Data Processing Agreement

Last updated: January 16, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Perelman Services Private Limited ("Data Processor" or "we") and you ("Data Controller" or "you") for the provision of email infrastructure services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Protection Laws" means GDPR, CCPA, and other applicable data protection regulations.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by StackMail on behalf of the Data Controller in connection with the provision of our Services. We process Personal Data only for the purposes of providing the Services as described in our Terms of Service and Privacy Policy.

3. Data Controller Obligations

As the Data Controller, you are responsible for:

  • Ensuring you have a lawful basis for Processing Personal Data
  • Providing appropriate notices to Data Subjects
  • Obtaining necessary consents where required
  • Ensuring the accuracy of Personal Data provided to us
  • Responding to Data Subject requests

4. Data Processor Obligations

As the Data Processor, we shall:

  • Process Personal Data only on your documented instructions
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject requests
  • Assist you with data protection impact assessments where required
  • Delete or return all Personal Data upon termination of Services
  • Make available information necessary to demonstrate compliance

5. Security Measures

We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security testing and assessments
  • Incident response and breach notification procedures
  • Employee training on data protection
  • Physical security of data centers

6. Sub-processors

You authorize us to engage the following categories of Sub-processors:

  • Cloud hosting providers (AWS, Google Cloud)
  • Payment processors (Stripe, Razorpay)
  • Email service providers (Google Workspace, Microsoft 365)
  • Analytics providers
  • Customer support tools

We will notify you of any intended changes to Sub-processors and give you the opportunity to object. A current list of Sub-processors is available upon request.

7. International Transfers

Personal Data may be transferred to countries outside the European Economic Area (EEA). We ensure appropriate safeguards for such transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by relevant authorities
  • Other legally recognized transfer mechanisms

8. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (within 72 hours where feasible)
  • Provide information about the nature of the breach
  • Describe likely consequences of the breach
  • Describe measures taken or proposed to address the breach
  • Cooperate with your investigation and reporting obligations

9. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests for:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure of Personal Data
  • Restriction of Processing
  • Data portability
  • Objection to Processing

10. Audit Rights

You have the right to audit our compliance with this DPA. We will make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by you or an auditor mandated by you.

11. Term and Termination

This DPA shall remain in effect for the duration of our provision of Services. Upon termination, we will delete or return all Personal Data within 30 days, unless retention is required by applicable law.

12. Contact Information

For questions about this DPA or to exercise your rights, please contact:

Data Protection Officer: dpo@stackmail.io
Address: Perelman Services Private Limited, Maharashtra, India