Data Processing Agreement (DPA) – MailFred

This Data Processing Agreement governs the processing of Personal Data by the Processor on behalf of the Controller in accordance with GDPR requirements.

Controller

The Client using MailFred's services

Processor

Modern Business Workers V.O.F., operating MailFred

This Data Processing Agreement ("DPA") is incorporated into the MailFred Terms of Service ("Agreement") and governs the processing of Personal Data by the Processor on behalf of the Controller.

Controller: The Client using MailFred's services.

Processor: Modern Business Workers V.O.F., operating MailFred.

1. Definitions

Terms such as "Personal Data," "Data Subject," "Processing," "Controller," and "Processor" shall have the meanings ascribed to them in Article 4 of the GDPR.

2. Subject Matter and Details of Processing

The details of the processing activities, including subject matter, duration, purpose, and data types, are specified in Annex I of this DPA.

3. Obligations of the Processor (MailFred)

3.1. Instructions

Processor shall only process Personal Data on the documented instructions of the Controller. Instructions may be provided via email, shared documents, or during onboarding calls.

3.2. Confidentiality

Processor shall ensure that all personnel authorized to process the Personal Data are bound by a strict duty of confidentiality.

3.3. Security

Processor shall implement and maintain the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex II.

3.4. Subprocessors

Controller provides a general written authorization for Processor to engage the subprocessors listed in Annex III. Processor shall inform Controller of any intended changes to this list, thereby giving Controller the opportunity to object.

3.5. Data Subject Rights

Processor shall, to the extent legally permitted, provide prompt assistance to the Controller to enable the Controller to respond to requests from Data Subjects exercising their rights under GDPR.

3.6. Breach Notification

Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data.

3.7. Data Deletion or Return

Upon termination of the Agreement and at the Controller's written request, Processor shall delete or return all Personal Data to the Controller within thirty (30) days, unless required by law to retain it.

3.8. Audits and Inspections

Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR. Processor shall allow for and contribute to audits conducted by the Controller or a mandated auditor, upon reasonable notice and at the Controller's expense, ensuring minimal disruption to Processor's business operations.

4. Obligations of the Controller (Client)

Controller represents and warrants that it has a valid legal basis for the processing of all Personal Data provided to or sourced by the Processor and that its instructions comply with all applicable data protection laws.

5. Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions set forth in the "Limitation of Liability" section of the main Agreement (Terms of Service).

6. Governing Law and Jurisdiction

This DPA shall be governed by Dutch law. Any disputes shall be resolved in the courts of Amsterdam, the Netherlands.

ANNEX I: DETAILS OF PROCESSING

Subject Matter:

B2B cold email outreach services.

Duration of Processing:

The term of the main Agreement.

Nature and Purpose of Processing:

Scraping, verification, personalization, and campaign management for B2B outreach on behalf of the Controller.

Categories of Data Subjects:

Business professionals identified by the Controller as potential customers or partners.

Types of Personal Data:

Professional contact details, including but not limited to Name, Title, Company Name, Business Email Address, and LinkedIn profile URL.

Special Categories of Data:

None are to be processed under this DPA.

ANNEX II: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Processor implements the following measures to protect Personal Data:

Encryption:

Sensitive client data is encrypted in database and all data transmission is secured over TLS.

Access Control:

• Strict role-based access control is enforced to ensure personnel can only access data necessary for their role and for the specific client they are assigned to.
• Two-factor authentication (2FA) is mandatory for all internal systems containing Personal Data.

Personnel Security:

• All personnel are subject to contractual confidentiality obligations.
• Personnel are instructed on their data protection responsibilities.
• Strict password policies, including complexity requirements and regular forced resets, are enforced.
• Formal offboarding procedures are in place to immediately revoke all system access upon termination of employment.

Physical Security:

Office premises are locked and secured against unauthorized physical access.

Incident Response:

A plan is in place to detect, respond to, and report on security incidents and potential data breaches in a timely manner.

ANNEX III: LIST OF SUBPROCESSORS

As of the date of this DPA, Processor is authorized to use the following subprocessors:

OpenAI, L.L.C.

Purpose: AI Content Generation for Outreach
Country of Processing: USA

Google, LLC

Purpose: Workspace for Email & Calendar Infrastructure
Country of Processing: USA / Global

Supabase, Inc.

Purpose: Backend Database & Infrastructure
Country of Processing: Sweden (Stockholm)

Hetzner Online GmbH

Purpose: Virtual Private Server Infrastructure
Country of Processing: Germany (Falkenstein)

Neon.tech

Purpose: Database Services
Country of Processing: Germany (AWS Frankfurt)