Data Processing Agreement

Effective Date: January 1, 2025
Last Updated: January 1, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and Malex Software SRL ("Company", "we", "us", "our", or "Data Processor") regarding the processing of personal data in connection with Dokkio services.

Important: Dokkio is designed for business email processing and does not typically process personal data under GDPR. This DPA applies only if personal data is processed.

2. Parties

2.1 Data Controller

Customer: The organization or individual subscribing to Dokkio services who determines the purposes and means of processing personal data.

2.2 Data Processor

Company: Malex Software SRL

Address: Str. Fedra, 27, Timis, Romania

Contact: contact@malexsoftware.ro

3. Scope and Application

3.1 Scope

This DPA applies to the processing of personal data by the Company on behalf of the Customer in connection with Dokkio services, where such processing is subject to European Union data protection laws.

3.2 Service Description

Dokkio provides email processing services that:

  • Receive emails at registered addresses
  • Extract structured data using AI-powered processing
  • Deliver extracted data via secure webhooks
  • Provide API access for email address management

4. Data Processing Details

4.1 Categories of Personal Data

If personal data is processed, it may include:

  • Email addresses of senders and recipients
  • Names mentioned in email content
  • Contact information contained in processed emails
  • Any personal identifiers within business communications

4.2 Categories of Data Subjects

  • Customer employees and representatives
  • Business contacts and vendors
  • Individuals whose information appears in business communications

4.3 Purposes of Processing

  • Email content analysis and data extraction
  • Delivery of extracted data to Customer webhooks
  • Service provision and technical support
  • System monitoring and performance optimization

4.4 Processing Activities

  • Collection and temporary storage of email content
  • Analysis and extraction of structured data
  • Transmission of extracted data to Customer systems
  • Deletion of processed email content

5. Data Processing Principles

5.1 Lawfulness

The Company will process personal data only on documented instructions from the Customer, including transfers to third countries or international organizations, unless required by applicable law.

5.2 Purpose Limitation

Personal data will be processed solely for the purposes specified in this DPA and the Terms of Service.

5.3 Data Minimization

The Company will process only the personal data necessary to provide Dokkio services.

6. Data Retention and Deletion

6.1 Retention Period

Email content is retained for a user-configurable period, ranging from no retention to 7 days, and is then automatically deleted.

6.2 Data Deletion

  • Email content is automatically deleted after the retention period
  • Webhook logs are deleted after 1 day
  • Account data is deleted upon account termination
  • Backups are purged according to our data retention schedule

6.3 Return or Deletion

At the end of the provision of services, the Company will delete or return all personal data to the Customer and delete existing copies unless storage is required by applicable law.

7. Technical and Organizational Measures

7.1 Security Measures

  • Encryption in transit (HTTPS/TLS) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Secure coding practices and vulnerability management
  • Employee training on data protection and security

7.2 Access Controls

  • Role-based access control for company personnel
  • Multi-factor authentication for administrative access
  • Regular access reviews and privilege management
  • Logging and monitoring of data access

7.3 Data Integrity

  • Data validation and integrity checks
  • Secure backup and recovery procedures
  • Change management processes
  • Regular testing of security measures

8. Sub-processing

8.1 Authorized Sub-processors

The Customer authorizes the Company to engage the following sub-processors:

  • DigitalOcean: Cloud hosting and infrastructure services
  • Amazon Web Services (AWS): Cloud infrastructure and services
  • MongoDB Inc.: Database services

8.2 Sub-processor Obligations

The Company ensures that sub-processors are bound by data protection obligations equivalent to those in this DPA.

8.3 Changes to Sub-processors

The Company will inform the Customer of any intended changes concerning sub-processors. The Customer may object to such changes within 30 days of notification.

9. Data Subject Rights

9.1 Assistance with Rights Requests

The Company will assist the Customer in responding to data subject rights requests, including:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure of personal data
  • Restriction of processing
  • Data portability
  • Objection to processing

9.2 Response Timeframe

The Company will respond to Customer requests regarding data subject rights within 10 business days, providing available information and assistance.

10. Data Breach Notification

10.1 Notification Procedure

In case of a personal data breach, the Company will:

  • Notify the Customer without undue delay and no later than 72 hours after becoming aware
  • Provide all relevant information about the breach
  • Assist the Customer in notifying supervisory authorities and data subjects as required
  • Take immediate measures to contain and remedy the breach

10.2 Breach Information

Breach notifications will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.

11. Audits and Compliance

11.1 Audit Rights

The Customer has the right to conduct audits and inspections to verify compliance with this DPA, subject to:

  • Reasonable advance notice (minimum 30 days)
  • Execution of appropriate confidentiality agreements
  • Limitation to normal business hours
  • Customer responsibility for audit costs

11.2 Compliance Documentation

The Company will maintain records of processing activities and make available information necessary to demonstrate compliance with GDPR obligations.

12. International Transfers

12.1 Transfer Mechanisms

International transfers of personal data will be made only:

  • To countries with an adequacy decision from the European Commission
  • With appropriate safeguards (Standard Contractual Clauses)
  • Based on specific derogations for specific situations

12.2 Transfer Impact Assessment

Before transferring personal data to third countries, the Company will assess the adequacy of protection and implement additional measures if necessary.

13. Termination

13.1 Effect of Termination

Upon termination of this DPA or the Terms of Service:

  • The Company will cease processing personal data
  • All personal data will be returned or deleted as instructed
  • Certificates of deletion will be provided upon request
  • Sub-processor agreements will be terminated or modified accordingly

13.2 Survival

Confidentiality obligations and liability provisions will survive termination of this DPA.

14. Contact Information

For questions regarding this DPA or data processing practices, please contact:

Company: Malex Software SRL

Address: Str. Fedra, 27, Timis, Romania

Email: contact@malexsoftware.ro

Website: https://dokkio.io