Data Processing Agreement
Last revised and updated 10/29/2020.
On October 29, 2020 we updated the Data Protection Agreement in the following way:
– We have clarified our data protection safeguards in place to ensure that any international transfers are done with valid legal basis.
– We have updated our list of subcontractors to align with our use across our combined company since the acquisition of Mailjet by Mailgun in October 2019.
– We have integrated Standard contractual clauses into our DPA by default.
– We have updated our technical and organisational security measures in place to align with our security standards across our combined company.
The older version (December 27, 2019) of our Data Processing Agreement can be found below:
In the course of providing the Services under the Agreement, Mailjet may process certain Personal Data on Customer’s behalf and in such cases, the Parties agree to comply with the terms and conditions in this DPA.
For all purposes herein, the Customer is the controller of its Personal Data and Mailjet is the processor of such Data, except when the Customer acts as a processor of the Customer’s Personal Data, in which case Mailjet is a Sub-Processor.
Mailjet may periodically update this DPA. If you have an active Mailjet account, we will inform you of any important changes.
1. Subject and duration
(1) The Processor and other Data Processing entities as listed in Section 7 of this Agreement perform IT Services for the controller, as part of the provision of services pursuant to the services contract between the Parties. IT Services are defined as “distributed Data Processing services” which are not characterized through a conventional bilateral cooperation between Processor and Controller, but are generated by multiple Processors with alternating processing duties.
(2) As Personal Data will be processed on behalf of the Controller and according to its instructions for this matter, the services are commissioned Data Processing in accordance with the European Regulation 2016/679 (General Data Protection Regulation, “GDPR”) and all applicable Data Protection Laws.
(3) The terms “Personal Data”, “Processing”, “Consent”, “Collection”, “Third Party”, “Controller” and “Processor” are to be interpreted according to the definitions given in Article 4 of the GDPR.
2. Details of the Processing
(1) The Processing of the Controller’s Data within the scope of the Agreement shall be carried out in accordance with the following stipulations:
(a) Subject-matter: The subject-matter of Processing of Personal Data by Processor is the provision of the Services to the Controller that involves the Processing of Personal Data, as specified in the Agreement.
(b) Types of Personal Data: The Personal Data submitted, the extent of which is determined and controlled by the Controller in its sole discretion, includes name, email, telephone numbers, company titles and other specific Data as entered by the Controller into the Processor platform.
(c) Categories of Data Subjects: Controller may submit Personal Data into the Processor platform, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to Controller’s contacts and other end users including Controller’s employees, contractors, collaborators, customers, prospects, suppliers and Sub-processors.
(d) Duration of the Processing: Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of this DPA.
3. Obligations of the Controller
(1) Within the scope of the Agreement and in its use of the Services, the Controller is responsible for its own compliance with the requirements relating to Data protection and privacy provisions.
(2) The Controller warrants that:
(a) The Processing of the Controller’s Personal Data is based on legal grounds, as may be required by EU Data Protection Laws, with respect to Mailjet’s Services under this DPA and the Agreement; and
(b) The Controller will inform its Data Subjects about its use of Processors in Processing their Personal Data, to the extent required under applicable Data protection Law.
(3) The Controller shall ensure compliance with the security measures implemented by the Processor and guarantee a level of security adapted to the risk.
(4) The Controller shall respond in a reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by the Controller, and give appropriate instructions to the Processor in a timely manner.
(5) The Controller shall respond in a reasonable time to enquiries from Data Protection Authorities regarding the Processing of relevant Personal Data by the Controller.
4. Obligations of the Processor
(1) Compliance with instructions
(a) Processor shall collect, process and use Personal Data only for the purposes of fulfilling its obligations under the Agreement and within the scope of Controller’s Instructions. If the Processor believes that an Instruction of the Controller infringes the Data Protection Law, it shall inform the Controller without delay.
(b) The Customer’s instructions shall be documented in the applicable order, services description, support ticket, other written communication or as directed by Customer using the Services (such as through an API or service portal).
(c) If Processor cannot process Personal Data in accordance with the Instructions due to a legal requirement under any applicable Data Protection Law, Processor will promptly notify the Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and cease all Processing until such time as the Controller issues new instructions with which Processor is able to comply.
(2) Security of Processing
(a) The Processor’s internal operating procedures shall comply with the specific requirements of effective Data Protection management.
(b) The Processor warrants and undertakes to employ and document reasonable and appropriate technical and organizational security measures for the Data Processing.
(c) Personal Data processed for different Controllers must be processed separately by the Processor. To ensure separate handling, the Processor undertakes to implement security measures including, but not limited to:
- anonymisation and encryption of Personal Data;
- the means to ensure the ongoing confidentiality, integrity and availability of Processing systems and services;
- the means of restoring the availability of and access to Personal Data within appropriate time limits in the event of a physical or technical security incident;
- a procedure to regularly test, analyse and evaluate the effectiveness of technical and organizational measures to ensure the security of the Processing operation.
(d) The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced.
(3) Confidentiality
(a) The Processor warrants and undertakes that all employees involved in the Data Processing are in possession of the required professional qualifications and are trained in the relevant security and Data Protection requirements.
(b) The Processor assures that those employees are subject to confidentiality obligations with respect to the Personal Data provided by the Controller.
(c) Insofar as the Processor is required by law to provide Third Parties with information about customer Data, the Processor shall inform the Controller in writing about the recipient, time and content of the information to be provided and its legal basis within a reasonable period prior to providing such information.
(4) Personal Data Breaches
(a) The Processor shall notify the Controller without undue delay of any Personal Data breach, including any unauthorised or unlawful Processing of Personal Data and any accidental loss, alteration, misuse, disclosure or destruction of, or damage to, Personal Data committed by its employees, Sub-processors or other Third Parties which concern Personal Data provided by the Controller.
(b) The Processor shall, taking into account the nature of the Processing and the information available, use commercially reasonable efforts to provide the Customer with the information on the Personal Data security incident. It shall include details of the time and nature of the incident, the computer system concerned, the persons concerned, the time of discovery, all conceivable adverse consequences of the Data security incident and the measures taken by the Processor as a result thereof.
(5) Return or Destruction of Personal Data
(a) Upon termination of the Agreement, the Processor shall return or delete all Personal Data (including copies thereof) processed pursuant to this DPA. This provision shall not affect potential statutory duties of the Parties to preserve records for retention periods set by law, statute or contract.
(b) The Processor shall be obligated, upon request by the Controller, to hand over the Controller’s Data in a form that can be read and processed further.
(c) Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement shall be borne by Controller.
(6) Assistance to Controller
(a) To the extent that the required information is available to Processor and the Controller does not otherwise have access to the required information, Processor will provide reasonable assistance to Controller with any Data Protection Impact Assessments, and prior consultations with supervisory authorities or other competent Data privacy authorities.
(b) The Processor shall at all times have in place an officer who is responsible for assisting the Controller (i) in responding to inquiries concerning the commissioned Data Processing, received from Data Subjects; and, (ii) in completing all legal information and disclosure requirements which apply to the Controller and are associated with the commissioned Data Processing. The Data Protection Officer may be contacted directly at firstname.lastname@example.org. The Processor will ensure that this information is up to date at all times.
5. Data Subject requests
(1) The Processor shall provide reasonable assistance to the Controller, by appropriate technical and organizational measures, for the fulfillment of the Controller’s obligation to respond to requests for exercising Data Subjects’ rights.
(2) Mailjet provides specific tools in order to assist customers in replying to requests received from Data Subjects. These include our APIs and interfaces to search event Data, suppressions, and retrieve message content.
(3) In the event that a Data Subject contacts the Processor directly to exercise their rights pursuant to Data Protection Laws, Processor will notify the Customer within 7 days from the receipt of the request. Mailjet shall assist the Customer at the Customer’s cost, by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising such Data Subjects’ rights.
6. Data Transfers
For transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of Data Protection within the meaning of Data Protection Laws of the foregoing territories, to the extent such transfers are subject to Data Protection Laws and Regulations and in order to implement appropriate safeguards, the following safeguards are taken: (i) EU-U.S. Privacy Shield Framework as administered by the U.S. Department of Commerce; and/or (ii) Standard Contractual Clauses as per European Commission’s Decision 2010/87/EU.
7. Sub-Processors
(1) Subcontracting for the purpose of this DPA is to be understood as meaning services which relate directly to the provision of the Agreement. This does not include the following ancillary services, namely telecommunication services, postal or transport services, maintenance and user support tools. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the Data protection and Data security of the Customer’s Data, even in the case of outsourced ancillary services.
(2) The list of companies providing critical and substantial services which relate directly to the provision of the Agreement are detailed in the Schedule 1 up-to-date list of Sub-Processors available here. The Controller expressly agrees to their assignment.
(3) Changes in the list of Sub-Processors are permissible when the Processor provides notice to the Controller of the engagement of further Sub-Processors and the Controller has not objected on reasonable grounds to the planned outsourcing in writing (including via email) within a period of 30 days. Processor shall not appoint that proposed Sub-Processor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken. If the Processor and Controller are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
(4) The Processor ensures that the Sub-Processor’s Processing is carried out under a written agreement imposing on the Sub-Processor at least the same obligations imposed on the Processor under this Agreement. Processor shall control the Sub-Processor’s compliance on a regular basis.
8. Audit rights
(1) Processor shall make available, upon reasonable written request by Controller, information that is reasonably necessary to demonstrate the Customer’s compliance with this DPA.
(2) Controller, or a mandated third party auditor, may upon written request and at least 30 days’ notice to Processor, during regular business hours and without interrupting Processor’s business operations, conduct an inspection of Processor’s business operations to the extent necessary according to Data Protection Laws. Controller shall ensure strict confidentiality.
(3) The Customer shall be responsible for any costs and expenses of Processor arising from the provision of such information and audit rights.
9. Termination of the contract
(1) This DPA will terminate contemporaneously and automatically with the termination of the Agreement.
(2) The Controller can terminate the contractual relationship without notice if the Processor substantially violates this DPA or the regulations of the Data Protection Laws.
10. Final provisions
(1) Insofar as this DPA does not contain any special provisions, the provisions of the Agreement shall apply. In case of contradictions between this DPA and the Service Contract, the provisions of this Agreement take precedence.
(2) In case individual provisions of this Agreement are invalid, this shall not affect the validity of the remainder of the Agreement.
(3) This DPA has been written in several languages. The version that has priority for interpreting this DPA shall be the English language version.
11. Governing law and jurisdiction
(1) The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.