Data Processing Addendum

Last Updated: 2 October 2025

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms and Conditions (the "Agreement") between Maileroo Group Pty Ltd (ACN 691 482 836) ("Maileroo", "Processor", "we", "us", or "our") and the customer ("Customer", "Controller", or "you") for the provision of email services (the "Services").

This DPA applies where and only to the extent that Maileroo processes Personal Data on behalf of the Customer in the course of providing the Services and such processing is subject to Data Protection Laws.

1. DEFINITIONS AND INTERPRETATION
1.1 Definitions

In this DPA, the following terms shall have the meanings set out below:

"Affiliate" means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with an entity.

"Australian Privacy Law" means the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

"Control" means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including but not limited to:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR")
  • The Swiss Federal Act on Data Protection ("Swiss DPA")
  • The Australian Privacy Act 1988 (Cth) and Australian Privacy Principles ("Australian Privacy Law")
  • The California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA")
  • Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA")
  • Any other applicable privacy or data protection legislation

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Maileroo on behalf of Customer in the course of providing the Services, including but not limited to:

  • Email addresses of senders and recipients
  • Names and contact information
  • Email content, subject lines, and metadata
  • IP addresses and device information
  • Email engagement data (opens, clicks, bounces)

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, dissemination, erasure, or destruction.

"Processor" means the entity which processes Personal Data on behalf of the Controller.

"Restricted Transfer" means a transfer of Personal Data from a jurisdiction with comprehensive data protection laws (such as the EEA, UK, or Switzerland) to a jurisdiction not recognized as providing adequate protection.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries approved by the European Commission (Decision 2021/914), as may be updated from time to time.

"Sub-processor" means any Processor engaged by Maileroo to process Personal Data on behalf of Customer in connection with the Services.

"Supervisory Authority" means any local, national, or supranational agency, authority, department, official, parliament, or public or statutory body exercising authority or functions regarding data protection.

1.2 Interpretation

Terms not otherwise defined in this DPA shall have the meanings given to them in the Agreement or, if not defined in the Agreement, the meanings given in applicable Data Protection Laws. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency with respect to the processing of Personal Data.

2. SCOPE AND APPLICABILITY
2.1 Scope of Processing

This DPA applies to the Processing of Personal Data by Maileroo on behalf of Customer in connection with the provision of the Services. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are further described in Annex 1 (Details of Processing) to this DPA.

2.2 Roles of the Parties

The parties acknowledge and agree that:

  • Customer is the Controller of the Personal Data and determines the purposes and means of Processing
  • Maileroo is the Processor and processes Personal Data only on behalf of and in accordance with Customer's documented instructions
  • Customer is solely responsible for ensuring that its instructions comply with Data Protection Laws and that it has a lawful basis for processing Personal Data
  • This DPA does not reduce any obligations Customer may have under Data Protection Laws

2.3 Customer Instructions

Customer instructs Maileroo to process Personal Data:

  • To provide the Services in accordance with the Agreement and this DPA
  • To comply with other documented instructions provided by Customer that are consistent with the terms of the Agreement and this DPA
  • As necessary to comply with applicable law to which Maileroo is subject

The parties agree that this DPA and the Agreement constitute Customer's complete and final instructions to Maileroo regarding the Processing of Personal Data. Additional instructions outside the scope of this DPA require prior written agreement between the parties.

Maileroo shall immediately inform Customer if, in Maileroo's opinion, an instruction infringes Data Protection Laws. In such cases, Maileroo may suspend performance of the relevant instruction until Customer confirms or modifies it.

3. MAILEROO'S OBLIGATIONS AS PROCESSOR
3.1 Compliance with Instructions

Maileroo shall:

  • Process Personal Data only in accordance with Customer's documented instructions unless required to do otherwise by applicable law
  • Immediately inform Customer if Maileroo becomes aware that Customer's instructions infringe Data Protection Laws
  • Immediately inform Customer if Maileroo is required by applicable law to process Personal Data contrary to Customer's instructions, unless prohibited by law from doing so
  • Not process Personal Data for any purpose other than as instructed by Customer

3.2 Confidentiality

Maileroo shall ensure that all personnel authorized to process Personal Data:

  • Are subject to appropriate confidentiality obligations (whether contractual or statutory)
  • Receive adequate training on data protection, privacy, and security
  • Process Personal Data only as necessary to provide the Services or as instructed by Customer
  • Do not access, use, or disclose Personal Data except as authorized

These confidentiality obligations shall survive the termination of employment or engagement and the termination of this DPA.

3.3 Security Measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects, Maileroo shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breaches, including:

Technical Security Measures:

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256 or equivalent
  • Secure authentication mechanisms, including multi-factor authentication for administrative access
  • Role-based access controls and the principle of least privilege
  • Regular security testing, including vulnerability assessments and penetration testing
  • Network security controls, including firewalls and intrusion detection/prevention systems
  • Secure data backup and disaster recovery procedures
  • Comprehensive logging and monitoring of system access and activities
  • Secure development practices and code review procedures

Organizational Security Measures:

  • Documented information security policies and procedures
  • Employee background checks for personnel with access to Personal Data
  • Regular security awareness training for all personnel
  • Incident response and breach notification procedures
  • Access controls limiting personnel access to Personal Data on a need-to-know basis
  • Secure disposal of equipment and media containing Personal Data
  • Regular review and update of security measures
  • Third-party security assessments and certifications (where available)

A detailed description of the technical and organizational security measures currently implemented by Maileroo is set out in Annex 2 (Security Measures) to this DPA. Maileroo may update or modify these measures from time to time, provided that such updates do not result in a material degradation of the overall security of the Services.

3.4 Sub-processors

Customer provides general written authorization for Maileroo to engage Sub-processors to process Personal Data, subject to the following conditions:

Current Sub-processors:

Maileroo maintains a current list of Sub-processors, including their names, locations, and services provided in Annex 3 to this DPA.

Notification of Changes:

Maileroo shall notify Customer via email at least thirty (30) days before:

  • Engaging a new Sub-processor to process Personal Data
  • Replacing an existing Sub-processor

Right to Object:

Customer may object to Maileroo's appointment or replacement of a Sub-processor on reasonable data protection grounds by notifying Maileroo in writing within fifteen (15) days of receiving notification. Such objection must include detailed reasons relating to data protection concerns.

Resolution:

If Customer objects, the parties shall work together in good faith to find a commercially reasonable solution, which may include:

  • Maileroo proposing an alternative Sub-processor
  • Implementing additional safeguards to address Customer's concerns
  • Customer disabling the affected functionality or features

If the parties cannot reach a resolution within thirty (30) days, Customer may terminate the affected Services without penalty by providing written notice to Maileroo.

Sub-processor Requirements:

Maileroo shall:

  • Impose data protection obligations on Sub-processors that are materially equivalent to those in this DPA
  • Ensure Sub-processors implement appropriate technical and organizational measures to protect Personal Data
  • Conduct appropriate due diligence on Sub-processors before engagement
  • Monitor Sub-processor compliance with their obligations
  • Remain fully liable to Customer for the performance of any Sub-processor's obligations

3.5 Data Subject Rights

Maileroo shall, taking into account the nature of the Processing and to the extent legally permitted:

  • Provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
    • Right of access to Personal Data
    • Right to rectification of inaccurate Personal Data
    • Right to erasure ("right to be forgotten")
    • Right to restriction of Processing
    • Right to data portability
    • Right to object to Processing
    • Rights related to automated decision-making and profiling
  • Promptly notify Customer (and in any event within two (2) business days) if Maileroo receives a request directly from a Data Subject regarding their Personal Data
  • Not respond to such requests directly without Customer's prior written authorization, except to acknowledge receipt and inform the Data Subject to submit their request to Customer
  • Provide Customer with commercially reasonable cooperation and assistance in responding to Data Subject requests

Customer acknowledges that assistance provided by Maileroo beyond the functionality of the Services may be subject to additional fees based on Maileroo's then-current professional services rates. Maileroo shall provide Customer with an estimate before incurring such fees.

3.6 Personal Data Breach Notification

Maileroo shall:

  • Notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data
  • Provide Customer with sufficient information to enable Customer to meet any obligations to report or inform Data Subjects and Supervisory Authorities of the Personal Data Breach under Data Protection Laws, including:
    • A description of the nature of the Personal Data Breach
    • The categories and approximate number of Data Subjects affected
    • The categories and approximate number of Personal Data records affected
    • The likely consequences of the Personal Data Breach
    • The measures taken or proposed to be taken to address the Personal Data Breach
    • Measures to mitigate potential adverse effects
    • Contact details for obtaining more information
  • Provide regular status updates (at least weekly or as otherwise reasonably requested by Customer) on the investigation and remediation of the Personal Data Breach
  • Cooperate with Customer and take commercially reasonable steps to investigate, remediate, and mitigate the effects of the Personal Data Breach
  • Preserve evidence relating to the Personal Data Breach for forensic investigation

Notification of a Personal Data Breach shall be made to the email address associated with Customer's account or to such other email address as Customer may specify in writing.

Customer acknowledges that Maileroo's notification of a Personal Data Breach does not constitute an acknowledgment by Maileroo of fault or liability with respect to the breach.

3.7 Data Protection Impact Assessments and Prior Consultation

Maileroo shall, taking into account the nature of the Processing and the information available to Maileroo, provide reasonable assistance to Customer with:

  • Data protection impact assessments (DPIAs) required under Data Protection Laws
  • Prior consultations with Supervisory Authorities where required
  • Assessment of the privacy and security implications of the Services

Such assistance may include:

  • Providing information about the Services and Maileroo's data processing practices
  • Providing information about security measures and safeguards
  • Providing information about Sub-processors and data transfers
  • Reviewing and commenting on draft DPIAs prepared by Customer

Customer acknowledges that assistance provided by Maileroo beyond providing standard documentation and information may be subject to additional fees based on Maileroo's then-current professional services rates.

3.8 Deletion or Return of Personal Data

Upon termination or expiration of the Agreement, or upon Customer's earlier written request (except as otherwise required by the Agreement), Maileroo shall, at Customer's election:

  • Delete all Personal Data (including copies) in Maileroo's possession or control; or
  • Return a complete copy of all Personal Data to Customer in a commonly used, machine-readable format

Following such deletion or return, Maileroo shall certify in writing to Customer that it has complied with this Section 3.8.

Exceptions:

Maileroo may retain Personal Data to the extent required by applicable law, regulation, or professional standards, provided that Maileroo shall:

  • Ensure the confidentiality of all such retained Personal Data
  • Only process such Personal Data as necessary to comply with the applicable law or regulation
  • Inform Customer of any such legal requirement before deletion, where possible
  • Continue to protect such Personal Data in accordance with this DPA

Standard Retention Periods:

Unless otherwise instructed by Customer or required by law, Maileroo applies the following retention periods:

  • Email content and attachments: Up to 14 days from transmission
  • Email metadata and delivery logs: Up to 14 days from transmission
  • Email analytics and engagement data: Up to 2 years or as configured in Customer's account settings
  • Billing and transaction records: Minimum 7 years (as required by tax and accounting regulations)
  • Backup data: Up to 30 days in encrypted backup systems

3.9 Audit Rights and Compliance

Maileroo shall make available to Customer, upon written request and subject to confidentiality obligations, information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws.

Documentation and Reports:

Maileroo shall provide Customer with:

  • Current copies of relevant security certifications (such as SOC 2 Type II, ISO 27001, or similar)
  • Summary audit reports from independent third-party auditors
  • Security and compliance documentation as reasonably requested
  • Attestations of compliance with this DPA upon reasonable request

On-Site Audits:

Customer may, upon reasonable written request and subject to the following conditions, conduct audits or inspections of Maileroo's data processing activities:

  • Customer provides at least sixty (60) days' prior written notice
  • Audits are conducted no more than once per year, unless:
    • Required by a Supervisory Authority
    • Required in response to a Personal Data Breach
    • Required by applicable law
  • Audits are conducted during normal business hours and do not unreasonably interfere with Maileroo's operations
  • Customer uses an independent third-party auditor reasonably acceptable to Maileroo
  • The auditor is bound by appropriate confidentiality obligations
  • The audit scope is limited to matters relevant to Maileroo's obligations under this DPA
  • Customer bears all costs associated with the audit
  • The audit does not extend to areas where Maileroo processes data for other customers

Audit Findings:

If an audit reveals non-compliance with this DPA:

  • Maileroo shall work with Customer to develop and implement a remediation plan
  • Maileroo shall provide regular updates on remediation progress
  • If the non-compliance poses a material risk, Customer may exercise its termination rights under the Agreement

4. CUSTOMER'S OBLIGATIONS AS CONTROLLER
4.1 Compliance with Data Protection Laws

Customer represents, warrants, and covenants that:

  • It has and will maintain a lawful basis under Data Protection Laws for Processing Personal Data and for instructing Maileroo to process Personal Data on its behalf
  • It has provided and will provide all notices and obtained all consents and authorizations required under Data Protection Laws for the Processing of Personal Data, including for Maileroo's Processing on Customer's behalf
  • Its instructions to Maileroo regarding the Processing of Personal Data comply with Data Protection Laws
  • The Processing of Personal Data in accordance with Customer's instructions will not violate any applicable laws, regulations, or rights of Data Subjects
  • It has implemented and will maintain appropriate security measures for Personal Data in its possession or control

4.2 Instructions to Maileroo

Customer shall:

  • Provide clear, lawful, and documented instructions regarding the Processing of Personal Data
  • Ensure that Customer personnel and end-users who access the Services are authorized to do so and comply with this DPA
  • Use the Services and provide instructions in a manner consistent with applicable Data Protection Laws
  • Promptly notify Maileroo of any changes to instructions or any concerns regarding Maileroo's Processing activities
  • Not provide instructions that would cause Maileroo to violate Data Protection Laws or this DPA

4.3 Prohibited Data

Customer acknowledges that the Services are not designed or intended for the Processing of:

  • Special Categories of Personal Data (as defined in GDPR Article 9 or equivalent under other Data Protection Laws), including data revealing:
    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic data
    • Biometric data for the purpose of uniquely identifying a natural person
    • Health data
    • Data concerning a natural person's sex life or sexual orientation
  • Personal Data relating to criminal convictions and offenses
  • Personal Data of children under the age of 16 (or such other age as may be specified by applicable law) without verified parental or guardian consent
  • Government-issued identification numbers (such as social security numbers, passport numbers, or driver's license numbers), except as necessary for account verification
  • Financial account information (such as credit card numbers or bank account numbers), except as necessary for payment processing

Customer shall not submit, upload, transmit, or otherwise process any such prohibited data through the Services without:

  • Prior written agreement with Maileroo
  • Implementation of additional safeguards as may be required
  • Compliance with all applicable legal requirements

If Customer transmits any prohibited data through the Services:

  • Customer shall immediately notify Maileroo in writing
  • Customer shall indemnify and hold harmless Maileroo from and against any claims, damages, costs, or liabilities arising from such transmission
  • Maileroo may suspend the Services until the issue is resolved
  • Maileroo may terminate the Agreement in accordance with its terms

4.4 Data Subject Rights Requests

Customer acknowledges and agrees that:

  • Customer is responsible for responding to requests from Data Subjects exercising their rights under Data Protection Laws
  • Maileroo provides tools and features within the Services to assist Customer in responding to such requests
  • Customer shall use these tools appropriately and in compliance with Data Protection Laws
  • Maileroo's assistance beyond the standard functionality of the Services may be subject to additional fees

5. INTERNATIONAL DATA TRANSFERS
5.1 Data Location and Transfers

Maileroo's primary data processing facilities are located in the EU. Personal Data may be transferred to, stored, and processed in Germany, the Netherlands, Finland, and other countries where Maileroo or its Sub-processors maintain facilities or data centers.

Customer acknowledges and agrees that Maileroo may make such transfers as necessary to provide the Services.

5.2 Transfers from the EEA, UK, and Switzerland

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not been deemed to provide adequate protection by the European Commission, UK authorities, or Swiss authorities (as applicable), the parties agree to rely on the following transfer mechanisms:

Standard Contractual Clauses (EU):

The parties agree to be bound by the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 as set out in Annex 4 to this DPA.

For purposes of the Standard Contractual Clauses:

  • Customer (and any EU/EEA Affiliate that is a Controller) is the "data exporter"
  • Maileroo is the "data importer"
  • Module Two (Controller to Processor) shall apply
  • The optional docking clause in Clause 7 shall apply
  • In Clause 9(a) (Use of sub-processors), Option 2 (General written authorisation) applies, with a notice period of thirty (30) days
  • In Clause 11(a) (Redress), the optional requirement for independent dispute resolution is not selected
  • In Clause 17 (Governing law), the law of Ireland shall apply
  • In Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Ireland
  • Annex I, Annex II, and Annex III to the Standard Contractual Clauses are completed as set out in Annexes 1, 2, and 3 to this DPA

UK International Data Transfer Addendum:

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office shall apply, incorporating the Standard Contractual Clauses referenced above with the following modifications:

  • Table 1 (Parties): The parties' details are as set out in the Agreement
  • Table 2 (Selected SCCs, Modules and Selected Clauses): Module Two applies as specified above
  • Table 3 (Appendix Information): Information is as set out in Annexes 1, 2, and 3 to this DPA
  • Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither party may end the UK Addendum on this basis

Swiss Data Protection Act:

For transfers from Switzerland, the parties agree that:

  • References to the "GDPR" in the Standard Contractual Clauses shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP)
  • References to "EU Member State" shall be interpreted as references to Switzerland
  • References to the "competent supervisory authority" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC)
  • The Swiss FDPIC shall have jurisdiction for data protection supervision
  • The law of Switzerland shall govern data protection matters to the extent required by Swiss law

5.3 Additional Safeguards

In addition to the Standard Contractual Clauses and related addenda, Maileroo implements the following supplementary measures to protect Personal Data during international transfers:

  • Encryption of Personal Data in transit and at rest
  • Robust access controls and authentication mechanisms
  • Contractual obligations on Sub-processors regarding data protection and security
  • Regular security assessments and audits
  • Incident response and breach notification procedures
  • Employee training on data protection and privacy

5.4 Alternative Transfer Mechanisms

If the Standard Contractual Clauses or other transfer mechanisms referenced in this Section 5 are invalidated, replaced, or amended, or if alternative transfer mechanisms become available and appropriate, the parties agree to cooperate in good faith to:

  • Implement such alternative mechanisms as are necessary to ensure lawful transfers
  • Execute such documents and take such actions as may be required
  • Minimize disruption to the Services during any transition

5.5 Australian Cross-Border Disclosures

For transfers of Personal Data from Australia to overseas recipients, Maileroo agrees to:

  • Comply with Australian Privacy Principle 8 (Cross-border disclosure of personal information)
  • Take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles
  • Enter into contractual arrangements with Sub-processors requiring compliance with the Australian Privacy Principles or substantially similar standards

6. LIABILITY AND INDEMNIFICATION
6.1 Liability Allocation

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set forth in the Agreement.

Nothing in this DPA shall exclude or limit either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Gross negligence or willful misconduct
  • Breach of confidentiality obligations
  • Violations of Data Protection Laws, to the extent such limitations are prohibited by applicable law
  • Indemnification obligations under this DPA or the Agreement
  • Any other liability that cannot be excluded or limited under applicable law

6.2 Maileroo's Indemnification

Maileroo shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and costs) arising from or relating to:

  • Maileroo's Processing of Personal Data in material violation of this DPA
  • Maileroo's failure to implement and maintain security measures as required by Section 3.3
  • A Personal Data Breach caused by Maileroo's negligence, willful misconduct, or failure to comply with this DPA
  • Maileroo's breach of its obligations under Data Protection Laws or this DPA

This indemnification obligation is subject to Customer:

  • Promptly notifying Maileroo in writing of the claim
  • Giving Maileroo sole control of the defense and settlement of the claim
  • Providing reasonable cooperation in the defense, at Maileroo's expense

Maileroo shall not settle any claim in a manner that admits liability on behalf of Customer or imposes obligations on Customer without Customer's prior written consent.

6.3 Customer's Indemnification

Customer shall indemnify, defend, and hold harmless Maileroo and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and costs) arising from or relating to:

  • Customer's Processing of Personal Data in violation of Data Protection Laws
  • Customer's instructions that violate Data Protection Laws or this DPA
  • Customer's transmission of prohibited data as specified in Section 4.3
  • Customer's failure to obtain necessary consents or provide required notices to Data Subjects
  • Customer's breach of its representations, warranties, or obligations under this DPA
  • Claims by Data Subjects arising from Customer's Processing activities (except to the extent caused by Maileroo's breach of this DPA)

This indemnification obligation is subject to Maileroo:

  • Promptly notifying Customer in writing of the claim
  • Giving Customer sole control of the defense and settlement of the claim
  • Providing reasonable cooperation in the defense, at Customer's expense

Customer shall not settle any claim in a manner that admits liability on behalf of Maileroo or imposes obligations on Maileroo without Maileroo's prior written consent.

6.4 Mitigation

Each party shall take reasonable steps to mitigate damages arising from any breach of this DPA.

7. TERM AND TERMINATION
7.1 Term

This DPA shall commence on the effective date of the Agreement and shall remain in effect until the earlier of:

  • Termination or expiration of the Agreement; or
  • Deletion or return of all Personal Data by Maileroo in accordance with Section 3.8

7.2 Effect of Termination

Upon termination of this DPA:

  • Maileroo shall cease all Processing of Personal Data, except:
    • As necessary to comply with Section 3.8 (Deletion or Return of Personal Data)
    • As required by applicable law
    • To the extent Personal Data has been anonymized or aggregated such that it no longer constitutes Personal Data
  • Maileroo shall delete or return Personal Data in accordance with Section 3.8
  • The following provisions shall survive termination:
    • Section 3.2 (Confidentiality)
    • Section 3.8 (Deletion or Return of Personal Data)
    • Section 6 (Liability and Indemnification)
    • Section 8 (General Provisions)
    • Any other provisions that by their nature should survive

7.3 Termination for Breach

Either party may terminate this DPA (and, if applicable, the Agreement) if:

  • The other party materially breaches this DPA and fails to remedy such breach within thirty (30) days of receiving written notice
  • The other party's Processing of Personal Data poses an immediate and serious threat to Data Subjects' rights and freedoms (in which case immediate termination may be effected upon written notice)

8. GENERAL PROVISIONS
8.1 Amendments and Updates

Maileroo may amend this DPA from time to time to:

  • Reflect changes in Data Protection Laws
  • Reflect guidance or determinations from Supervisory Authorities
  • Implement industry best practices
  • Reflect changes to the Services or Sub-processors
  • Address security or compliance requirements

Material changes to this DPA will be communicated to Customer:

  • By email to the address associated with Customer's account
  • Through a notice in Customer's account dashboard
  • By posting an updated version on our website

Customer will be given at least thirty (30) days' notice before material changes take effect. Customer's continued use of the Services after such changes constitutes acceptance of the amended DPA.

If Customer does not agree to material changes, Customer may terminate the Agreement in accordance with its terms.

8.2 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction:

  • The remaining provisions shall remain in full force and effect
  • The invalid provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the invalid provision
  • The parties shall negotiate in good faith to implement such replacement provision

8.3 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, without regard to conflicts of law principles.

For the avoidance of doubt, this choice of law:

  • Shall not affect the protection granted to Data Subjects under Data Protection Laws that cannot be derogated from by contract
  • Shall not override the governing law and jurisdiction provisions in the Standard Contractual Clauses (where applicable)

8.4 Order of Precedence

In the event of any conflict or inconsistency between documents, the following order of precedence shall apply (from highest to lowest):

  1. Standard Contractual Clauses and related addenda (where applicable)
  2. This Data Processing Addendum and its Annexes
  3. The Agreement (Terms and Conditions)
  4. Other policies referenced in the Agreement

8.5 Third-Party Beneficiaries

For the Standard Contractual Clauses only, Data Subjects are third-party beneficiaries to the extent provided in the Standard Contractual Clauses. Except as expressly provided in the Standard Contractual Clauses, there are no third-party beneficiaries to this DPA.

8.6 Entire Agreement

This DPA, together with the Agreement and the Annexes to this DPA, constitutes the entire agreement between the parties regarding the Processing of Personal Data and supersedes all prior agreements, understandings, negotiations, and discussions relating to such subject matter.

8.7 Waiver

No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom the waiver is sought to be enforced. No failure or delay by either party in exercising any right, power, or remedy shall operate as a waiver thereof.

8.8 Assignment

Neither party may assign or transfer this DPA without the prior written consent of the other party, except that Maileroo may assign this DPA:

  • To an Affiliate, provided that Maileroo remains liable for performance
  • In connection with a merger, acquisition, or sale of all or substantially all of its assets

Any attempted assignment in violation of this provision is void.

8.9 Notices

All notices under this DPA shall be in writing and shall be deemed given:

  • When delivered personally
  • When sent by confirmed email
  • Five (5) business days after being sent by registered or certified mail
  • Two (2) business days after being sent by recognized international courier

Notices to Customer shall be sent to the email address associated with Customer's account or as otherwise specified by Customer.

Notices to Maileroo shall be sent to: [email protected]

8.10 Language

This DPA is executed in English. If this DPA is translated into any other language, the English version shall prevail in the event of any conflict.

9. CONTACT INFORMATION

For questions, concerns, or requests regarding this DPA, data protection matters, or to exercise rights under this DPA, please contact:

Maileroo Group Pty Ltd
ACN 691 482 836
Level 10, 440 Collins Street
Melbourne VIC 3000
Australia

Email: [email protected]

Data Protection Officer: [email protected]

10. ACKNOWLEDGMENT AND ACCEPTANCE

By accepting the Terms and Conditions, creating an account, or using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Addendum.

If Customer requires a separately signed copy of this DPA for compliance purposes, please contact us at [email protected] and we will provide an electronically executable version.


ANNEX 1: DETAILS OF PROCESSING

This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and the Standard Contractual Clauses.

A. LIST OF PARTIES
Data Exporter (Controller):
  • Name: Customer (as identified in the Agreement)
  • Address: As provided in Customer's account information
  • Contact person: Account administrator
  • Activities relevant to the data transferred: Use of Maileroo's email delivery and marketing services
  • Role: Controller
Data Importer (Processor):
  • Name: Maileroo Group Pty Ltd
  • Address: Level 10, 440 Collins Street, Melbourne VIC 3000, Australia
  • Contact person: Data Protection Officer - [email protected]
  • Activities relevant to the data transferred: Provision of email API, SMTP relay, email marketing platform, email validation, tracking, analytics, and related services
  • Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects:
  • Customer's employees, contractors, and authorized users of the Services
  • Recipients of emails sent through the Services
  • Individuals whose email addresses are stored in Customer's contact lists or databases
  • Website visitors who interact with emails sent through the Services (e.g., open, click tracking)
  • Subscribers to Customer's email marketing campaigns
Categories of Personal Data:
  • Contact information: email addresses, names (from email headers or content)
  • Communication data: email subject lines, message bodies, attachments, email headers, timestamps, message IDs
  • Technical data: IP addresses of senders and recipients, device identifiers, browser type and version, operating system
  • Usage data: email engagement metrics (opens, clicks, bounces, unsubscribes, spam complaints)
  • Location data: geographic location derived from IP addresses
  • Account data: usernames, account settings, preferences
  • Metadata: date and time information, email routing information
Sensitive Data (if applicable):

The Services are not intended for processing Special Categories of Personal Data as defined in GDPR Article 9. If Customer processes such data despite this restriction, Customer assumes full responsibility and liability.

Frequency of Transfer:

Continuous for the duration of the Agreement, as Customer uses the Services to send emails and access analytics.

Nature of Processing:

The Personal Data transferred will be subject to the following basic processing activities:

  • Collection and receipt of Personal Data from Customer via API, SMTP, or web interface
  • Storage of Personal Data on Maileroo's secure servers
  • Transmission of emails to recipient mail servers
  • Recording and tracking of email delivery status and engagement events
  • Analysis and aggregation of email performance metrics
  • Validation of email addresses for deliverability
  • Generation of reports and analytics dashboards
  • Retention of Personal Data in accordance with retention policies
  • Deletion or anonymization of Personal Data upon expiration of retention periods or Customer request

Purpose(s) of Processing:
  • To send, deliver, and track emails on behalf of Customer
  • To validate email addresses and improve deliverability
  • To provide analytics and reporting on email campaign performance
  • To maintain and improve email deliverability rates
  • To provide customer support and troubleshooting
  • To detect, prevent, and address fraud, spam, and abuse
  • To comply with legal obligations and enforce our policies
  • To improve and optimize the Services

Period for which Personal Data will be Retained:

Personal Data will be retained for the duration of the Agreement plus the following retention periods:

  • Email content and attachments: Up to 14 days from transmission
  • Email metadata and delivery logs: Up to 14 days from transmission
  • Email analytics and engagement data: Up to 2 years or as configured by Customer
  • Billing and transaction records: Minimum 7 years (as required by law)
  • Backup data: Up to 30 days in encrypted backup systems

Personal Data may be retained longer to the extent required by applicable law or regulation.

For Transfers to Sub-processors:

Subject to the conditions set out in Section 3.4 of this DPA and the current list of Sub-processors in Annex 3.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses, which will generally be:

  • For data transfers from the EEA: The supervisory authority of the EU Member State where the data exporter is established or, if not established in the EEA, where the data exporter's representative is established
  • For data transfers from the UK: The UK Information Commissioner's Office
  • For data transfers from Switzerland: The Swiss Federal Data Protection and Information Commissioner

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Maileroo has implemented and maintains the following technical and organizational measures to protect Personal Data, in accordance with Article 32 GDPR and applicable Data Protection Laws:

1. PHYSICAL SECURITY
Data Center Security:
  • Tier III or higher certified data centers with 24/7 security monitoring
  • Physical access controls including biometric authentication and security badges
  • Video surveillance and recording systems
  • Visitor logs and escort requirements for non-authorized personnel
  • Environmental controls (fire suppression, temperature and humidity monitoring, flood detection)
  • Redundant power supplies (UPS and backup generators)
  • Redundant network connectivity
  • Secure equipment disposal and destruction procedures
2. NETWORK AND SYSTEM SECURITY
Network Security:
  • Next-generation firewalls with stateful inspection
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network segmentation and isolation (DMZ, internal zones)
  • DDoS protection and mitigation services
  • Virtual Private Networks (VPNs) for remote administrative access
  • Regular network security scans and assessments
System Security:
  • Hardened server configurations following industry best practices
  • Regular security patches and updates (critical patches within 48 hours)
  • Antivirus and anti-malware software on all systems
  • Vulnerability scanning and remediation
  • Security event and information management (SIEM) systems
  • Automated security monitoring and alerting
3. ACCESS CONTROLS
Authentication and Authorization:
  • Multi-factor authentication (MFA) required for all administrative access
  • Role-based access control (RBAC) with principle of least privilege
  • Strong password policies (minimum length, complexity, expiration)
  • Single sign-on (SSO) capabilities for enterprise customers
  • Secure API authentication using API keys and OAuth 2.0
  • Regular access reviews and certification
  • Immediate revocation of access upon termination of employment or contract
Access Logging and Monitoring:
  • Comprehensive logging of all access to Personal Data
  • Centralized log management and retention (minimum 14 days)
  • Real-time monitoring and alerting for suspicious activities
  • Regular review of access logs
  • Audit trails for all administrative actions
4. DATA ENCRYPTION
Encryption in Transit:
  • TLS 1.2 or higher for all data transmissions
  • HTTPS enforced for all web interfaces
  • Secure SMTP with STARTTLS support
  • Perfect Forward Secrecy (PFS) enabled
  • Regular updates to cryptographic protocols and cipher suites
Encryption at Rest:
  • AES-256 encryption for all databases containing Personal Data
  • Full disk encryption on all servers and storage systems
  • Encrypted backups
  • Secure encryption key management with key rotation
  • Hardware Security Modules (HSMs) for key storage where applicable
5. APPLICATION SECURITY
Secure Development:
  • Security-focused software development lifecycle (SDLC)
  • Code reviews with security focus
  • Static and dynamic application security testing (SAST/DAST)
  • Dependency scanning for known vulnerabilities
  • Security testing in pre-production environments
  • Regular security training for developers
Application Protections:
  • Protection against OWASP Top 10 vulnerabilities
  • Input validation and output encoding
  • SQL injection prevention
  • Cross-site scripting (XSS) protection
  • Cross-site request forgery (CSRF) protection
  • Secure session management
  • Rate limiting and throttling to prevent abuse
6. INCIDENT RESPONSE AND BUSINESS CONTINUITY
Incident Response:
  • Documented incident response plan and procedures
  • Dedicated incident response team
  • 24/7 security monitoring and incident detection
  • Defined escalation procedures
  • Forensic investigation capabilities
  • Post-incident analysis and remediation
  • Breach notification procedures compliant with Data Protection Laws
Business Continuity and Disaster Recovery:
  • Regular encrypted backups (daily incremental, weekly full)
  • Geographically distributed backup storage
  • Documented business continuity and disaster recovery plans
  • Redundant infrastructure and automatic failover
  • Regular testing of backup restoration (quarterly)
  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 24 hours maximum data loss
7. ORGANIZATIONAL SECURITY
Personnel Security:
  • Background checks for all employees with access to Personal Data
  • Confidentiality and non-disclosure agreements for all personnel
  • Regular security awareness training (at least annually)
  • Specialized data protection and privacy training for relevant personnel
  • Clear separation of duties for critical functions
  • Offboarding procedures including immediate access revocation
Policies and Procedures:
  • Comprehensive information security policy
  • Data protection and privacy policy
  • Acceptable use policy
  • Change management procedures
  • Vendor management and third-party security requirements
  • Data classification and handling standards
  • Secure disposal and destruction procedures
8. COMPLIANCE AND AUDIT
Compliance Monitoring:
  • Regular internal security audits and assessments
  • Third-party security audits and penetration testing (at least annually)
  • Compliance with relevant security frameworks (e.g., ISO 27001, SOC 2)
  • Regular review and update of security measures
  • Documentation of security controls and procedures
  • Security metrics and reporting
Certifications and Standards:
  • Ongoing pursuit of relevant security certifications (SOC 2 Type II, ISO 27001)
  • Compliance with industry-specific standards where applicable
  • Regular assessment against NIST Cybersecurity Framework
  • Participation in responsible disclosure programs
9. DATA MINIMIZATION AND RETENTION
Data Minimization:
  • Collection of only necessary Personal Data for service provision
  • Regular review of data collection practices
  • Pseudonymization and anonymization where appropriate
  • Aggregation of data for analytics where possible
Data Retention and Disposal:
  • Defined retention periods for different categories of Personal Data
  • Automated deletion processes upon expiration of retention periods
  • Secure deletion methods ensuring data cannot be recovered
  • Secure physical destruction of hardware containing Personal Data
  • Certificates of destruction for physical media
10. CONTINUOUS IMPROVEMENT

Maileroo continuously reviews and updates its security measures to:

  • Address evolving security threats
  • Incorporate technological advances
  • Maintain compliance with Data Protection Laws
  • Implement industry best practices
  • Respond to audit findings and recommendations

ANNEX 3: LIST OF SUB-PROCESSORS

Maileroo engages the following Sub-processors to process Personal Data on behalf of Customer in connection with the Services:

Name, entity location, and purpose of processing:

  • Paddle.com Market Limited (United Kingdom): Subscription billing, payment processing, tax compliance, and customer invoicing
  • Crisp IM SAS (France): Customer support chat and messaging platform
  • Zendesk, Inc. (United States): Customer support ticketing system and helpdesk software
  • StatCounter (Ireland): Analytics and reporting services
  • BunnyWay d.o.o. (Slovenia): Storage and Content Delivery Network (CDN) services
  • IPInfo, Inc. (United States): Geolocation services
  • Twilio, Inc. (United States): SMS and phone verification services
  • Proton AG (Switzerland): Email and collaboration services
  • GitHub, Inc. (United States): Source code repository and collaboration services
  • OpenRouter, Inc. (United States): LLM API services
  • Cloudflare, Inc. (United States): Content delivery network (CDN), DDoS protection, and WAF services
  • Hetzner Online GmbH (Germany): Server hosting, data storage, and infrastructure services for the platform
  • The Constant Company, LLC (United States): Cloud infrastructure services including computing, storage, and networking
  • Contabo GmbH (Germany): Server hosting, data storage, and infrastructure services for the platform
  • Macarne Limited (United Kingdom): Server hosting, data storage, and infrastructure services for the platform
  • Google LLC (United States): Analytics services (website and application usage tracking)

Additional Sub-processors may be added subject to the notification requirements in Section 3.4 of this DPA.

Notification of Changes: Customer will be notified via email at least thirty (30) days in advance of any additions or replacements to this list, in accordance with Section 3.4 of this DPA.

Sub-processor Obligations: Each Sub-processor is bound by written agreements requiring them to provide at least the same level of data protection as set out in this DPA, including:

  • Processing Personal Data only in accordance with documented instructions
  • Maintaining confidentiality of Personal Data
  • Implementing appropriate technical and organizational security measures
  • Assisting with Data Subject rights requests
  • Notifying Maileroo of Personal Data Breaches
  • Deleting or returning Personal Data upon termination
  • Submitting to audits and inspections

ANNEX 4: STANDARD CONTRACTUAL CLAUSES

This Annex incorporates the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

STANDARD CONTRACTUAL CLAUSES

Module Two: Controller to Processor

For the purposes of the Standard Contractual Clauses:

Clause 7 – Docking Clause:

The optional docking clause applies. An entity not party to these Clauses may accede to them at any time by executing an addendum.

Clause 9 – Use of Sub-processors:

Option 2 (General written authorisation) applies. The data importer has the data exporter's general authorisation for the engagement of Sub-processors. The data importer shall inform the data exporter of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the data exporter the opportunity to object to such changes. The notice period is thirty (30) days.

Clause 11 – Redress:

Option 1 applies. The optional requirement for independent dispute resolution is NOT selected.

Clause 13 – Supervision:

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 shall act as competent supervisory authority.

Clause 17 – Governing Law:

These Clauses shall be governed by the law of Ireland.

Clause 18 – Choice of Forum and Jurisdiction:

Any dispute arising from these Clauses shall be resolved by the courts of Ireland.

APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES

The Appendix to the Standard Contractual Clauses is completed as follows:

  • Annex I (List of Parties and Description of Transfer): As set out in Annex 1 to this DPA
  • Annex II (Technical and Organisational Measures): As set out in Annex 2 to this DPA
  • Annex III (List of Sub-processors): As set out in Annex 3 to this DPA
UK INTERNATIONAL DATA TRANSFER ADDENDUM

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office applies, with the following specifications:

  • Table 1 (The Parties): As specified in the Agreement and Annex 1 to this DPA
  • Table 2 (Selected SCCs, Modules and Selected Clauses): The Approved EU SCCs, Module Two (Controller to Processor), with the specifications noted above
  • Table 3 (Appendix Information): As set out in Annexes 1, 2, and 3 to this DPA
  • Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither party may end this Addendum on this basis
SWISS DATA PROTECTION LAW MODIFICATIONS

For transfers from Switzerland, the parties agree to the following modifications to the Standard Contractual Clauses:

  • References to "Regulation (EU) 2016/679" or "GDPR" shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP)
  • References to "EU", "Union", and "Member State" shall be interpreted as references to Switzerland
  • References to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the competent courts in Switzerland
  • The FDPIC shall have jurisdiction for data protection supervision
  • To the extent required by Swiss law, the law of Switzerland shall govern data protection matters
ACCESSING THE FULL TEXT

The full text of the Standard Contractual Clauses and related addenda can be accessed at:

Copies of these documents are also available upon request by contacting: [email protected]

This Data Processing Addendum was last updated on 2 October 2025. For questions or to request a signed copy, please contact [email protected].