Security & Data Protection

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of our Terms of Service and governs the processing of personal data by CalimaticMail on behalf of our customers ("Data Controllers").

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data
• Data Controller: The entity that determines the purposes and means of processing
• Data Processor: CalimaticMail, processing data on behalf of the Controller

3. Processing Instructions

CalimaticMail will only process personal data in accordance with documented instructions from the Data Controller, unless required by law. Processing activities include:

• Storing and transmitting email messages
• Processing email metadata for delivery and analytics
• Backup and disaster recovery operations
• Security scanning and spam filtering

4. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data at rest and in transit
• Ensuring ongoing confidentiality, integrity, and availability
• Regular testing and evaluation of security measures
• Incident response and disaster recovery procedures

5. Sub-processors

We may engage sub-processors to assist in providing our services. We maintain a list of current sub-processors and will notify you of any changes. Current sub-processors include:

• Cloud infrastructure providers
• Payment processors
• Customer support tools

6. Data Subject Rights

We will assist you in responding to data subject requests, including:

• Access to personal data
• Rectification of inaccurate data
• Erasure of personal data
• Data portability
• Objection to processing

7. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay (within 72 hours) and provide all necessary information to comply with your notification obligations.

8. Data Deletion

Upon termination of services, we will delete or return all personal data within 30 days, unless retention is required by law.

9. Audit Rights

Upon reasonable notice, we will make available information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or an appointed auditor.

10. International Transfers

For transfers of personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable