Skip to content
OS Domains
Data Processing Agreement

GDPR Article 28, in plain enough English to read.

This is the contractually-binding DPA that supplements our Terms of Service for any Customer processing Personal Data on OS Domains' infrastructure. It is current as of 2026-03-15 (version v3.4). Every section has a one-line plain-English summary at the top so you can scan for what matters; the legal text below each summary is the binding language. The three Annexes at the bottom — Sub-processors, Security Measures, Retention Schedule — are updated more frequently than the main body and have their own 30-day change-notice mechanism.

Enterprise customers negotiating custom DPA addenda: redlines to [email protected]. €790 review fee for Starter/Standard, included for Performance and Enterprise. Schedule a DPO call if you need clause-by-clause discussion.

Document metadata
Version
v3.4
Last updated
2026-03-15
Legal basis
GDPR Art. 28
Breach window
48 hours (strict)
Sub-processor notice
30 days
01

Definitions

Plain English: Defines GDPR-specific terms (Controller, Processor, Personal Data, Sub-processor, etc.) as they apply to this DPA.

Capitalized terms used in this DPA have the meanings given below or in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data. "Processor" means OS Domains GmbH, who processes Personal Data on behalf of the Controller. "Personal Data" has the meaning given in Article 4(1) GDPR and refers to the personal data submitted by Customer to the Services that is subject to processing by OS Domains under the Agreement. "Sub-processor" means any third party engaged by OS Domains to assist in providing the Services who has access to Personal Data, as listed in Annex 3. "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. "Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 GDPR. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission Decision (EU) 2021/914 for transfers of Personal Data to third countries.

02

Subject Matter and Duration

Plain English: What this DPA covers, how long it lasts, and how it relates to the underlying Service Agreement.

This DPA governs the processing of Personal Data by OS Domains on behalf of Customer in the course of providing the Services described in the applicable Order Form and the Terms of Service at /terms (the "Agreement"). This DPA forms an integral part of the Agreement and prevails over the Terms in case of conflict on data-protection matters. This DPA commences on the same Effective Date as the Agreement and continues until OS Domains has completed all processing activities, including return or deletion of Personal Data at termination as set out in Section 11. The categories of Personal Data processed, the categories of Data Subjects, and the duration and purposes of processing are described in Annex 1 (Description of Processing).

03

Roles of the Parties

Plain English: Customer is the data controller. OS Domains is the data processor. What that means in practice.

For the purposes of this DPA, Customer is the Controller of the Personal Data and OS Domains is the Processor. Customer determines (i) which categories of Data Subjects to send Personal Data to, (ii) the content and form of the messages, (iii) the lawful basis under GDPR Article 6 for processing each category of Personal Data, and (iv) the legitimate interests asserted, where applicable. OS Domains processes Personal Data only on documented instructions from Customer, which include the instructions implicit in Customer's use of the Services (such as submitting recipients and message content via the API for outbound delivery). OS Domains will inform Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law. OS Domains does not determine purposes or means of processing on its own behalf with respect to Customer's Personal Data and is not a joint controller.

04

Scope and Purpose of Processing

Plain English: OS Domains processes data only to provide the Services. Specifics in Annex 1.

OS Domains will process Personal Data solely for the purpose of providing the Services to Customer, including: receiving Personal Data from Customer via the API, SMTP relay, or customer portal; routing and transmitting messages to recipient mailbox providers; processing bounces, complaints, and delivery events; generating delivery statistics and reputation metrics in aggregate form; maintaining security, audit, and incident-response logs; and providing customer support upon Customer's request. OS Domains will not use Personal Data for any other purpose, including without limitation: training machine-learning models, aggregating data with other customers' data for resale to third parties, building advertising profiles, or any purpose not specified in this DPA or the Agreement. Personal Data is processed for the duration of the Agreement plus a 90-day post-termination period for data export, after which it is deleted in accordance with Section 11.

05

Processor's Obligations under Article 28(3)

Plain English: The eight specific commitments Article 28(3) GDPR requires OS Domains to make.

Pursuant to GDPR Article 28(3), OS Domains will: (a) process Personal Data only on documented instructions from Customer, including with regard to transfers to a third country or international organization, unless required to do so by Union or Member State law to which OS Domains is subject (in which case OS Domains will inform Customer of that legal requirement before processing, unless prohibited by law); (b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; (c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2; (d) respect the conditions for engaging Sub-processors set out in Section 7; (e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR; (f) assist Customer in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of processing and the information available to OS Domains; (g) at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage; and (h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to the audit terms in Section 12.

06

Security of Processing (Article 32)

Plain English: The specific technical and organizational measures we implement. Detail in Annex 2.

OS Domains implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. These measures include, at minimum: pseudonymization and encryption of Personal Data where appropriate; ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures. OS Domains is certified to ISO 27001:2022 (certificate available on request under NDA) and is in the process of completing SOC 2 Type II attestation. A full description of current measures is in Annex 2 and is updated as the security program evolves; material changes are communicated to Customer with at least 30 days notice.

07

Sub-processors

Plain English: When OS Domains uses third parties to help process data. General authorization with 30-day objection period.

Customer grants OS Domains a general authorization to engage Sub-processors to assist in providing the Services, subject to the following conditions: (a) OS Domains maintains a current list of authorized Sub-processors at /dpa#sub-processors (Annex 3 below); (b) OS Domains will notify Customer at least 30 days before adding or replacing a Sub-processor by email to the account contact and by updating Annex 3; (c) Customer may object to the addition or replacement of a Sub-processor in writing within the 30-day notice period on reasonable data-protection grounds, in which case OS Domains will either not engage the Sub-processor for Customer's Personal Data or, if that is not feasible, Customer may terminate the affected Services with a pro-rata refund of prepaid but unused fees; (d) OS Domains imposes data-protection obligations on each Sub-processor by written contract that are no less protective than those in this DPA, including the same Article 28 commitments; (e) OS Domains remains fully liable to Customer for the performance of any Sub-processor's obligations under this DPA.

08

Cross-Border Data Transfers

Plain English: How we handle data leaving the EEA, with SCCs and Transfer Impact Assessments after Schrems II.

By default, OS Domains processes Personal Data exclusively within the European Economic Area in the EU PoPs that Customer has selected (Vienna, Frankfurt, Amsterdam, London, Strasbourg). Cross-border transfers occur only when Customer has explicitly opted into PoPs outside the EEA (Dallas, United States and Panama City, Panama) or engaged Sub-processors that process data outside the EEA (as identified in Annex 3). For any such transfer outside the EEA, OS Domains relies on one or more of the following lawful transfer mechanisms: (i) the EU-US Data Privacy Framework where the recipient is certified under it, (ii) the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 (Controller to Processor) or Module 3 (Processor to Processor) as appropriate, supplemented by a Transfer Impact Assessment per the Court of Justice's Schrems II ruling, (iii) Binding Corporate Rules where the Sub-processor has them, or (iv) any other valid mechanism under GDPR Chapter V. OS Domains has completed Transfer Impact Assessments for all current cross-border transfers and supplementary measures (including encryption in transit and at rest, access controls, and surveillance-law review) are documented and available to Customer under NDA. Enterprise customers may contractually prohibit any non-EEA processing by selecting EU-only PoPs and the EU-only sub-processor configuration.

09

Assistance with Data Subject Rights

Plain English: How we help Customer respond to data-subject requests (access, erasure, portability, etc.).

Taking into account the nature of the processing and the information available to it, OS Domains will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR, including the right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). If a Data Subject directly contacts OS Domains regarding processing on Customer's behalf, OS Domains will, without undue delay, (i) inform the Data Subject that the inquiry must be addressed to Customer as the Controller, and (ii) forward the inquiry to Customer's designated contact. OS Domains provides Customer with self-service tooling in the customer portal to fulfill common requests (suppression list management, message-log search by recipient address, export, deletion). Beyond self-service, OS Domains will respond to a Customer assistance request related to a Data Subject request within 5 business days at no additional charge.

10

Personal Data Breach Notification

Plain English: How fast we notify you if there is a breach (48 hours), and what we include in the notification.

OS Domains will notify Customer of a Personal Data Breach affecting Customer's Personal Data without undue delay and in any event within 48 hours of OS Domains becoming aware of the breach. The 48-hour internal commitment is more strict than the GDPR's "without undue delay" standard and exists specifically to provide Customer with sufficient buffer to meet Customer's own 72-hour notification obligation to its Supervisory Authority under Article 33. Each notification will include, to the extent then known: (a) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed by OS Domains to address the breach and mitigate its possible adverse effects; and (d) the name and contact details of the Data Protection Officer or other point of contact where more information can be obtained. Where the full information is not available within 48 hours, OS Domains will provide it in phases as it becomes available without further undue delay. OS Domains maintains a Personal Data Breach register pursuant to Article 33(5).

11

Return and Deletion of Personal Data

Plain English: What happens to your data when the contract ends. 90-day export window, then deletion.

Upon termination or expiration of the Agreement, OS Domains will: (a) for a period of 90 days following the termination date, make Customer Personal Data available to Customer for export via the customer portal, REST API, or bulk download as Customer reasonably requests; (b) at the choice of Customer, delete or return all Personal Data to Customer; (c) delete existing copies of Personal Data unless Union or Member State law requires storage of the Personal Data, in which case OS Domains will inform Customer of the legal requirement and continue to protect the data in accordance with this DPA. Default retention periods during the term of the Agreement are described in Annex 4 (Retention Schedule). Customer may at any time before termination instruct OS Domains to delete specific categories of Personal Data; OS Domains will complete such deletion within 14 days unless retention is required by law or to fulfill an open legitimate-interest request from Customer (for example, deletion is paused while a legal hold notice from Customer is in effect).

12

Audit Rights

Plain English: How Customer can verify OS Domains is doing what this DPA says. Annual right, NDA-based.

Customer has the right to audit OS Domains' compliance with this DPA once per calendar year, at Customer's expense, subject to the following conditions: (a) Customer provides at least 30 days' advance written notice of the proposed audit; (b) audits are conducted during normal business hours and with minimum disruption to OS Domains' operations; (c) Customer's auditor signs OS Domains' standard NDA before the audit commences; (d) Customer pays OS Domains' reasonable costs of supporting the audit at OS Domains' standard professional-services rate; (e) Customer may not audit security findings, source code, or any information that would compromise OS Domains' security posture or other customers' data. As an alternative to an on-site audit, Customer may rely on OS Domains' current ISO 27001:2022 certification, SOC 2 attestation (when issued), penetration-test summaries, and the security questionnaire responses available on request under NDA. Audits are not available to Customers in litigation with OS Domains or where audit access would conflict with confidentiality obligations to other customers. Audits where Customer reasonably suspects material non-compliance may be exempt from the once-per-year limit.

13

Governing Law and Jurisdiction

Plain English: Austrian law applies. Vienna courts have exclusive jurisdiction.

This DPA is governed by the laws of Austria, consistent with the underlying Agreement. Any dispute, controversy, or claim arising out of or relating to this DPA shall be exclusively submitted to the competent courts of Vienna, Austria. Nothing in this DPA limits Data Subjects' rights to bring claims before their own Supervisory Authority or the courts of their habitual residence as provided under the GDPR.

Annex 1

Description of Processing

Categories of Data Subjects

  • · Customer's email recipients
  • · Customer's employees with portal access
  • · Customer's technical and billing contacts

Categories of Personal Data

  • · Email addresses (recipient and sender)
  • · Message content (subject, body, headers, attachments)
  • · Delivery metadata (timestamps, status, error codes)
  • · Engagement data (opens, clicks, where Customer opts in)
  • · Customer employee names and work email addresses

Purpose of Processing

Transmission of outbound email messages on behalf of Customer to recipient mailbox providers, plus the associated deliverability monitoring, bounce processing, and reporting necessary to maintain reputation and complete the service.

Duration

For the term of the underlying Agreement, plus a 90-day post-termination export grace period, plus any longer retention required by law (see Annex 4).

Special Categories of Personal Data (Article 9)

By default, OS Domains does not process Special Categories of Personal Data under GDPR Article 9 (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation). Customer warrants that it will not transmit Special Categories of Personal Data through the Services unless Customer has put in place additional safeguards required by GDPR Article 9 and has obtained explicit consent or other lawful basis. Customers who require processing of Special Categories should contact [email protected] before sending — additional contractual measures and a documented impact assessment will be required.

Annex 2

Technical and Organizational Security Measures

The measures listed below correspond to the security controls mapped to ISO 27001:2022 and SOC 2 criteria. Customer may request the current ISO 27001 control-mapping evidence and pre-certification control evidence under NDA via [email protected].

Encryption in transit

TLS 1.3 mandatory for inbound API, customer portal, and webhook delivery. TLS 1.2 grandfathered for legacy SMTP clients. TLS 1.0 and 1.1 rejected. HSTS enforced with 12-month max-age.

Encryption at rest

AES-256 on all databases, object storage, log archives, and backups. Encryption keys rotated annually; HSM-backed for keys protecting customer credentials.

Authentication

Customer portal: argon2id password hashing, MFA available (TOTP/WebAuthn), SAML SSO on Performance and Enterprise. API: per-environment keys with scope, OAuth2 for human-attended flows. Internal: hardware token MFA required for all production access.

Access control

Least-privilege RBAC for internal staff. Access to message content is logged and visible to Customer in the audit log. Access to production systems requires named approver and is time-bounded (8-hour windows).

Network segregation

Customer data plane isolated from management plane. Per-customer VLAN isolation on MTA infrastructure. No direct internet exposure of databases.

Monitoring & detection

Real-time monitoring of API call patterns, authentication anomalies, queue depth, error rates. PagerDuty pages within 5 minutes 24/7. SIEM with 12-month log retention.

Incident response

Documented IR playbook with named roles. Quarterly tabletop exercises. Annual external penetration test. Bug bounty disclosure via [email protected] (PGP available).

Backup & recovery

Customer configurations backed up every 6 hours to a second EU PoP, AES-256 encrypted. 35-day retention. Quarterly restore testing. RPO 6 hours, RTO 4 hours for catastrophic loss.

Personnel

Background checks for all production-access staff. Mandatory annual security training. NDA and confidentiality clauses in all employment and contractor agreements. Access removed within 24 hours of departure.

Physical security

All datacenter PoPs are Tier III or Tier IV facilities with biometric access, 24/7 manned security, video surveillance retained 90 days, and visitor logs retained 12 months.

Vulnerability management

Continuous vulnerability scanning. Critical CVEs patched within 7 days. Annual penetration test by accredited third party. Internal red-team exercise twice yearly.

Vendor management

All Sub-processors reviewed annually for continued GDPR compliance. Sub-processor contracts impose equivalent data-protection obligations. Transfer Impact Assessments refreshed annually or upon material change.

Annex 3

Authorized Sub-processors

Below is the complete current list of authorized Sub-processors. Changes are notified to Customer by email at least 30 days in advance with an objection window per Section 7. Subscribe to [email protected] for proactive notifications regardless of whether you have an active contract.

Sub-processor Service Data accessed Location Transfer mechanism
Cloudflare, Inc. CDN, edge caching, DDoS protection, bot management for the marketing site and customer portal IP addresses, request metadata, browser fingerprint Global (EU edge processing, US contractual entity) EU-US Data Privacy Framework certified + SCCs Module 3 + TIA
Hetzner Online GmbH Bare-metal infrastructure for Frankfurt PoP and customer portal backend No direct access to message content (encrypted at rest); physical-layer access to hardware Germany (Falkenstein, Nuremberg) Within EEA · no transfer mechanism needed
Interxion (Digital Realty) Datacenter colocation for Vienna and Amsterdam PoPs Physical-layer only; no logical access to data Austria, Netherlands Within EEA · no transfer mechanism needed
Equinix, Inc. Datacenter colocation for London, Strasbourg, Dallas PoPs Physical-layer only; no logical access to data UK (adequacy), France, USA UK adequacy decision + SCCs Module 2 (USA) + TIA
PaIX Panama Datacenter colocation for Panama PoP (opt-in only) Physical-layer only; no logical access to data Panama SCCs Module 2 + TIA + customer opt-in only
Sendmarc DMARC report aggregation enrichment (optional add-on) DMARC rua/ruf reports, which contain envelope-level metadata South Africa SCCs Module 3 + TIA + customer opt-in only
Stripe Payments Europe Ltd. Payment processing for Customer subscription fees Customer billing contact name, email, payment method; not message content Ireland (EU entity), with US parent Within EEA for Customer data + EU-US Data Privacy Framework + SCCs
PagerDuty, Inc. On-call alerting platform for OS Domains internal incident response Internal monitoring alerts only; no Customer Personal Data USA No Customer Personal Data processed
Plausible Insights OÜ Privacy-respecting web analytics for the marketing site (no third-party cookies) Aggregated, anonymized page-view counts; no individual user tracking Estonia Within EEA · no transfer mechanism needed
Annex 4

Retention Schedule

Data category Default retention Extended option
Outbound message metadata (timestamps, addresses, status, error codes) 90 days Up to 13 months via Extended Log Retention add-on (€49/mo)
Outbound message content (subject, body, headers) 7 days Up to 30 days on Enterprise contracts
Webhook delivery logs (success/failure events) 30 days Up to 6 months on Performance and Enterprise
DMARC aggregate reports (rua) 12 months Up to 24 months on Enterprise
DMARC forensic reports (ruf) 90 days Up to 12 months on Enterprise
Suppression lists (bounces, complaints, unsubscribes) Customer-controlled (no auto-deletion) Customer may purge at any time
Customer portal audit logs 12 months Required minimum under SOC 2; cannot be shortened
Authentication / access logs 12 months Required minimum under ISO 27001:2022 controls
Customer billing records 7 years Required by Austrian commercial law (UGB §190)
Customer account profile, technical contacts Active relationship + 90 days Deleted after 90-day post-termination export window
Sign or negotiate

Standard customers accept this DPA by clicking through. Enterprise customers redline it.

If you operate at a scale where your legal team needs to negotiate clause-by-clause, schedule a call with our DPO. The €790 review fee for Starter and Standard tier customers covers one round of redlines and a 45-minute call; included for Performance and Enterprise. Most negotiations conclude within 2-3 weeks.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment