Data Processing Agreement
Last updated: March 27, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller", "you") and Mohammed Azirar, operating mlr. ("Data Processor", "we", "us").
This DPA applies where we process personal data on your behalf in connection with the provision of the mlr. email campaign management platform (the "Service"), in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that you upload to or process through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
3. Scope & Roles
You are the Data Controller. You determine the purposes and means of processing your recipients' personal data.
We are the Data Processor. We process personal data only on your instructions and solely for the purpose of providing the Service.
3.1 Categories of Data Subjects
Your email recipients whose data you upload to the Service.
3.2 Types of Personal Data
- Email addresses
- First and last names
- Opt-in URLs, timestamps, and IP addresses
- MD5 hashes of email addresses
- Email domains
3.3 Processing Activities
- Storing recipient lists in our database
- Processing CSV imports and deduplication
- Building campaign recipient lists (filtering, suppression)
- Sending emails to recipients via your configured MTA servers
- Storing and applying suppression lists
4. Obligations of the Processor
We shall:
- Process Personal Data only on your documented instructions, unless required by law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Personal Data (see Section 6).
- Not engage another processor without your prior written authorization (see Section 5).
- Assist you in responding to data subject requests (access, rectification, erasure, portability).
- Assist you in ensuring compliance with your obligations regarding data breach notification, data protection impact assessments, and prior consultation.
- At your choice, delete or return all Personal Data upon termination of the Service (see Section 9).
- Make available all information necessary to demonstrate compliance and allow for audits (see Section 7).
5. Sub-processors
You authorize us to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States |
| Stripe, Inc. | Payment processing | United States |
| Render Services, Inc. | Application hosting | United States |
| Functional Software, Inc. (Sentry) | Error tracking | United States |
| Intuition Machines, Inc. (hCaptcha) | Bot protection | United States |
We will notify you before adding or replacing a sub-processor, giving you a reasonable opportunity to object. If you reasonably object and we cannot accommodate your objection, you may terminate the Service.
6. Security Measures
We implement the following technical and organizational measures:
- Encryption in transit — all data transmitted over HTTPS/TLS
- Encryption at rest — SSH credentials encrypted with Fernet symmetric encryption
- Access control — Row Level Security (RLS) at the database level, ensuring complete tenant isolation
- Authentication — secure authentication via Supabase Auth with email confirmation and CAPTCHA protection
- Minimal access — no employee access to customer data in normal operations; service role keys used only for background processing
- Firewall — MTA server ports restricted to authorized IP ranges
- Monitoring — error tracking via Sentry for rapid incident response
7. Audits
You have the right to audit our compliance with this DPA. Audits shall be:
- Conducted with reasonable prior notice (at least 30 days)
- Limited to once per year, unless a Data Breach has occurred
- Conducted during normal business hours
- At your cost, unless the audit reveals a material breach by us
We may satisfy audit requests by providing relevant certifications, reports, or documentation.
8. Data Breach Notification
In the event of a Data Breach, we will:
- Notify you without undue delay and no later than 72 hours after becoming aware of the breach
- Provide details of the nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken to address the breach
- Cooperate with you and take reasonable steps to mitigate the effects of the breach
9. Data Return & Deletion
Upon termination of the Service:
- At your request, we will return your Personal Data in a structured, commonly used, and machine-readable format (CSV export)
- We will delete all Personal Data within 30 days of termination, unless retention is required by applicable law
- We will confirm deletion in writing upon request
10. International Transfers
Personal Data may be transferred to and processed in the United States, where our sub-processors are located. Such transfers are protected by:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Sub-processors' own data protection frameworks and certifications
11. Duration & Termination
This DPA remains in effect for as long as we process Personal Data on your behalf. It terminates automatically when the Terms of Service terminate, subject to our obligations regarding data return and deletion.
12. Governing Law
This DPA is governed by the laws of the Netherlands and shall be interpreted in accordance with the GDPR.
13. Contact
For questions about this DPA, contact us at:
Mohammed Azirar
Email: support@getmlr.com