Data Processing Addendum (DPA)
1) Scope & Roles
This DPA applies to Is My Mail Read’s processing of personal data on behalf of Customer in connection with the provision of the Service available at https://ismymailread.com. Customer acts as Controller/Business; Is My Mail Read acts as Processor/Service Provider.
2) Definitions
Terms have the meanings given by applicable data protection laws (e.g., GDPR/UK GDPR, ePrivacy, CCPA/CPRA). “Customer Data” means personal data submitted to or collected by the Service on Customer’s behalf.
3) Processing on Instructions
Processor will process Customer Data solely: (a) to provide, secure, and support the Service; (b) per documented instructions from Customer (Agreement, admin settings, API requests); and (c) as required by law. Processor will promptly notify Customer if instructions infringe applicable law, where legally permitted.
4) Security Measures
Processor applies appropriate technical and organizational measures, including: encryption in transit, Argon2id password hashing, access control and least privilege, logging/monitoring, vulnerability management, and backups/restore testing. See our Security Statement for details.
5) Subprocessors
Customer authorizes use of subprocessors to support the Service. Processor will impose data protection obligations at least as protective as those in this DPA and will maintain a public list at /subprocessors. Customer may subscribe to change notifications and may object on reasonable grounds; Processor may propose commercially reasonable alternatives.
6) International Transfers
Where Processor transfers personal data internationally, it will implement appropriate safeguards (e.g., EU Standard Contractual Clauses, UK Addendum) and additional measures as required.
7) Data Subject Requests
Taking into account the nature of processing, Processor will assist Customer with data subject requests (access, deletion, correction, portability, objection/restriction) by providing available tools and reasonable cooperation. Requests may be initiated via privacy@ismymailread.com.
8) Incident Notification
Processor will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data and will provide information to support compliance obligations, subject to ongoing investigation. Security contact: security@ismymailread.com.
9) Audit & Assistance
Upon reasonable written request, Processor will make available information necessary to demonstrate compliance with this DPA and applicable law and allow for audits conducted by Customer or an independent auditor, subject to confidentiality, frequency, and cost allocation.
10) Deletion & Return
Upon termination or on documented request, Processor will delete or return Customer Data, unless retention is required by law. Deletion timelines align with the Data Retention & Deletion Policy.
11) CCPA/CPRA Service Provider Terms
Processor will not sell or share Customer Data (as defined by CCPA/CPRA), will process solely to provide the Service, will not combine Customer Data with personal information from other sources except as permitted, and will support Customer’s consumer requests handling.
12) Miscellaneous
Precedence: If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict with respect to processing of Customer Data. Changes: We may update this DPA; material updates will be communicated. Contact: privacy@ismymailread.com.
Related: Privacy Policy • Terms • Security • Subprocessors • Retention