MailPace - Transactional Email Provider and API

Data Processing Agreement

MailPace Data Processing Agreement

Thank you for using MailPace!

MailPace is a European company and our data infrastructure is based in France, covered by the EU’s strong data privacy laws. Processing and storing data in a secure, fair, and transparent way is extremely important to us.

This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service between MailPace and the customer.

If you are accepting this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.

These service terms incorporate the MailPace Data Processing Agreement (“DPA”) when the General Data Protection Regulation (“GDPR”) applies to your use of MailPace services to send transactional emails as defined in the DPA. We protect and secure your transactional email data to the high standards set out in the agreement.


“You” or “customer” refers to the company or organisation that signs up to use MailPace to send transactional emails.

In the course of providing the MailPace service to customer pursuant to the agreement, MailPace may process transactional emails on behalf of customer.

In this Data Processing Agreement (“DPA”), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to processing of transactional emails and privacy that may exist in any relevant jurisdiction.

“data controller”, “data processor”, “data subject”, “personal data” and “processing” shall be interpreted in accordance with applicable Data Protection Legislation.

The parties agree that customer is the data controller and that MailPace is its data processor in relation to transactional email data that is processed in the course of providing the service.

Privacy and security of your Transactional Email data

We take many measures to protect and secure your data through backups, redundancies, and encryption. When you use our service to send transactional emails, MailPace will store data sent to our API and SMTP servers to process transactional emails. You agree that MailPace may process your data as described in our privacy and data policy and for no other purpose.

You own all right, title, and interest to your transactional email data. We obtain no rights from you to your transactional email data.

The group of data subjects affected by the processing of their data under this agreement includes end users of the controller’s services which make use of the service (transactional email processing) provided by the processor.

Organisational and technical security measures

All of the data that we store to process transactional email is kept fully secured, encrypted and hosted in France. This ensures that all of the data is covered by the European Union’s strict laws on data privacy. Your transactional email data never leaves the EU and EU-owned cloud infrastructure, except for actually sending each email, which is sent via SMTP servers based in the UK and on to SMTP servers that are outside of MailPace's control and are located in various global locations depending on the domain emails are being sent to.

For encryption, we use HTTPS in transit and encryption at rest. In addition to this, we use strict firewall rules and private encrypted networking. We keep offsite backups with replication including strong bcrypt passwords.

Processor’s obligations with respect to the controller

MailPace will process transactional email data only in accordance with instructions from customer through the settings of the service, i.e. (a) to operate, maintain and support the infrastructure used to provide the service; (b) to comply with customer’s instructions and processing instructions in their use, management and administration of the service; (c) as otherwise instructed through settings of the service. MailPace will only process data in accordance with the agreement.

MailPace shall notify customer without undue delay if, in MailPace’s opinion, an instruction for the processing of data given by customer infringes applicable Data Protection Legislation.

We as humans can access your data to help you with support requests you make and to maintain and safeguard MailPace to ensure the security of your data and the service as a whole. MailPace shall ensure that all MailPace personnel required to access the transactional email data are trained in GDPR and data privacy, informed of the confidential nature of the data and comply with the obligations set out in this agreement.

MailPace shall implement and maintain appropriate technical and organisational security measures designed to protect the transactional email data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the transactional data and having regard to the nature of the transactional data which is to be protected.

We do work with sub-processors. With each vendor, we assess their commitment to privacy and we sign a data processing agreement with them that includes the controller-processor Standard Contractual Clauses. Any such subcontractors will be permitted to process data only to deliver the services MailPace has retained them to provide, and they shall be prohibited from using data for any other purpose. MailPace shall notify the controller when modifying the list of subprocessors using our email, privacy policy page, and/or blog. The controller is able to legitimately object and may terminate the agreement.

If MailPace becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by MailPace in the course of providing the service, it shall without undue delay (not later than 48 hours after having become aware of it), notify customer by email and provide customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. MailPace shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.

MailPace shall not on its own authority rectify, erase or restrict the processing of transactional email data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance with the data retention rules associated with the controller's subscription plan.

MailPace shall assist the controller in complying with the obligations concerning the security of personal data. MailPace will also provide assistance to the controller for DPIAs. Where a data subject asserts their rights as a data subject, this request will be forwarded to the controller without delay.

How we handle delete instructions

You can choose to delete your account, domain or organisation at any time. We provide simple no-questions-asked deletion links.

All your transactional emails will be permanently deleted immediately when you delete your MailPace account or when you delete your domain or organisation. We cannot recover this information once it has been permanently deleted.

All transactional emails sent or received are retained for a maximum of 35 days. Retained emails are available to view in the dashboard, with all emails auto-deleted and removed from the dashboard after 30 days, and removed from backups 5 days later.

Customer undertakings and MailPace assistance

Customer warrants that it has all necessary rights to provide to MailPace any data used for processing emails in connection with the provision of the MailPace Services.

Customer shall comply at all times with Data Protection Legislation in respect of all data it provided to MailPace pursuant to the Agreement.

Customer understands, as a controller, that it is responsible (as between customer and MailPace) for:

Liability and Indemnity

Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

Duration and Termination

The DPA is effective as of October 11th, 2022 and replaces and supersedes any previously agreed data processing agreement between you and MailPace relating to the GDPR.

Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.

Are customers required to sign the MailPace DPA?

In order to use our products and services, you need to accept our DPA. By using our product you are agreeing to our terms of service, and you are automatically accepting our DPA and do not need to sign a separate document. We provide the same privacy rights and protection to all customers.

Can a customer share the MailPace DPA with its customers?

Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.

Do customers need to notify anyone upon accepting our DPA?

No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.

Contact Us

If you have a question about this Data Processing Agreement (DPA) or if you have any questions or concerns regarding your information and personal data, please contact us at support@mailpace.com.

Last updated: October 12th, 2022