Data Processing Agreement
Last updated: 2026-06-13
This Data Processing Addendum ("DPA") forms part of the agreement between Mailmundo LLC ("Mailmundo," "Processor") and the Customer ("Controller") and governs Mailmundo's processing of personal data on the Customer's behalf when the Customer uses the Service to send email to its own contacts. It is designed to support compliance with applicable data-protection laws, including the EU/UK GDPR, the LGPD, and U.S. state privacy laws (such as the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and TDPSA). This page is informational and is not legal advice; consult your counsel for your specific obligations. In case of conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls.
1. Roles of the Parties
With respect to the recipient and contact data the Customer uploads, imports, or otherwise provides through the Service ("Customer Personal Data"), the Customer is the controller (or "business"/"controller" under U.S. state law) and determines the purposes and means of processing, and Mailmundo is the processor (or "service provider"/"processor") that processes such data only on the Customer's documented instructions. Where Mailmundo processes data about the Customer's own account and billing, Mailmundo acts as a controller, governed by its Privacy Policy. Mailmundo will not sell or share Customer Personal Data, will not retain, use, or disclose it for any purpose other than performing the Service or as permitted by law, and will not combine it with data from other sources except as permitted under applicable law.
2. Scope, Nature, and Purpose of Processing
Mailmundo processes Customer Personal Data to provide the Service: storing contact lists; sending email campaigns via AWS SES; handling bounces, opens, clicks, unsubscribes, and complaints; maintaining suppression lists; generating analytics; and providing related support and security. The categories of data subjects are the Customer's recipients and contacts; the categories of personal data typically include email addresses, names, and any custom fields and engagement metadata the Customer chooses to upload. Processing continues for the duration of the agreement. The Customer instructs Mailmundo to process Customer Personal Data as necessary to provide the Service and as otherwise documented in the agreement; Mailmundo will notify the Customer if it believes an instruction violates applicable law.
3. Processor Obligations
Mailmundo will: (a) process Customer Personal Data only on the Customer's documented instructions, including for international transfers, unless required by law (in which case it will notify the Customer unless legally prohibited); (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement appropriate technical and organizational security measures (Section 5); (d) assist the Customer, taking into account the nature of processing, with data-subject requests, security, breach notification, data protection impact assessments, and consultations with authorities; and (e) make available information necessary to demonstrate compliance with this DPA. The Customer is responsible for the lawfulness of the data it uploads, for obtaining all necessary consents, and for the content and recipients of its campaigns.
4. Sub-Processors
The Customer provides general authorization for Mailmundo to engage sub-processors to provide the Service, including Amazon Web Services (hosting and AWS SES email delivery), Supabase/PostgreSQL (database hosting), and Stripe (billing). Mailmundo imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for its sub-processors' performance. Mailmundo will maintain a current list of sub-processors and provide reasonable advance notice of additions or replacements; the Customer may object on reasonable data-protection grounds, and the parties will work in good faith to resolve the objection, failing which the Customer may terminate the affected Service.
5. Security Measures
Mailmundo maintains administrative, technical, and physical safeguards appropriate to the risk, including: encryption of data in transit; PostgreSQL row-level security (RLS) to isolate tenant data; storage of passwords and API keys as one-way hashes; role-based access controls and least-privilege access; audit logging of security-relevant events; and use of reputable infrastructure providers (AWS, Supabase, Stripe). Mailmundo is not currently SOC 2 certified (certification is on its roadmap) and does not claim any certification it has not obtained. The Customer is responsible for configuring its use of the Service securely and for safeguarding its credentials and API keys.
6. Data-Subject Requests
Taking into account the nature of the processing, Mailmundo will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising rights under applicable law (access, deletion, correction, portability, objection, opt-out, and similar). If Mailmundo receives a request directly from a data subject relating to Customer Personal Data, it will, where permitted, direct the individual to the Customer and will not respond except on the Customer's instructions or as legally required. The Service provides self-service tools (such as suppression, unsubscribe, and export) that enable the Customer to fulfill many such requests directly.
7. International Data Transfers
Mailmundo is based in the United States and processes data there and potentially in other jurisdictions. Where Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties agree that the applicable Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant) are incorporated by reference and apply to such transfers, with Mailmundo as data importer. The Customer is responsible for ensuring it has a lawful basis and any required transfer mechanism for the data it routes through the Service. Mailmundo will provide reasonable cooperation to support the Customer's transfer-mechanism obligations.
8. Breach Notification
Mailmundo will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations to authorities and data subjects. Such notification is not an acknowledgment of fault or liability. Mailmundo will take reasonable steps to investigate, mitigate, and remediate the breach. The Customer is responsible for determining whether the incident requires notification to regulators or individuals under applicable law and for making any such notifications.
9. Deletion and Return of Data
Upon termination or expiration of the agreement, and at the Customer's choice, Mailmundo will delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by applicable law or for backup, audit, suppression, or anti-spam compliance, in which case the data remains subject to this DPA's confidentiality and security terms until deleted. The Customer is responsible for exporting its data before termination using the tools provided. Suppression and unsubscribe records may be retained as necessary to honor opt-outs and demonstrate compliance.
10. Audit
Mailmundo will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. Upon the Customer's reasonable written request, no more than once per year (unless required by a supervisory authority or following a breach), and subject to confidentiality, Mailmundo will respond to reasonable audit inquiries or provide available reports or summaries of its security practices. Any on-site audit will be at the Customer's expense, scheduled with reasonable advance notice, conducted during business hours, and designed to minimize disruption and protect other customers' data and the Service's security.
11. Term, Liability, and Contact
This DPA is effective for as long as Mailmundo processes Customer Personal Data on the Customer's behalf and survives termination of the agreement until all such data is deleted or returned. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA does not relieve either party of obligations imposed directly on it by applicable data-protection law. For data-protection matters or to exercise rights under this DPA, contact privacy@mailmundo.com or the address published on our website.