Mailvelope Data Processing Agreement (DPA)

Last modified: March 24, 2022

This DPA, as defined below, forms part of the Contract for Services under the Mailvelope Business Terms (the “Principal Agreement”), between a Mailvelope Customer (the “Customer”, or the “(Data) Controller”) and Mailvelope GmbH (“Mailvelope”, or the “(Data) Processor”) (together as the “Parties”)

This DPA is an amendment to the Principal Agreement and this DPA, as well as any modification herereto is effective upon its incorporation to the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this DPA will form a part of the Principal Agreement. The term of this DPA is the same as the term of the Principal Agreeement.


(A) The Customer acts as a Data Controller.

(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data on its behalf, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.


1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1 DPA means this Data Processing Agreement and all Schedules;

1.1.2 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8 “Data Transfer” means disclosing Customer Personal Data or otherwise making Customer Personal Data, subject to this DPA, available to another Controller, joint controller or Processor;

1.1.9 “Services” means the services Mailvelope provides. The data processing performed by the Data Processor on behalf of the Controller relates to the services of credentials and password management. The data processing details and procedure can be found in the Mailvelope Privacy Policy at

1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3 This DPA shall be read and interpreted in the light of the provisions of the GDPR. It shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the data subjects.

2. Description of the Processing

2.1 The subject matter, duration, nature and purpose of the Processing as well as the type of Personal Data and categories of Data Subjects are set out in Schedule 1 (Details of Processing).

The Processor shall not process sensitive data, as defined in Articles 9 and 10 of the GDPR, unless the Customer gives clear and documented additional instructions. In this case, the Customer shall specify to the Processor which specific limitations and/or additional safeguards are to be applied to the processing of these categories of data and the Processor shall be free to accept them or not and, if applicable, to accept them at an additional cost.

3. Instructions and purpose

3.1 Processor

The Controller confirms that it has assessed, established and documented, based on information exchanged and the Processor's expert knowledge, reliability, resources and reputation, that the Processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of the GDPR.

3.2 Documented instructions

3.2.1 The Processor shall Process the Personal Data in accordance with the documented instructions of the Controller, including as described in the Principal Agreement and this DPA, and only for the specific purpose(s) of the Processing, as set out in Schedule 1 (Details of Processing), unless it receives further instructions from the Controller. The Controller confirms that the Processor's obligations under the Principal Agreement and this DPA constitute instructions to be followed by the Processor.

3.2.2 Any further instructions to Process Personal Data may be sent by email by the Controller to the authorised representative of the Processor at contact details provided by the Processor or making use of the contact details as set out in Section 13.2 of this DPA.

Notwithstanding 3.2.1 above, the Processor may also Process and/or transfer Personal Data as required by applicable EU or EU Member State law. In case of such requirement of EU or EU Member State law, the Processor shall inform the Controller of that legal requirement before Processing the Personal Data, unless that law prohibits such information to be provided to the Controller on important grounds of public interest.

3.3 Controller's obligations

3.3.1 The Controller warrants and guarantees that (i) it has lawfully obtained the Personal Data, (ii) the Processing of the Personal Data by the Processor is lawful and has specific purpose, (iii) any required notices have been made and (iv) consent has been obtained (where applicable) or there is another appropriate lawful Processing ground enabling (a) the Controller to transfer the Personal Data to the Processor and the Processor to receive the Personal Data from the Controller and (b) the Processor to lawfully Process the Personal Data.

3.3.2 The Controller shall inform the Processor as to the risk involved in the Processing and as to any other circumstance the Processor should reasonably be informed about in order to comply with this DPA.

3.4 Compliance with Data Protection Laws

In the course of the provision of the Services and the resulting Processing of Personal Data, the Parties shall comply with all Data Protection Laws as applicable to each Party respectively.

4. Security

4.1 The Processor shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors or those of any Contracted Processor, who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of implementing, managing and monitoring of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.2 The Processor shall implement technical and organisational measures, to ensure the security of Customer Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). The Processor will use reasonable efforts to ensure an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects. The measures shall also aim at preventing unnecessary collection and further Processing of Personal Data.

4.3 The Processor shall obtain the Controller's approval before making any material changes to its technical and organisational security measures. The Controller shall not unreasonably withhold approval for such changes.

4.4 In order to maintain an appropriate level of security as described in Section 4.1 above, the Processor shall perform regular security checks and implement updates where required.

Taking into account the nature of the Processing, the Processor shall provide the Controller with reasonable assistance in relation to the Controller's obligation to adopt adequate technical and organisational security measures.

5. Subprocessing

5.1 Controller's authorisation

5.1.1 The Processor has the Controller’s general authorisation for the engagement of Contracted Processors from the list in Schedule 2 (Approved Contracted Processors).

5.1.2 The Controller is deemed to have authorised in writing the Processing of Personal Data by the Contracted Processors as listed in Schedule 2 (Approved Contracted Processors).

5.1.3 The Processor shall notify the Controller in writing of any intended changes of that list through the addition or replacement of other Contracted Processors at least 15 days in advance, thereby giving the Controller the opportunity to object to such changes prior to the engagement of the concerned Contracted Processor. Objections by the Controller must be accompanied by a written justification, e.g. demonstrating that a Contracted Processor cannot ensure adequate protection of the Personal Data. If, within 10 Business Days of receipt of this notice, the Controller has not provided any reasonable objection to the intended change, the Controller is deemed to have authorised the intended change. The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object. In the event of an objection by the Controller, based on legitimate reasons with regard to the protection of the Personal Data, having as a consequence that the Processor is no longer in a position to provide its services, the Processor will have the right to terminate the Principal Agreement, without indemnity, other notice or the prior intervention of a judge.

5.1.4 The Processor shall remain fully and unconditionally liable to the Controller for the performance of the Contracted Processor's obligations in accordance with the latter's contract with the Processor. The Processor shall notify the Controller of any failure by the Contracted Processor to fulfil its contractual obligations.

5.1.5 The Processor shall maintain a list of Contracted Processors including, to the extent reasonably possible, their respective locations, activities and the safeguards implemented by them. Such information is also included in Schedule 2 (Approved Contracted Processors).

5.2 Contract with Contracted Processor

5.2.1 The Processor shall impose on all Contracted Processors written data protection obligations that offer at least the same protection of Personal Data as the data protection obligations to which the Processor is bound on the basis of the Principal Agreement and this DPA. The Processor shall ensure that the Contracted Processor complies with the obligations to which the Processor is subject pursuant to this DPA and the GDPR. At the Controller's request, the Processor shall provide the Controller with a copy of any written agreement entered into by the Processor with a Contracted Processor and any subsequent amendments. To the extent necessary to protect business secret, commercial terms or other confidential information, including Personal Data, Processor may redact the text of the agreement prior to sharing the copy.

6. Data Subject rights requests

6.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 In the event where a Data Subject submits a request to exercise any of its Data Subject rights to the Processor, the Processor shall:

6.2.1 promptly notify the Customer; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer.

7. Personal Data Breach

7.1 The Processor shall notify the Customer without undue delay and in any case within fourty-eight (48) hours after becoming aware thereof of a Personal Data Breach affecting Customer Personal Data. Such notification shall contain, at least:

(a) a description of the nature of the Data Protection Breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);

(b) the details of a contact point where more information concerning the Personal Data Breach can be obtained;

(c) its likely consequences and the measures taken or proposed to be taken to address the Data Protection Breach, including to mitigate its possible adverse effects.

7.2 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

7.3 The Processor shall cooperate with the Customer and take commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach as well as notification of the Personal Data Breach to the Supervising Authority and/or the communication of the Personal Data Breach to the Data Subjects concerned.

8. Other assistance to the Controller

8.1 The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to the Processor and, if applicable, the Contracted Processors.

8.2 The Processor shall furthermore assist the Controller in ensuring compliance with the obligation to ensure that Customer Personal Data is accurate and up to date, by informing the Controller without delay if Processor becomes aware that the Customer Personal Data it is Processing is inaccurate or has become outdated.

9. Documentation, compliance and audit rights

9.1 The Parties shall be able to demonstrate compliance with this DPA.

9.2 The Processor shall make available to the Customer on request all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from the GDPR, which may include relevant portions of the Processor's record of processing activities, and shall allow for and contribute to audits, including inspections, in relation to the Processing of the Customer Personal Data covered by this DPA, including by the Contracted Processors, at reasonable intervals - within the limit of one audit every two years, or if there are tangible indications of non-compliance.

9.3 Information and audit rights of the Controller only arise under Section 9.2to the extent that the DPA does not otherwise give the information and audit rights meeting the relevant requirements of Data Protection Law. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor.

The Customer may decide to carry out the audit itself or appoint an independent auditor. In the latter case, the Customer shall, prior to the audit request:

a) notify the proposed independent auditor to the Processor, which may within one (1) calendar week object to the appointment on reasonable grounds relating to the auditor's competition with Mailvelope or the existence of doubts about the proposed independent auditor's ability to ensure information security and data protection; and

b) upon request of Mailvelope, obtain an appropriate confidentiality undertaking from the independent auditor.

9.4 Audits may also include inspections at the Processor's premises, upon reasonable notice of at least (1) month without prejudice to a shorter period imposed by a Regulator. In connection with inspections, the Customer agrees to:

a) respect the confidentiality and security of the Processor's premises and any relevant internal procedures or policies notified by the Processor to the Customer prior to the audit;

b) minimize the risk of any disruption to the Processor and its customers' business and the risk of personal data breach arising from the audit;

c) define with the Processor the scope of the audit prior to the audit.

9.5 The costs of the audits and inspections shall be borne by the Customer except in cases where they reveal the Processor's non-compliance.

9.6 The Parties shall make the information referred to in this Section 9, including the results of any audits, available to the competent supervisory authority/ies on request.

10. Data Transfer

10.1 The Processor may not transfer or authorize the transfer of Customer Personal Data to countries outside the European Economic Area (EEA) unless the Controller has given its prior written approval or in order to fulfil a specific legal requirement and such transfer shall take place in compliance with Chapter V of the GDPR.

10.2 When requesting the approval from the Controller under 11.1 above, the Processor shall provide the Controller with information about the relevant country of destination and the relevant data transfer mechanism.

10.3 The Processor shall ensure that all required measures, commitments, certifications and safeguards necessary to be able to rely on any data transfer mechanism are maintained. If a data transfer mechanism relied upon for a transfer under this Section 10 is no longer maintained, requires adjustment or is invalidated as a result of any change in Data Protection Laws or decision of a Supervisory Authority or other competent authority, the Processor shall immediately inform the Controller thereof and take appropriate action. The latter may include the putting in place of an alternative data transfer mechanism to ensure that the transfer(s) remain to be performed in compliance with Data Protection Laws.

10.4 For the avoidance of doubt, any written approval from the Controller to transfer Personal Data to a non-EEA recipient, shall constitute a documented instruction within the meaning of Section 3.2 (Documented Instructions).

10.5 The Controller hereby approves transfers of Personal Data to the Contracted Processors listed in Schedule 2 (Approved Contracted Processors) which are non-EEA -recipients, provided the other terms of 11.1 above are met.

10.6 The Controller hereby agrees that where the Processor engages a Contracted Processor in accordance with Section 5 for carrying out specific Processing activities (on behalf of the Controller) and those Processing activities involve a transfer of Customer Personal Data within the meaning of Chapter V of the GDPR, the Processor and the Contracted Processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

11. Confidentiality

11.1 Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

12. Non-compliance with this DPA and termination

12.1 The Processor shall immediately inform the Controller if, in its opinion, any instruction given by the Controller infringes any Data Protection Laws. The Controller shall respond to such notification from the Processor within 10 Business Days. In case of inaction from the Controller or in case the Controller persists with an unlawful instruction, the Processor shall be allowed to terminate this DPA, without indemnity, other notice or the prior intervention of a judge.

12.2 In the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the Processing of Customer Personal Data until the latter complies with this DPA or the Principal Agreement is terminated.

12.3 The Controller shall be entitled to terminate the Principal Agreement insofar as it concerns Processing of Customer Personal Data in accordance with this DPA if:

(a) the Processing of Customer Personal Data by the Processor has been suspended by the Controller pursuant to 13.2 and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;

(b) the Processor is in substantial or persistent breach of this DPA or its obligations under the GDPR;

(c) the Processor fails to comply with a binding decision of a competent court or the competent Supervisory Authority/ies regarding its obligations pursuant to this DPA or the GDPR.

12.4 Upon termination of the Principal Agreement, this DPA, or at the written request of the Controller, the Processor shall, at the choice of the Controller, return the Customer Personal Data and all copies thereof to the Controller and/or shall destroy (delete) such Customer Personal Data and all existing copies thereof securely, taking into account its obligations pursuant to Article 32 GDPR. To the extent the Processor cannot comply with the Controller's request to return and/or destroy the Customer Personal Data, because applicable EU or EU Member State statutory provisions require longer storage, the Processor shall inform the Controller of such legal obligation, keep the Customer Personal Data confidential and only Process the Customer Personal Data to the extent required by the applicable EU or EU Member State law. Until the Customer Personal Data is deleted or returned, Processor shall continue to ensure compliance with this DPA.

12.5 Any request of deletion or return of Personal Data under this Section 12 shall be performed by the Processor within 30 Business Days after the date of the request from the Controller or termination of the Principal Agreement or this DPA, unless otherwise agreed upon at such time by the Parties. The Processor shall confirm in writing that the Processor has returned or destroyed all Personal Data and copies thereof in accordance with the request of the Controller.

13. Miscellaneous

13.1 The Processor may require the Customer to reimburse Processor's costs and expenses in complying with its obligations pursuant to Sections 6 (Data Subject rights requests), 4.4 (Security), 7 (Personal Data Breach), 8 (Other assistance to the Controller) and 9 (Documentation, compliance and audit rights) subject to these costs and expenses being reasonable.

13.2 Any notices, information and communications under this DPA may be sent by email using the following email addresses:

For the Processor:

For the Controller: the email used to send an invoice to the Customer.

Such contact details may change from time to time and shall be notified by the relevant Party.

13.3 Nothing in this DPA reduces the Processor's obligations under any other agreement between the Parties in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by any other agreement between the Parties. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

13.4 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

13.5 The Parties agree that they will amend this DPA if reasonably required to comply with Data Protection Laws.

14. Governing Law and Jurisdiction

14.1 This DPA is governed by the laws of the Germany

14.2 Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the city of Würzburg.

Schedule 1 – Details of Processing

Subject matter and nature of the Processing

The Data Processing performed by the Data Processor on behalf of the Controller relates to the services of credentials and password management.

The Personal Data will be collected, received, used, stored and otherwise Processed as necessary to operate and support the Services, as further described in the Principal Agreement, to the extent determined and controlled by the Customer in its sole discretion. Further, Mailvelope and service providers it uses shall Process and enrich the Personal Data its systems to improve the availability, reliability and security of the Services.

The Data Processing details and procedure can be found in the Mailvelope Privacy Policy at

Duration of the Processing

The Processing shall continue until the later of:

(i) the DPA being terminated;

(ii) the Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data.

Types of Personal Data

Name, email address, contact details, files and documents, location, IP address, browser user agent.

Categories of Data Subjects

Employees, agents, advisors, freelancers of Customer (who are natural persons);

Users authorized by Customer to use the Services;

Schedule 2 – Approved Contracted Processors

The Service Provider currently uses the following Contracted Processors:

Contracted processors of the Service Provider
Contracted processor Processor activities Type of personal data Location Implemented safeguards & data transfer mechanism
Chargebee Subscription & invoice management Name, email address, location, IP address of customer. USA ISO 27001:2013, SOC 1, SOC 2, PCI DSS certifications. (Ref) Standard Contractual Clauses.
Uberspace Web application and website hosting for Mailvelope key server: name, email address Germany Security best practices. (Ref) Standard Contractual Clauses.
AWS Email service name, email address Germany, Ireland PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171 (Ref) Standard Contractual Clauses.

Do you have a question or require a signed version? Please contact us at