Last Updated: September 12, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between FairyMail (“Processor,” “we,” or “us”) and the customer (“Controller,” “you,” or “user”) who uses FairyMail to process personal data. This DPA governs how we process personal data on your behalf in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

1. Scope

This DPA applies to all processing of personal data performed by FairyMail in providing email marketing and related services to the user, where the user is the Data Controller and FairyMail acts as the Data Processor.

2. Roles and Responsibilities

Data Controller (User):

• Determines the purpose and means of processing personal data.
• Ensures that all personal data shared with FairyMail is collected lawfully and that proper consent has been obtained.

Data Processor (FairyMail):

• Processes personal data only on documented instructions from the Data Controller.
• Assists the Controller in fulfilling obligations under applicable data protection laws (e.g., responding to data subject requests).
• Ensures personnel authorized to process personal data are bound by confidentiality obligations.

3. Security and Confidentiality

FairyMail implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

1. Encryption of data in transit and at rest.
2. Access controls and authentication protocols.
3. Regular security testing and vulnerability management.
4. Measures to ensure the ongoing confidentiality, integrity, and availability of systems.

4. Sub-Processors

FairyMail may engage third-party sub-processors (e.g., cloud hosting providers) to support the delivery of its services. We will ensure sub-processors are bound by written agreements requiring data protection standards equivalent to this DPA. A list of current sub-processors will be made available to the Controller upon request. The Controller will be notified of any material changes regarding sub-processors.

5. Data Transfers

If personal data is transferred outside the European Union (EU) or European Economic Area (EEA):

Such transfers will only occur with appropriate legal safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other mechanisms permitted by law.

6. Data Breach Notification

In the event of a personal data breach:

FairyMail will notify the Controller without undue delay after becoming aware of the breach. The notification will include information necessary for the Controller to meet legal obligations, including the nature of the breach, likely consequences, and remedial actions taken.

7. Data Subject Requests

FairyMail will assist the Controller, to the extent legally permitted, in responding to requests from data subjects exercising their rights (e.g., access, correction, deletion, portability).

8. Data Deletion or Return

Upon termination of services, at the Controller’s choice, FairyMail will either:

Delete all personal data processed on behalf of the Controller, or return such data to the Controller, except where retention is required by law.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in FairyMail’s Terms of Service, unless otherwise required by applicable data protection laws.