Skip to content
PowerMTA Experts

Legal

Data processing addendum

This addendum applies whenever we process personal data on your behalf during an engagement — for example while operating or auditing your mail infrastructure. It sets out our obligations as a processor under the GDPR and equivalent laws, and forms part of the agreement between us.

Last updated: [effective date]

Roles

For personal data you entrust to us in an engagement, you are the controller and we, [Legal entity name], are the processor acting on your instructions. This addendum governs that processing. It is separate from our privacy notice, which covers data we control as a business — such as your contact details when you enquire.

Subject matter, duration, nature and purpose

We process personal data only to provide the agreed services for the duration of the engagement and any agreed wind-down. The nature of the processing is whatever the work requires — for instance handling sending logs, suppression and recipient data while operating, migrating or auditing a mail system. The specific categories of data and data subjects are described in the engagement’s schedule: [Annex: categories of personal data and data subjects].

Our obligations as processor

  • Instructions. We process the personal data only on your documented instructions, including for transfers, unless the law requires otherwise — in which case we tell you first, where permitted.
  • Confidentiality. Everyone we authorise to process the data is bound by a duty of confidentiality.
  • Security. We apply appropriate technical and organisational measures under Article 32 — encryption in transit, least-privilege access, and the infrastructure discipline we bring to all our work — proportionate to the risk.
  • Sub-processors. We engage sub-processors only with your general written authorisation, keep a current list on our sub-processors page, impose equivalent data-protection terms on them, and remain responsible for their performance. We give you notice of any intended change so you can object.
  • Assistance. Taking the nature of the processing into account, we help you respond to data-subject requests and meet your obligations on security, breach notification and impact assessments (Articles 32–36).
  • Breach notification. We notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own duties.
  • Return or deletion. At the end of the engagement we delete or return the personal data at your choice, and delete existing copies unless the law requires us to keep them.
  • Audits. We make available the information needed to show compliance with this addendum and allow for and contribute to audits, including inspections, on reasonable notice and subject to confidentiality.

International transfers

Where providing the service involves transferring personal data outside the European Economic Area, we do so only on your instructions and with a lawful transfer mechanism — an adequacy decision or appropriate safeguards such as the Standard Contractual Clauses, which are incorporated by reference where they apply.

Liability and precedence

Liability under this addendum is subject to the limitations in the engagement agreement. If this addendum conflicts with that agreement on data protection, this addendum prevails; on all other matters, the agreement prevails. Terms not defined here have the meaning given in the GDPR.

How this is agreed

This page is the standing text of our addendum. For an engagement it is executed as part of, or alongside, the written agreement, with the data categories and any client-specific terms completed in the schedule. [This is a template; have it reviewed and completed by qualified counsel before relying on it.]

Contact

For data-processing questions, write to [email protected].