1. Parties
This Data Processing Agreement (“DPA”) is between you (“Customer” or “Controller”) and Technologia FZE, operating the SecureSMTP Service (“Processor” or “we”). It is incorporated into and supplements the Terms of Service.
It addresses our obligations under Article 28 of the EU/UK GDPR, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), and equivalent legislation, to the extent applicable to your use of the Service.
2. Subject matter & duration
Subject matter. Processing of personal data by Processor on behalf of Customer in connection with the Service.
Duration. This DPA remains in effect as long as Customer uses the Service. Sections governing confidentiality, audit, and data return survive termination.
3. Nature & purpose of processing
Nature. Receipt, routing, abuse scanning, and delivery of email messages and form submissions; storage and display of related metadata in the SecureSMTP dashboard; provision of customer support.
Purpose. To provide the Service to Customer.
Types of personal data processed. Email addresses, names, IP addresses, content of relayed emails (subject and body), form-submission content, technical metadata.
Categories of data subjects. Customer’s end users, email recipients, form submitters, and Customer’s employees who administer the Service.
4. Obligations
Customer obligations. Customer:
- Acts as Controller of the personal data and complies with applicable data protection laws.
- Has a valid legal basis for transmitting each category of personal data through the Service.
- Issues lawful, documented processing instructions to Processor. The Terms, this DPA, and Customer’s use of the Service constitute the documented instructions.
- Is responsible for accuracy of data submitted, lawful collection of recipients’ consent where required, and honouring data-subject rights.
Processor obligations. Processor will:
- Process personal data only on Customer’s documented instructions.
- Notify Customer if it believes an instruction violates applicable law.
- Implement appropriate technical and organizational measures (see Section 6).
- Assist Customer with data-subject requests, impact assessments, and consultations with supervisory authorities, taking into account the nature of processing and information available to Processor.
5. Confidentiality of personnel
Processor ensures that personnel authorized to process personal data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
6. Security measures
Processor maintains the technical and organizational measures described in Section 9 of the Privacy Policy, including:
- Encryption in transit (TLS 1.2+) and at rest.
- Role-based access controls and least-privilege provisioning.
- Logging of authentication and administrative events.
- Network segregation and firewall controls.
- Personnel training on data protection.
7. Subprocessors
Customer authorizes Processor to engage the subprocessors listed in the Privacy Policy, Section 5:
- Stripe, Inc. (billing)
- Resend (email delivery infrastructure)
- Anthropic, PBC (AI abuse classification)
- Google LLC (OAuth sign-in only)
- Cloudflare, Inc. (DNS / bot protection)
- Hostinger International Ltd. (VPS hosting)
- PostgreSQL (self-hosted on the VPS above)
Processor remains liable for the acts and omissions of subprocessors. Processor will notify Customer at least 30 days before engaging a new subprocessor or replacing an existing one. Customer may object on reasonable data-protection grounds; if Customer objects, the parties will negotiate in good faith or Customer may terminate the affected portion of the Service.
8. Data subject rights assistance
Processor will, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures (insofar as possible) for the fulfilment of Customer’s obligation to respond to data subject requests for access, rectification, erasure, restriction, portability, and objection.
9. Personal data breach notification
Processor will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting Customer’s personal data. Notification will include the information required to allow Customer to comply with its own breach-notification obligations.
10. Audit rights
Customer may verify Processor’s compliance with this DPA by:
- Reviewing Processor’s most recent third-party audit reports or certifications (when available).
- Submitting written questionnaires, which Processor will answer within 30 days.
An on-site audit may be conducted by mutual agreement no more than once every 12 months, on reasonable advance notice, during business hours, in a way that does not unreasonably interfere with Processor’s operations or the privacy of other customers. Customer bears all reasonable costs.
11. International transfers
Personal data may be transferred from the UAE to the United States, Ireland, Singapore, or other jurisdictions where Processor’s subprocessors operate. Where required by applicable law (e.g. GDPR Article 46), such transfers are subject to the EU Standard Contractual Clauses (Commission Decision 2021/914) or equivalent safeguards, which are incorporated into this DPA by reference and which Processor will sign on request.
12. Return or deletion of data
On termination of the Service, Processor will, at Customer’s choice, return or delete all personal data held on Customer’s behalf within 30 days, except to the extent retention is required by applicable law (e.g. UAE tax records, billing records).
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Where joint liability is allocated by a supervisory authority or court, each party is liable in proportion to its responsibility for the relevant harm.
14. How this DPA applies
This DPA is automatically incorporated into the Terms for customers on Business and Enterprise plans. Customers on Free, Starter, or Pro plans who require an executed DPA may request one by emailing support@securessmtp.com; we will sign or counter-sign within 10 business days.
Governing law. UAE federal law, consistent with the Terms of Service.
Contact. support@securessmtp.com