Data Processing
1. Subject Matter and Duration
This DPA governs the Processor’s Processing of Personal Data on behalf of the Controller in connection with the provision of the Warmup Inbox services (the “Services”). This DPA is effective for the term of the Agreement under which the Services are provided and will survive until the Processor deletes or returns all Personal Data as instructed by the Controller.
2. Roles of the Parties
The Controller determines the purposes and means of Processing Personal Data. The Processor Processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by EU or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information.
3. Definitions
- “Personal Data” has the meaning given in Article 4(1) GDPR and includes any information relating to an identified or identifiable natural person Processed by the Processor on behalf of the Controller.
- “Processing” has the meaning given in Article 4(2) GDPR.
- “Sub‑processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
- “SCCs” means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
4. Nature and Purpose of Processing
Processor will Process Personal Data as necessary to provide, maintain, secure, and support the Services (e.g., connecting to mailboxes via IMAP/SMTP/OAuth, sending/receiving warm‑up messages, deliverability analytics, account administration, billing, and customer support).
5. Categories of Data Subjects and Types of Personal Data
- Data Subjects: Controller’s authorised users; recipients/contacts involved in warm‑up exchanges; customer billing contacts.
- Personal Data: Account identifiers (name, email, login ID); mailbox metadata and header data; message body snippets as required for warm‑up workflows; usage logs; billing identifiers (limited to what is needed to process payments via the payment provider); support communications.
- Special Categories: The Services are not intended to Process special categories of data (GDPR Art. 9) or children’s data. Controller will not submit such data to the Services.
6. Controller Responsibilities
Controller is responsible for the lawfulness of Processing (including providing any required notices and obtaining consents), the accuracy of Personal Data, and the legality of the means by which the Controller acquired Personal Data. Controller will not instruct the Processor to Process Personal Data in a manner that violates applicable law.
7. Processor Obligations
- Instructions. Processor shall Process Personal Data only on documented instructions from Controller.
- Confidentiality. Processor ensures that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. Processor implements the technical and organisational measures described in Annex II.
- Assistance. Taking into account the nature of Processing, Processor assists Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Controller’s obligations to respond to Data Subject requests under Chapter III GDPR (see Section 10).
- Breach Notification. Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach, and provide information reasonably required for Controller to meet its breach‑notification obligations.
- Data Protection Impact Assessments. Processor will provide reasonable assistance to Controller with DPIAs and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to Processor.
- Return/Deletion. At the end of the provision of Services, and at Controller’s choice, Processor shall delete or return all Personal Data and delete existing copies (unless EU or Member State law requires storage).
- Records. Processor will make available to Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits (see Section 11).
8. Sub‑processors
Controller authorises Processor to engage the Sub‑processors listed in Annex III. Processor will impose data protection obligations on Sub‑processors that are no less protective than those set out in this DPA. Processor will provide advance notice of any intended changes concerning the addition or replacement of Sub‑processors at the Sub‑processor page identified in Annex III, thereby giving Controller the opportunity to object on reasonable grounds.
9. International Transfers
Where the Processing involves a transfer of Personal Data to a third country outside the EEA/UK not subject to an adequacy decision, the Parties agree that such transfers shall be governed by the SCCs (Module 2 and/or Module 3, as applicable). For UK transfers, the UK IDTA / UK Addendum to the SCCs will apply. If there is a conflict between this DPA and the SCCs, the SCCs shall prevail for the relevant transfer.
10. Assistance with Data Subject Requests
Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organisational measures, insofar as possible, to fulfil Controller’s obligation to respond to requests for exercising the Data Subject’s rights under GDPR Chapter III. Controller is responsible for verifying the identity of the requester and determining the scope of the response. Requests may be sent to [email protected].
11. Audits and Compliance
Upon reasonable advance notice, no more than once annually (unless required by a competent authority or following a Personal Data Breach), Processor will make available information necessary to demonstrate compliance with this DPA and, where strictly necessary, allow audits to be conducted by Controller or an independent auditor mandated by Controller, during normal business hours and in a manner that does not disrupt operations or compromise the security or confidentiality of other customers’ data.
12. Liability and Indemnity
The Parties’ aggregate liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits a Party’s liability where such limitation is not permitted by applicable law.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of the Slovak Republic. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the Slovak Republic, without prejudice to mandatory provisions of the SCCs for international transfers.
14. Order of Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the Processing of Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail for the relevant transfer.
15. Contact Points
- Privacy/Data Protection: [email protected]
- Support: [email protected]
- Registered Address: CyberPanda s.r.o, Obchodna 2, 811 06 Bratislava, Slovak Republic; [email protected]
Annex I — Details of Processing
- Subject‑matter: Operation of the Warmup Inbox Services for Controller’s accounts.
- Duration: For the term of the Agreement plus a 90‑day deprovisioning period unless a longer period is required by law.
- Nature and purpose: Connectivity to mail systems; sending/receiving warm‑up emails; reputation and deliverability analytics; account administration and support.
- Types of Personal Data: As listed in Section 5 above.
- Categories of Data Subjects: As listed in Section 5 above.
- Frequency of transfer: Continuous and as initiated by Controller’s use of the Services.
- Retention/Deletion: As set out in Section 7 (Return/Deletion) and the Privacy Policy; backups rotate on a defined schedule.
Annex II — Technical and Organisational Measures (TOMs)
- Access Control: Role‑based access; least‑privilege; multi‑factor authentication for administrative access; regular access reviews.
- Encryption: TLS in transit; encryption at rest for primary data stores and backups where supported.
- Network & Infrastructure Security: Segmented networks; firewalls; DDoS protections; hardened configurations; security patching.
- Application Security: Secure SDLC; code reviews; vulnerability management; logging and monitoring.
- Operational Security: Change management; incident response plan; employee security training; background checks where legally permissible.
- Data Minimisation & Pseudonymisation: Collect only data necessary for the Services; pseudonymise where feasible.
- Backup & Recovery: Regular backups; tested restore procedures; geographically separate backup storage where applicable.
- Supplier Management: Due diligence and contractual security obligations for Sub‑processors.
Annex III — Authorised Sub‑processors
As of the Effective Date, the following vendors are used to support the Services:
| Vendor | Role | Location | Safeguard for Transfers |
|---|---|---|---|
| WorldStream B.V. | Infrastructure hosting | Netherlands (EEA) | EEA hosting |
| Stripe Payments Europe, Ltd. | Payment processing (limited billing data) | Ireland (EEA) | EEA processing |
Processor may update this list from time to time. Controller may subscribe to change notifications on the Sub‑processor page and may object on reasonable grounds within 14 days of notice.