Data Processing Agreement (DPA)

Last updated: May 21, 2026

This Data Processing Agreement ("DPA") forms part of the contract between Smailor / Victor André EI ("Processor") and the customer ("Controller") who uses the Smailor service, and governs the processing of personal data by the Processor on behalf of the Controller, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

By using the Smailor service, the Controller accepts the terms of this DPA. A signed version may be requested at [email protected] for enterprise or compliance purposes.


1. Definitions

Term | Meaning
Personal data | Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
Processing | Any operation performed on personal data, as defined in GDPR Art. 4(2).
Controller | The customer who determines the purposes and means of processing.
Processor | Smailor / Victor André EI, who processes data on behalf of the Controller.
Sub-processor | A third party engaged by the Processor to process personal data on the Controller's behalf.
Data subject | The individual to whom personal data relates (e.g. your end users, customers).

2. Subject matter and scope

The Processor shall process personal data on behalf of the Controller solely for the purposes of providing the Smailor service as described in the Terms of Service and as instructed by the Controller.

Nature of processing: Hosting, storage, transmission, routing, and display of customer support emails, attachments, and associated metadata.

Categories of data subjects: End users and customers of the Controller who send or receive email through the Smailor service.

Categories of personal data: Email addresses, names, message content, attachments, IP addresses (where present in email headers), and any other personal data contained in the emails processed through the service.

Duration: For the term of the Controller's subscription and for such retention periods as are set out in the Privacy Policy or required by law, whichever is longer.


3. Obligations of the Processor

The Processor shall:

3.1 Process only on documented instructions from the Controller, including with regard to transfers outside the EEA. The terms of this DPA and the Terms of Service constitute the Controller's documented instructions. If the Processor is required by EU/Member State law to process data otherwise, the Processor shall inform the Controller before processing unless prohibited by law.

3.2 Ensure confidentiality: Persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Art. 28(3)(b)).

3.3 Implement appropriate technical and organisational security measures in accordance with GDPR Art. 32, including as described in Section 7 of this DPA.

3.4 Sub-processor controls: Not engage a new sub-processor without giving the Controller reasonable opportunity to object (see Section 5). Where the Processor engages sub-processors, it shall impose the same data protection obligations on them by contract.

3.5 Assist the Controller with responding to data subject requests and with the Controller's obligations under GDPR Arts. 32–36 (security, breach notification, impact assessments), taking into account the nature of processing and the information available to the Processor, as described in Section 6.

3.6 Delete or return all personal data to the Controller at the choice of the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.

3.7 Make available all information necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable notice and appropriate confidentiality protections.


4. Obligations of the Controller

The Controller shall:

4.1 Ensure it has a lawful basis for processing and any required consents or notices for the personal data it submits to the service.

4.2 Ensure that data subjects have been informed of the processing, including that Smailor acts as a processor.

4.3 Provide the Processor with complete and accurate instructions and promptly inform the Processor if instructions change.

4.4 Be responsible for the accuracy, quality, and legality of personal data submitted to the service.

4.5 Ensure that the personal data submitted is limited to what is necessary for the purposes of the service (data minimisation).


5. Sub-processors

The Controller authorises the Processor to use the following sub-processors, subject to the obligations in Section 3.4:

Sub-processor | Purpose | Location | Transfer mechanism
Hetzner Online GmbH | Servers, storage, networking | 🇩🇪 Germany / 🇫🇮 Finland (EU) | Within EEA — no transfer
Mollie B.V. | Payment processing (billing data only) | 🇳🇱 Netherlands (EU entity) | Within EEA
Cloudflare, Inc. | DNS, CDN, bot protection (Turnstile) | 🇺🇸 USA | Standard Contractual Clauses (SCCs)
Qwen 2.5 1.5B (self-hosted) | AI triage and drafting features — runs on Processor's own Hetzner infrastructure | 🇩🇪 Germany (EU) | Within EEA — no transfer, no third party

The Processor shall notify the Controller at least 14 days in advance of any intended addition or replacement of sub-processors by posting the updated list at smailor.com/trust and (where possible) by email. The Controller may object within that period on reasonable grounds related to data protection by contacting [email protected]. If the parties cannot resolve the objection, the Controller may terminate the relevant services without penalty.


6. Data subject rights and Controller assistance

When the Processor receives a request from a data subject exercising rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection), the Processor shall:

  • Promptly forward the request to the Controller (within 5 business days); and
  • Assist the Controller in fulfilling the request, to the extent technically feasible within the service.

For data breaches affecting personal data processed under this DPA: the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a breach, providing all information available at the time. Further information shall be provided as it becomes available. The Controller is responsible for notifying the relevant supervisory authority and data subjects as required by GDPR.


7. Technical and organisational security measures (GDPR Art. 32)

The Processor implements and maintains the following measures, appropriate to the risk:

7.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS for web, STARTTLS for SMTP).
  • Storage volumes are encrypted at rest by Hetzner's infrastructure layer.
  • DKIM keys (RSA-2048) are stored securely and rotated on request.

7.2 Access controls

  • Authentication via strong password (bcrypt-hashed) or OAuth (Google, Discord).
  • Role-based access controls within workspaces.
  • Session tokens are short-lived and invalidated on logout or security events.
  • Administrative access to production systems is limited to the data controller (Victor André).

7.3 Availability and resilience

  • Infrastructure hosted on Hetzner with standard availability SLAs.
  • Regular automated backups. Backup restoration is tested periodically.
  • Rate limiting and abuse controls to protect service availability.

7.4 Monitoring and incident response

  • Security events and login anomalies are logged and monitored.
  • Logs are retained for up to 24 months unless a longer period is required by law.
  • Security incidents trigger the breach notification procedure in Section 6.

7.5 Organisational measures

  • All persons with access to personal data are bound by confidentiality.
  • Sub-processors are assessed before engagement and bound by equivalent obligations (Section 5).

8. International transfers

Transfers of personal data outside the European Economic Area (EEA) are made only to sub-processors listed in Section 5 with appropriate transfer mechanisms in place (Standard Contractual Clauses, adequacy decision, or equivalent). No ad-hoc transfers of Controller data outside the EEA are made without the Controller's prior instruction.


9. Audits

The Controller may, with reasonable advance notice (at least 15 business days) and no more than once per calendar year (unless required by a supervisory authority), request an audit of the Processor's data processing activities related to this DPA. Audits shall be conducted at the Controller's cost, during business hours, and subject to a confidentiality agreement. The Processor may satisfy audit requirements by providing up-to-date compliance documentation (e.g. sub-processor DPAs, security policy summaries) in lieu of an on-site visit where this adequately addresses the Controller's concerns.


10. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits liability for matters that cannot be excluded under GDPR or applicable law (e.g. supervisory fines remain the responsibility of the party at fault).


11. Termination and data deletion

Upon termination of the service agreement or at the Controller's written request:

  • The Processor shall cease processing and delete or return all personal data within 30 days, except where retention is required by applicable law.
  • Anonymised, aggregated, or de-identified data not relating to the Controller may be retained.
  • The Processor shall provide a written confirmation of deletion upon request.

12. Governing law

This DPA is governed by the laws of France and, where applicable, EU law (including the GDPR). Disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.


13. Contact

For DPA-related requests, data subject rights, or security matters:

See the Legal Notice for postal and registration details.