Data Processing Agreement
Last updated: 2026-05-02
1. Scope
This Data Processing Agreement (“DPA”) supplements the Terms of Service and governs the processing of personal data by Bel Consulting OÜ (registry code 16192499, VAT EE102951727, Sakala 7-2, 10141 Tallinn, Estonia), trading as ApexMail (“Processor”) on behalf of the Customer (“Controller”) under Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation).
2. Definitions
Terms used in this DPA have the meanings given in the GDPR unless otherwise defined.
3. Processing Details
| Element | Description |
|---|---|
| Subject matter | Email sending, delivery tracking, analytics |
| Duration | Term of the service agreement |
| Nature | Automated processing and transmission of email messages |
| Purpose | Provision of email infrastructure services |
| Data categories | Email addresses, message content, delivery metadata, IP addresses |
| Data subjects | Customer’s end users (email recipients) |
4. Processor Obligations
The Processor shall:
- Process data only on documented instructions from the Controller.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures (Article 32).
- Assist the Controller in responding to data subject requests.
- Delete or return all personal data upon termination of the agreement.
- Make available all information necessary to demonstrate compliance with Article 28.
- Allow for and contribute to audits and inspections conducted by the Controller or an authorised auditor.
5. Sub-processors
5.1 Authorised Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure (compute, storage) | EU (Germany/Finland) |
5.2 Notification of Changes
The Processor shall notify the Controller at least 30 days before adding or replacing any sub-processor, giving the Controller the opportunity to object. If the Controller objects on reasonable data protection grounds and no alternative can be agreed, the Controller may terminate the affected services.
6. International Transfers
All processing occurs within the EEA (Estonia). No personal data is transferred outside the EEA without appropriate safeguards (Standard Contractual Clauses or an adequacy decision under Article 45).
7. Security Measures
- AES-256-GCM encryption at rest
- TLS 1.3 in transit
- Argon2id password hashing
- Audit logging with hash-chain integrity
- SOC 2-aligned security controls
- Access control with multi-factor authentication
- Regular vulnerability scanning and penetration testing
8. Data Breach Notification
The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a personal data breach involving the Controller’s data, in accordance with Article 33(2). The notification shall include:
- The nature of the breach.
- Categories and approximate number of data subjects and records concerned.
- Contact details of the Data Protection Lead.
- Likely consequences and measures taken or proposed.
9. Return and Deletion of Data
Upon termination of the agreement, the Processor shall, at the Controller’s choice, return or delete all personal data processed on behalf of the Controller, unless EU or Estonian law requires retention (e.g., billing records retained for 7 years per the Estonian Accounting Act).
10. Audit Rights
The Controller may request an audit of the Processor’s compliance with this DPA at reasonable intervals. The audit shall be conducted at the Controller’s expense and subject to confidentiality obligations.
11. Governing Law
This DPA is governed by the laws of the Republic of Estonia and the GDPR. Any disputes shall be resolved in the courts of Tallinn, Estonia.