Data Processing Agreement (DPA)

Last updated: 18.12.2025

GDPR Compliant

This Data Processing Agreement (DPA) pursuant to Art. 28 GDPR governs the processing of personal data by Mailaura on behalf of our customers.

Contracting Parties

Controller (Client)

The customer using Mailaura who has personal data (e.g., email addresses of newsletter subscribers) processed on their behalf.

Processor

AdSimple GmbH

Fabriksgasse 20

2230 Gänserndorf, Österreich

VAT ID: ATU72856279

Subject Matter of Processing

The processor processes personal data on behalf of the controller in the course of the following activities:

  • Storage and management of newsletter subscribers
  • Sending email campaigns and automated emails
  • Collection of open and click statistics
  • Segmentation and analysis of subscriber data
  • Provision of reporting and analytics

Categories of Data

Data Subjects

Newsletter subscribers and contacts of the controller

Types of Personal Data

  • Email addresses
  • Names (first and last name)
  • Custom fields (e.g., company, phone)
  • Interaction data (opens, clicks, timestamps)
  • Technical data (IP address, device type, email client)

Obligations of the Processor

The processor commits to:

  • Process personal data only on documented instructions from the controller
  • Ensure all persons with data access are bound to confidentiality
  • Implement appropriate technical and organizational measures to protect data
  • Only use sub-processors with the controller's authorization
  • Assist the controller in fulfilling obligations towards data subjects
  • Delete or return all data after termination of processing services
  • Make available all information necessary to demonstrate compliance

Sub-Processors

The processor uses the following sub-processors. The controller consents to their use:

Amazon Web Services EMEA SARL

Location: Frankfurt, Germany (eu-central-1)

Purpose: Email delivery (Amazon SES), data storage (S3)

Vercel Inc.

Location: Frankfurt, Germany

Purpose: Web application hosting

Neon Inc.

Location: Frankfurt, Germany

Purpose: Database hosting (PostgreSQL)

Stripe Payments Europe Ltd.

Location: Dublin, Ireland

Purpose: Payment processing

Upstash Inc.

Location: Frankfurt, Germany

Purpose: Caching and rate limiting (Redis)

Technical and Organizational Measures

The processor has implemented the following measures:

Encryption

TLS 1.3 for data transmission, AES-256 for stored data

Access Control

Role-based access rights, 2FA for admin access

Data Backup

Daily automated backups with 30-day retention

Monitoring

24/7 system monitoring, audit logs for all data access

Support for Data Subject Rights

The processor assists the controller in fulfilling data subject rights (access, rectification, erasure, restriction, portability, objection). Data subjects can contact the controller directly.

Duration and Termination

This DPA applies for the duration of the controller's use of Mailaura.

After termination, all personal data will be deleted within 30 days, unless legal retention requirements apply. The controller may request an export beforehand.

Governing Law

This DPA is governed by Austrian law. Place of jurisdiction is Korneuburg, Austria. The General Data Protection Regulation (GDPR) of the European Union applies.

Request DPA as PDF

For a signed version, please contact us

Contact for Data Protection

For questions about data processing or privacy, contact us at:

datenschutz@mailaura.io