Data Processing Agreement.

1. Parties

This Data Processing Agreement (the "DPA") is entered into between Mailnurse (the "Processor") and the Customer identified in the underlying subscription (the "Controller"), collectively the "Parties".

2. Scope

This DPA applies whenever the Customer's use of the Service involves the processing of personal data within the meaning of Article 4(1) of Regulation (EU) 2016/679 (the "GDPR"). It forms part of, and is incorporated by reference into, the Terms of Service.

3. Subject matter and duration

The subject matter of the processing is the operation of the Mailnurse service for the Customer. The duration of the processing coincides with the term of the Customer's active subscription and the thirty-day post-termination retention window described in section 13 below.

4. Nature and purpose of processing

Mailnurse processes personal data to:

• Monitor the deliverability of the Customer's authorized sending mailboxes.
• Run inbox-placement tests against seed lists owned and operated by Mailnurse.
• Query DNS-based blocklists (DNSBLs) for the Customer's sending IPs and domains.
• Evaluate the Customer's configured deliverability rules.
• Orchestrate domain rotation via the Customer-authorized provider APIs (Workspace, Cloudflare, Instantly, Spaceship).

5. Categories of data subjects

The personal data processed under this DPA relates to the Customer's employees and contractors who use the dashboard, and to the persona identity attributes the Customer assigns to its mailboxes. Where personas are AI-generated identities — not natural persons — they fall outside the GDPR's definition of a data subject; the Customer's own personnel using the dashboard remain in scope.

6. Categories of personal data

The categories of personal data processed are:

• Account-holder name and email address.
• Mailbox usernames.
• OAuth tokens and API credentials (treated as confidential information rather than personal data of the credential holder).
• Persona identity attributes (first name, last name, role, biography) assigned by the Customer to mailboxes.
• Dashboard usage logs (IP address, browser type, page paths, timestamps).

7. Processor obligations

Mailnurse shall:

• Process personal data only on the documented instructions of the Customer.
• Ensure that personnel authorized to process the data are bound by appropriate confidentiality obligations.
• Implement appropriate technical and organizational measures as required under Article 32 of the GDPR.
• Assist the Customer in responding to data-subject requests under Articles 15–22 of the GDPR.
• Notify the Customer of any confirmed personal-data breach without undue delay, and in any event within seventy-two hours of becoming aware.
• Support the Customer's data-protection impact assessments and prior consultations with supervisory authorities.

8. Subprocessors

Mailnurse engages the subprocessors listed in Privacy Policy section 5. The Customer authorizes Mailnurse to engage additional subprocessors subject to thirty days' prior written notice. The Customer may object in writing during that window; if the objection cannot be resolved, the Customer may terminate the affected portion of the subscription.

9. International transfers

The default processing region is AWS us-east-1. EEA Customers may request the eu-west-1 region. Transfers of personal data outside the European Economic Area are governed by the Standard Contractual Clauses, Module 2 (Controller-to-Processor), as set out in European Commission Implementing Decision (EU) 2021/914, which are hereby incorporated by reference.

10. Security measures

A summary of Mailnurse's technical and organizational security measures is published at mailnurse.io/security. The measures described there form Annex II of this DPA.

11. Data subject rights

Mailnurse shall assist the Customer, by appropriate technical and organizational measures, in responding to data-subject requests for access, rectification, erasure, restriction, portability, and objection. Assistance is provided within fourteen days of the Customer's documented request.

12. Audits

Mailnurse shall make available to the Customer a SOC 2 report (when available) or a written summary of its security controls on request. Onsite audits are available to enterprise Customers at the Customer's reasonable cost, with thirty days' prior written notice and during normal business hours.

13. Return and deletion at end of processing

On termination of the subscription, the Customer may export its data via the dashboard or the API for a window of thirty days. After that window, Mailnurse will delete all Customer personal data from production systems; backups are rotated out within ninety days.

14. Liability and governing law

Liability under this DPA is governed by, and capped in accordance with, the Terms of Service. This DPA is governed by Belgian law; disputes are subject to the exclusive jurisdiction of the courts of Antwerp.

15. Signature

This DPA is incorporated by reference into the Customer's subscription and takes effect on the subscription start date. A signed counterpart is available on request — contact us and we will return a signed copy by email within five business days.