Object:

Customer may object to Maileroo's appointment or replacement of a Sub-processor on reasonable data protection grounds by notifying Maileroo in writing within fifteen (15) days of receiving notification. Such objection must include detailed reasons relating to data protection concerns.

Resolution:

If Customer objects, the parties shall work together in good faith to find a commercially reasonable solution, which may include:

Maileroo proposing an alternative Sub-processor
Implementing additional safeguards to address Customer's concerns
Customer disabling the affected functionality or features

If the parties cannot reach a resolution within thirty (30) days, Customer may terminate the affected Services without penalty by providing written notice to Maileroo.

Sub-processor Requirements:

Maileroo shall:

Impose data protection obligations on Sub-processors that are materially equivalent to those in this DPA
Ensure Sub-processors implement appropriate technical and organizational measures to protect Personal Data
Conduct appropriate due diligence on Sub-processors before engagement
Monitor Sub-processor compliance with their obligations
Remain fully liable to Customer for the performance of any Sub-processor's obligations

3.5 Data Subject Rights

Maileroo shall, taking into account the nature of the Processing and to the extent legally permitted:

Provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access to Personal Data
- Right to rectification of inaccurate Personal Data
- Right to erasure ("right to be forgotten")
- Right to restriction of Processing
- Right to data portability
- Right to object to Processing
- Rights related to automated decision-making and profiling
Promptly notify Customer (and in any event within two (2) business days) if Maileroo receives a request directly from a Data Subject regarding their Personal Data
Not respond to such requests directly without Customer's prior written authorization, except to acknowledge receipt and inform the Data Subject to submit their request to Customer
Provide Customer with commercially reasonable cooperation and assistance in responding to Data Subject requests

Customer acknowledges that assistance provided by Maileroo beyond the functionality of the Services may be subject to additional fees based on Maileroo's then-current professional services rates. Maileroo shall provide Customer with an estimate before incurring such fees.

3.6 Personal Data Breach Notification

Maileroo shall:

Notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data
Provide Customer with sufficient information to enable Customer to meet any obligations to report or inform Data Subjects and Supervisory Authorities of the Personal Data Breach under Data Protection Laws, including:
- A description of the nature of the Personal Data Breach
- The categories and approximate number of Data Subjects affected
- The categories and approximate number of Personal Data records affected
- The likely consequences of the Personal Data Breach
- The measures taken or proposed to be taken to address the Personal Data Breach
- Measures to mitigate potential adverse effects
- Contact details for obtaining more information
Provide regular status updates (at least weekly or as otherwise reasonably requested by Customer) on the investigation and remediation of the Personal Data Breach
Cooperate with Customer and take commercially reasonable steps to investigate, remediate, and mitigate the effects of the Personal Data Breach
Preserve evidence relating to the Personal Data Breach for forensic investigation

Notification of a Personal Data Breach shall be made to the email address associated with Customer's account or to such other email address as Customer may specify in writing.

Customer acknowledges that Maileroo's notification of a Personal Data Breach does not constitute an acknowledgment by Maileroo of fault or liability with respect to the breach.

3.7 Data Protection Impact Assessments and Prior Consultation

Maileroo shall, taking into account the nature of the Processing and the information available to Maileroo, provide reasonable assistance to Customer with:

Data protection impact assessments (DPIAs) required under Data Protection Laws
Prior consultations with Supervisory Authorities where required
Assessment of the privacy and security implications of the Services

Such assistance may include:

Providing information about the Services and Maileroo's data processing practices
Providing information about security measures and safeguards
Providing information about Sub-processors and data transfers
Reviewing and commenting on draft DPIAs prepared by Customer

Customer acknowledges that assistance provided by Maileroo beyond providing standard documentation and information may be subject to additional fees based on Maileroo's then-current professional services rates.

3.8 Deletion or Return of Personal Data

Upon termination or expiration of the Agreement, or upon Customer's earlier written request (except as otherwise required by the Agreement), Maileroo shall, at Customer's election:

Delete all Personal Data (including copies) in Maileroo's possession or control; or
Return a complete copy of all Personal Data to Customer in a commonly used, machine-readable format

Following such deletion or return, Maileroo shall certify in writing to Customer that it has complied with this Section 3.8.

Exceptions:

Maileroo may retain Personal Data to the extent required by applicable law, regulation, or professional standards, provided that Maileroo shall:

Ensure the confidentiality of all such retained Personal Data
Only process such Personal Data as necessary to comply with the applicable law or regulation
Inform Customer of any such legal requirement before deletion, where possible
Continue to protect such Personal Data in accordance with this DPA

Standard Retention Periods:

Unless otherwise instructed by Customer or required by law, Maileroo applies the following retention periods:

Email content and attachments: Up to 14 days from transmission
Email metadata and delivery logs: Up to 14 days from transmission
Email analytics and engagement data: Up to 2 years or as configured in Customer's account settings
Billing and transaction records: Minimum 7 years (as required by tax and accounting regulations)
Backup data: Up to 30 days in encrypted backup systems

3.9 Audit Rights and Compliance

Maileroo shall make available to Customer, upon written request and subject to confidentiality obligations, information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws.

Documentation and Reports:

Maileroo shall provide Customer with:

Current copies of relevant security certifications (such as SOC 2 Type II, ISO 27001, or similar)
Summary audit reports from independent third-party auditors
Security and compliance documentation as reasonably requested
Attestations of compliance with this DPA upon reasonable request

On-Site Audits:

Customer may, upon reasonable written request and subject to the following conditions, conduct audits or inspections of Maileroo's data processing activities:

Customer provides at least sixty (60) days' prior written notice
Audits are conducted no more than once per year, unless:
- Required by a Supervisory Authority
- Required in response to a Personal Data Breach
- Required by applicable law
Audits are conducted during normal business hours and do not unreasonably interfere with Maileroo's operations
Customer uses an independent third-party auditor reasonably acceptable to Maileroo
The auditor is bound by appropriate confidentiality obligations
The audit scope is limited to matters relevant to Maileroo's obligations under this DPA
Customer bears all costs associated with the audit
The audit does not extend to areas where Maileroo processes data for other customers

Audit Findings:

If an audit reveals non-compliance with this DPA:

Maileroo shall work with Customer to develop and implement a remediation plan
Maileroo shall provide regular updates on remediation progress
If the non-compliance poses a material risk, Customer may exercise its termination rights under the Agreement

4. CUSTOMER'S OBLIGATIONS AS CONTROLLER

4.1 Compliance with Data Protection Laws

Customer represents, warrants, and covenants that:

It has and will maintain a lawful basis under Data Protection Laws for Processing Personal Data and for instructing Maileroo to process Personal Data on its behalf
It has provided and will provide all notices and obtained all consents and authorizations required under Data Protection Laws for the Processing of Personal Data, including for Maileroo's Processing on Customer's behalf
Its instructions to Maileroo regarding the Processing of Personal Data comply with Data Protection Laws
The Processing of Personal Data in accordance with Customer's instructions will not violate any applicable laws, regulations, or rights of Data Subjects
It has implemented and will maintain appropriate security measures for Personal Data in its possession or control

4.2 Instructions to Maileroo

Customer shall:

Provide clear, lawful, and documented instructions regarding the Processing of Personal Data
Ensure that Customer personnel and end-users who access the Services are authorized to do so and comply with this DPA
Use the Services and provide instructions in a manner consistent with applicable Data Protection Laws
Promptly notify Maileroo of any changes to instructions or any concerns regarding Maileroo's Processing activities
Not provide instructions that would cause Maileroo to violate Data Protection Laws or this DPA

4.3 Prohibited Data

Customer acknowledges that the Services are not designed or intended for the Processing of:

Special Categories of Personal Data (as defined in GDPR Article 9 or equivalent under other Data Protection Laws), including data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Health data
- Data concerning a natural person's sex life or sexual orientation
Personal Data relating to criminal convictions and offenses
Personal Data of children under the age of 16 (or such other age as may be specified by applicable law) without verified parental or guardian consent
Government-issued identification numbers (such as social security numbers, passport numbers, or driver's license numbers), except as necessary for account verification
Financial account information (such as credit card numbers or bank account numbers), except as necessary for payment processing

Customer shall not submit, upload, transmit, or otherwise process any such prohibited data through the Services without:

Prior written agreement with Maileroo
Implementation of additional safeguards as may be required
Compliance with all applicable legal requirements

If Customer transmits any prohibited data through the Services:

Customer shall immediately notify Maileroo in writing
Customer shall indemnify and hold harmless Maileroo from and against any claims, damages, costs, or liabilities arising from such transmission
Maileroo may suspend the Services until the issue is resolved
Maileroo may terminate the Agreement in accordance with its terms

4.4 Data Subject Rights Requests

Customer acknowledges and agrees that:

Customer is responsible for responding to requests from Data Subjects exercising their rights under Data Protection Laws
Maileroo provides tools and features within the Services to assist Customer in responding to such requests
Customer shall use these tools appropriately and in compliance with Data Protection Laws
Maileroo's assistance beyond the standard functionality of the Services may be subject to additional fees

5. INTERNATIONAL DATA TRANSFERS

5.1 Data Location and Transfers

Maileroo's primary data processing facilities are located in the EU. Personal Data may be transferred to, stored, and processed in Germany, Netherlands and Finland, and other countries where Maileroo or its Sub-processors maintain facilities or data centers.

Customer acknowledges and agrees that Maileroo may make such transfers as necessary to provide the Services.

5.2 Transfers from the EEA, UK, and Switzerland

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not been deemed to provide adequate protection by the European Commission, UK authorities, or Swiss authorities (as applicable), the parties agree to rely on the following transfer mechanisms:

Standard Contractual Clauses (EU):

The parties agree to be bound by the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 as set out in Annex 4 to this DPA.

For purposes of the Standard Contractual Clauses:

Customer (and any EU/EEA Affiliate that is a Controller) is the "data exporter"
Maileroo is the "data importer"
Module Two (Controller to Processor) shall apply
The optional docking clause in Clause 7 shall apply
In Clause 9(a) (Use of sub-processors), Option 2 (General written authorisation) applies, with a notice period of thirty (30) days
In Clause 11(a) (Redress), the optional requirement for independent dispute resolution is not selected
In Clause 17 (Governing law), the law of Ireland shall apply
In Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Ireland
Annex I, Annex II, and Annex III to the Standard Contractual Clauses are completed as set out in Annexes 1, 2, and 3 to this DPA

UK International Data Transfer Addendum:

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office shall apply, incorporating the Standard Contractual Clauses referenced above with the following modifications:

Table 1 (Parties): The parties' details are as set out in the Agreement
Table 2 (Selected SCCs, Modules and Selected Clauses): Module Two applies as specified above
Table 3 (Appendix Information): Information is as set out in Annexes 1, 2, and 3 to this DPA
Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither party may end the UK Addendum on this basis

Swiss Data Protection Act:

For transfers from Switzerland, the parties agree that:

References to the "GDPR" in the Standard Contractual Clauses shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP)
References to "EU Member State" shall be interpreted as references to Switzerland
References to the "competent supervisory authority" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC)
The Swiss FDPIC shall have jurisdiction for data protection supervision
The law of Switzerland shall govern data protection matters to the extent required by Swiss law

5.3 Additional Safeguards

In addition to the Standard Contractual Clauses and related addenda, Maileroo implements the following supplementary measures to protect Personal Data during international transfers:

Encryption of Personal Data in transit and at rest
Robust access controls and authentication mechanisms
Contractual obligations on Sub-processors regarding data protection and security
Regular security assessments and audits
Incident response and breach notification procedures
Employee training on data protection and privacy

5.4 Alternative Transfer Mechanisms

If the Standard Contractual Clauses or other transfer mechanisms referenced in this Section 5 are invalidated, replaced, or amended, or if alternative transfer mechanisms become available and appropriate, the parties agree to cooperate in good faith to:

Implement such alternative mechanisms as are necessary to ensure lawful transfers
Execute such documents and take such actions as may be required
Minimize disruption to the Services during any transition

5.5 Australian Cross-Border Disclosures

For transfers of Personal Data from Australia to overseas recipients, Maileroo agrees to:

Comply with Australian Privacy Principle 8 (Cross-border disclosure of personal information)
Take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles
Enter into contractual arrangements with Sub-processors requiring compliance with the Australian Privacy Principles or substantially similar standards

6. LIABILITY AND INDEMNIFICATION

6.1 Liability Allocation

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set forth in the Agreement.

Nothing in this DPA shall exclude or limit either party's liability for:

Death or personal injury caused by negligence
Fraud or fraudulent misrepresentation
Gross negligence or willful misconduct
Breach of confidentiality obligations
Violations of Data Protection Laws, to the extent such limitations are prohibited by applicable law
Indemnification obligations under this DPA or the Agreement
Any other liability that cannot be excluded or limited under applicable law

6.2 Maileroo's Indemnification

Maileroo shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and costs) arising from or relating to:

Maileroo's Processing of Personal Data in material violation of this DPA
Maileroo's failure to implement and maintain security measures as required by Section 3.3
A Personal Data Breach caused by Maileroo's negligence, willful misconduct, or failure to comply with this DPA
Maileroo's breach of its obligations under Data Protection Laws or this DPA

This indemnification obligation is subject to Customer:

Promptly notifying Maileroo in writing of the claim
Giving Maileroo sole control of the defense and settlement of the claim
Providing reasonable cooperation in the defense, at Maileroo's expense

Maileroo shall not settle any claim in a manner that admits liability on behalf of Customer or imposes obligations on Customer without Customer's prior written consent.

6.3 Customer's Indemnification

Customer shall indemnify, defend, and hold harmless Maileroo and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and costs) arising from or relating to:

Customer's Processing of Personal Data in violation of Data Protection Laws
Customer's instructions that violate Data Protection Laws or this DPA
Customer's transmission of prohibited data as specified in Section 4.3
Customer's failure to obtain necessary consents or provide required notices to Data Subjects
Customer's breach of its representations, warranties, or obligations under this DPA
Claims by Data Subjects arising from Customer's Processing activities (except to the extent caused by Maileroo's breach of this DPA)

This indemnification obligation is subject to Maileroo:

Promptly notifying Customer in writing of the claim
Giving Customer sole control of the defense and settlement of the claim
Providing reasonable cooperation in the defense, at Customer's expense

Customer shall not settle any claim in a manner that admits liability on behalf of Maileroo or imposes obligations on Maileroo without Maileroo's prior written consent.

6.4 Mitigation

Each party shall take reasonable steps to mitigate damages arising from any breach of this DPA.

7. TERM AND TERMINATION

7.1 Term

This DPA shall commence on the effective date of the Agreement and shall remain in effect until the earlier of:

Termination or expiration of the Agreement; or
Deletion or return of all Personal Data by Maileroo in accordance with Section 3.8

7.2 Effect of Termination

Upon termination of this DPA:

Maileroo shall cease all Processing of Personal Data, except:
- As necessary to comply with Section 3.8 (Deletion or Return of Personal Data)
- As required by applicable law
- To the extent Personal Data has been anonymized or aggregated such that it no longer constitutes Personal Data
Maileroo shall delete or return Personal Data in accordance with Section 3.8
The following provisions shall survive termination:
- Section 3.2 (Confidentiality)
- Section 3.8 (Deletion or Return of Personal Data)
- Section 6 (Liability and Indemnification)
- Section 8 (General Provisions)
- Any other provisions that by their nature should survive

7.3 Termination for Breach

Either party may terminate this DPA (and, if applicable, the Agreement) if:

The other party materially breaches this DPA and fails to remedy such breach within thirty (30) days of receiving written notice
The other party's Processing of Personal Data poses an immediate and serious threat to Data Subjects' rights and freedoms (in which case immediate termination may be effected upon written notice)

8. GENERAL PROVISIONS

8.1 Amendments and Updates

Maileroo may amend this DPA from time to time to:

Reflect changes in Data Protection Laws
Reflect guidance or determinations from Supervisory Authorities
Implement industry best practices
Reflect changes to the Services or Sub-processors
Address security or compliance requirements

Material changes to this DPA will be communicated to Customer:

By email to the address associated with Customer's account
Through a notice in Customer's account dashboard
By posting an updated version on our website

Customer will be given at least thirty (30) days' notice before material changes take effect. Customer's continued use of the Services after such changes constitutes acceptance of the amended DPA.

If Customer does not agree to material changes, Customer may terminate the Agreement in accordance with its terms.

8.2 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction:

The remaining provisions shall remain in full force and effect
The invalid provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the invalid provision
The parties shall negotiate in good faith to implement such replacement provision

8.3 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, without regard to conflicts of law principles.

For the avoidance of doubt, this choice of law:

Shall not affect the protection granted to Data Subjects under Data Protection Laws that cannot be derogated from by contract
Shall not override the governing law and jurisdiction provisions in the Standard Contractual Clauses (where applicable)

8.4 Order of Precedence

In the event of any conflict or inconsistency between documents, the following order of precedence shall apply (from highest to lowest):

Standard Contractual Clauses and related addenda (where applicable)
This Data Processing Addendum and its Annexes
The Agreement (Terms and Conditions)
Other policies referenced in the Agreement

8.5 Third-Party Beneficiaries

For the Standard Contractual Clauses only, Data Subjects are third-party beneficiaries to the extent provided in the Standard Contractual Clauses. Except as expressly provided in the Standard Contractual Clauses, there are no third-party beneficiaries to this DPA.

8.6 Entire Agreement

This DPA, together with the Agreement and the Annexes to this DPA, constitutes the entire agreement between the parties regarding the Processing of Personal Data and supersedes all prior agreements, understandings, negotiations, and discussions relating to such subject matter.

8.7 Waiver

No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom the waiver is sought to be enforced. No failure or delay by either party in exercising any right, power, or remedy shall operate as a waiver thereof.

8.8 Assignment

Neither party may assign or transfer this DPA without the prior written consent of the other party, except that Maileroo may assign this DPA:

To an Affiliate, provided that Maileroo remains liable for performance
In connection with a merger, acquisition, or sale of all or substantially all of its assets

Any attempted assignment in violation of this provision is void.

8.9 Notices

All notices under this DPA shall be in writing and shall be deemed given:

When delivered personally
When sent by confirmed email
Five (5) business days after being sent by registered or certified mail
Two (2) business days after being sent by recognized international courier

Notices to Customer shall be sent to the email address associated with Customer's account or as otherwise specified by Customer.

Notices to Maileroo shall be sent to: [email protected]

8.10 Language

This DPA is executed in English. If this DPA is translated into any other language, the English version shall prevail in the event of any conflict.

9. CONTACT INFORMATION

For questions, concerns, or requests regarding this DPA, data protection matters, or to exercise rights under this DPA, please contact:

Maileroo Group Pty Ltd
ACN 691 482 836
Level 10, 440 Collins Street
Melbourne VIC 3000
Australia

Email: [email protected]

Data Protection Officer: [email protected]

10. ACKNOWLEDGMENT AND ACCEPTANCE

By accepting the Terms and Conditions, creating an account, or using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Addendum.

If Customer requires a separately signed copy of this DPA for compliance purposes, please contact us at [email protected] and we will provide an electronically executable version.

ANNEX 1: DETAILS OF PROCESSING

This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and the Standard Contractual Clauses.

A. LIST OF PARTIES

Data Exporter (Controller):

Name: Customer (as identified in the Agreement)
Address: As provided in Customer's account information
Contact person: Account administrator
Activities relevant to the data transferred: Use of Maileroo's email delivery and marketing services
Role: Controller

Data Importer (Processor):

Name: Maileroo Group Pty Ltd
Address: Level 10, 440 Collins Street, Melbourne VIC 3000, Australia
Contact person: Data Protection Officer - [email protected]
Activities relevant to the data transferred: Provision of email API, SMTP relay, email marketing platform, email validation, tracking, analytics, and related services
Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects:

Customer's employees, contractors, and authorized users of the Services
Recipients of emails sent through the Services
Individuals whose email addresses are stored in Customer's contact lists or databases
Website visitors who interact with emails sent through the Services (e.g., open, click tracking)
Subscribers to Customer's email marketing campaigns

Categories of Personal Data:

Contact information: email addresses, names (from email headers or content)
Communication data: email subject lines, message bodies, attachments, email headers, timestamps, message IDs
Technical data: IP addresses of senders and recipients, device identifiers, browser type and version, operating system
Usage data: email engagement metrics (opens, clicks, bounces, unsubscribes, spam complaints)
Location data: geographic location derived from IP addresses
Account data: usernames, account settings, preferences
Metadata: date and time information, email routing information

Sensitive Data (if applicable):

The Services are not intended for processing Special Categories of Personal Data as defined in GDPR Article 9. If Customer processes such data despite this restriction, Customer assumes full responsibility and liability.

Frequency of Transfer:

Continuous for the duration of the Agreement, as Customer uses the Services to send emails and access analytics.

Nature of Processing:

The Personal Data transferred will be subject to the following basic processing activities:

Collection and receipt of Personal Data from Customer via API, SMTP, or web interface
Storage of Personal Data on Maileroo's secure servers
Transmission of emails to recipient mail servers
Recording and tracking of email delivery status and engagement events
Analysis and aggregation of email performance metrics
Validation of email addresses for deliverability
Generation of reports and analytics dashboards
Retention of Personal Data in accordance with retention policies
Deletion or anonymization of Personal Data upon expiration of retention periods or Customer request

Purpose(s) of Processing:

To send, deliver, and track emails on behalf of Customer
To validate email addresses and improve deliverability
To provide analytics and reporting on email campaign performance
To maintain and improve email deliverability rates
To provide customer support and troubleshooting
To detect, prevent, and address fraud, spam, and abuse
To comply with legal obligations and enforce our policies
To improve and optimize the Services

Period for which Personal Data will be Retained:

Personal Data will be retained for the duration of the Agreement plus the following retention periods:

Email content and attachments: Up to 14 days from transmission
Email metadata and delivery logs: Up to 14 days from transmission
Email analytics and engagement data: Up to 2 years or as configured by Customer
Billing and transaction records: Minimum 7 years (as required by law)
Backup data: Up to 30 days in encrypted backup systems

Personal Data may be retained longer to the extent required by applicable law or regulation.

For Transfers to Sub-processors:

Subject to the conditions set out in Section 3.4 of this DPA and the current list of Sub-processors in Annex 3.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses, which will generally be:

For data transfers from the EEA: The supervisory authority of the EU Member State where the data exporter is established or, if not established in the EEA, where the data exporter's representative is established
For data transfers from the UK: The UK Information Commissioner's Office
For data transfers from Switzerland: The Swiss Federal Data Protection and Information Commissioner

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Maileroo has implemented and maintains the following technical and organizational measures to protect Personal Data, in accordance with Article 32 GDPR and applicable Data Protection Laws:

1. PHYSICAL SECURITY

Data Center Security:

Tier III or higher certified data centers with 24/7 security monitoring
Physical access controls including biometric authentication and security badges
Video surveillance and recording systems
Visitor logs and escort requirements for non-authorized personnel
Environmental controls (fire suppression, temperature and humidity monitoring, flood detection)
Redundant power supplies (UPS and backup generators)
Redundant network connectivity
Secure equipment disposal and destruction procedures

2. NETWORK AND SYSTEM SECURITY

Network Security:

Next-generation firewalls with stateful inspection
Intrusion detection and prevention systems (IDS/IPS)
Network segmentation and isolation (DMZ, internal zones)
DDoS protection and mitigation services
Virtual Private Networks (VPNs) for remote administrative access
Regular network security scans and assessments

System Security:

Hardened server configurations following industry best practices
Regular security patches and updates (critical patches within 48 hours)
Antivirus and anti-malware software on all systems
Vulnerability scanning and remediation
Security event and information management (SIEM) systems
Automated security monitoring and alerting

3. ACCESS CONTROLS

Authentication and Authorization:

Multi-factor authentication (MFA) required for all administrative access
Role-based access control (RBAC) with principle of least privilege
Strong password policies (minimum length, complexity, expiration)
Single sign-on (SSO) capabilities for enterprise customers
Secure API authentication using API keys and OAuth 2.0
Regular access reviews and certification
Immediate revocation of access upon termination of employment or contract

Access Logging and Monitoring:

Comprehensive logging of all access to Personal Data
Centralized log management and retention (minimum 14 days)
Real-time monitoring and alerting for suspicious activities
Regular review of access logs
Audit trails for all administrative actions

4. DATA ENCRYPTION

Encryption in Transit:

TLS 1.2 or higher for all data transmissions
HTTPS enforced for all web interfaces
Secure SMTP with STARTTLS support
Perfect Forward Secrecy (PFS) enabled
Regular updates to cryptographic protocols and cipher suites

Encryption at Rest:

AES-256 encryption for all databases containing Personal Data
Full disk encryption on all servers and storage systems
Encrypted backups
Secure encryption key management with key rotation
Hardware Security Modules (HSMs) for key storage where applicable

5. APPLICATION SECURITY

Secure Development:

Security-focused software development lifecycle (SDLC)
Code reviews with security focus
Static and dynamic application security testing (SAST/DAST)
Dependency scanning for known vulnerabilities
Security testing in pre-production environments
Regular security training for developers

Application Protections:

Protection against OWASP Top 10 vulnerabilities
Input validation and output encoding
SQL injection prevention
Cross-site scripting (XSS) protection
Cross-site request forgery (CSRF) protection
Secure session management
Rate limiting and throttling to prevent abuse

6. INCIDENT RESPONSE AND BUSINESS CONTINUITY

Incident Response:

Documented incident response plan and procedures
Dedicated incident response team
24/7 security monitoring and incident detection
Defined escalation procedures
Forensic investigation capabilities
Post-incident analysis and remediation
Breach notification procedures compliant with Data Protection Laws

Business Continuity and Disaster Recovery:

Regular encrypted backups (daily incremental, weekly full)
Geographically distributed backup storage
Documented business continuity and disaster recovery plans
Redundant infrastructure and automatic failover
Regular testing of backup restoration (quarterly)
Recovery Time Objective (RTO): 4 hours for critical systems
Recovery Point Objective (RPO): 24 hours maximum data loss

7. ORGANIZATIONAL SECURITY

Personnel Security:

Background checks for all employees with access to Personal Data
Confidentiality and non-disclosure agreements for all personnel
Regular security awareness training (at least annually)
Specialized data protection and privacy training for relevant personnel
Clear separation of duties for critical functions
Offboarding procedures including immediate access revocation

Policies and Procedures:

Comprehensive information security policy
Data protection and privacy policy
Acceptable use policy
Change management procedures
Vendor management and third-party security requirements
Data classification and handling standards
Secure disposal and destruction procedures

8. COMPLIANCE AND AUDIT

Compliance Monitoring:

Regular internal security audits and assessments
Third-party security audits and penetration testing (at least annually)
Compliance with relevant security frameworks (e.g., ISO 27001, SOC 2)
Regular review and update of security measures
Documentation of security controls and procedures
Security metrics and reporting

Certifications and Standards:

Ongoing pursuit of relevant security certifications (SOC 2 Type II, ISO 27001)
Compliance with industry-specific standards where applicable
Regular assessment against NIST Cybersecurity Framework
Participation in responsible disclosure programs

9. DATA MINIMIZATION AND RETENTION

Data Minimization:

Collection of only necessary Personal Data for service provision
Regular review of data collection practices
Pseudonymization and anonymization where appropriate
Aggregation of data for analytics where possible

Data Retention and Disposal:

Defined retention periods for different categories of Personal Data
Automated deletion processes upon expiration of retention periods
Secure deletion methods ensuring data cannot be recovered
Secure physical destruction of hardware containing Personal Data
Certificates of destruction for physical media

10. CONTINUOUS IMPROVEMENT

Maileroo continuously reviews and updates its security measures to:

Address evolving security threats
Incorporate technological advances
Maintain compliance with Data Protection Laws
Implement industry best practices
Respond to audit findings and recommendations

ANNEX 3: LIST OF SUB-PROCESSORS

Maileroo engages the following Sub-processors to process Personal Data on behalf of Customer in connection with the Services:

Name	Entity Location	Purpose of Processing
Paddle.com Market Limited	United Kingdom	Subscription billing, payment processing, tax compliance, and customer invoicing
Crisp IM SAS	France	Customer support chat and messaging platform
Zendesk, Inc.	United States	Customer support ticketing system and helpdesk software
StatCounter	Ireland	Analytics and reporting services
BunnyWay d.o.o.	Slovenia	Storage and Content Delivery Network (CDN) services
IPInfo, Inc.	United States	Geolocation services
Twilio, Inc.	United States	SMS and phone verification services
Proton AG.	Switzerland	Email and collaboration services
Github, Inc.	United States	Source code repository and collaboration services
OpenRouter, Inc.	United States	LLM API services
Cloudflare, Inc.	United States	Content delivery network (CDN), DDoS, WAF services
Hetzner Online GmbH	Germany	Server hosting, data storage, and infrastructure services for the platform
The Constant Company, LLC	United States	Cloud infrastructure services including computing, storage, and networking
Contabo GmbH	Germany	Server hosting, data storage, and infrastructure services for the platform
Macarne Limited	United Kingdom	Server hosting, data storage, and infrastructure services for the platform
Google LLC	United States	Analytics services (website and application usage tracking)
Additional Sub-processors may be added subject to the notification requirements in Section 3.4 of this DPA

Notification of Changes: Customer will be notified via email at least thirty (30) days in advance of any additions or replacements to this list, in accordance with Section 3.4 of this DPA.

Sub-processor Obligations: Each Sub-processor is bound by written agreements requiring them to provide at least the same level of data protection as set out in this DPA, including:

Processing Personal Data only in accordance with documented instructions
Maintaining confidentiality of Personal Data
Implementing appropriate technical and organizational security measures
Assisting with Data Subject rights requests
Notifying Maileroo of Personal Data Breaches
Deleting or returning Personal Data upon termination
Submitting to audits and inspections

ANNEX 4: STANDARD CONTRACTUAL CLAUSES

This Annex incorporates the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

STANDARD CONTRACTUAL CLAUSES

Module Two: Controller to Processor

For the purposes of the Standard Contractual Clauses:

Clause 7 – Docking Clause:

The optional docking clause applies. An entity not party to these Clauses may accede to them at any time by executing an addendum.

Clause 9 – Use of Sub-processors:

Option 2 (General written authorisation) applies. The data importer has the data exporter's general authorisation for the engagement of Sub-processors. The data importer shall inform the data exporter of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the data exporter the opportunity to object to such changes. The notice period is thirty (30) days.

Clause 11 – Redress:

Option 1 applies. The optional requirement for independent dispute resolution is NOT selected.

Clause 13 – Supervision:

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 shall act as competent supervisory authority.

Clause 17 – Governing Law:

These Clauses shall be governed by the law of Ireland.

Clause 18 – Choice of Forum and Jurisdiction:

Any dispute arising from these Clauses shall be resolved by the courts of Ireland.

APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES

The Appendix to the Standard Contractual Clauses is completed as follows:

Annex I (List of Parties and Description of Transfer): As set out in Annex 1 to this DPA
Annex II (Technical and Organisational Measures): As set out in Annex 2 to this DPA
Annex III (List of Sub-processors): As set out in Annex 3 to this DPA

UK INTERNATIONAL DATA TRANSFER ADDENDUM

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office applies, with the following specifications:

Table 1 (The Parties): As specified in the Agreement and Annex 1 to this DPA
Table 2 (Selected SCCs, Modules and Selected Clauses): The Approved EU SCCs, Module Two (Controller to Processor), with the specifications noted above
Table 3 (Appendix Information): As set out in Annexes 1, 2, and 3 to this DPA
Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither party may end this Addendum on this basis

SWISS DATA PROTECTION LAW MODIFICATIONS

For transfers from Switzerland, the parties agree to the following modifications to the Standard Contractual Clauses:

References to "Regulation (EU) 2016/679" or "GDPR" shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP)
References to "EU", "Union", and "Member State" shall be interpreted as references to Switzerland
References to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the competent courts in Switzerland
The FDPIC shall have jurisdiction for data protection supervision
To the extent required by Swiss law, the law of Switzerland shall govern data protection matters

ACCESSING THE FULL TEXT

The full text of the Standard Contractual Clauses and related addenda can be accessed at:

EU Standard Contractual Clauses: EUR-Lex Official Journal
UK International Data Transfer Addendum: ICO Website

Copies of these documents are also available upon request by contacting: [email protected]

This Data Processing Addendum was last updated on 2 October 2025. For questions or to request a signed copy, please contact [email protected].