Definitions
Plain English: Defines GDPR-specific terms (Controller, Processor, Personal Data, Sub-processor, etc.) as they apply to this DPA.
Capitalized terms used in this DPA have the meanings given below or in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data. "Processor" means OS Domains GmbH, who processes Personal Data on behalf of the Controller. "Personal Data" has the meaning given in Article 4(1) GDPR and refers to the personal data submitted by Customer to the Services that is subject to processing by OS Domains under the Agreement. "Sub-processor" means any third party engaged by OS Domains to assist in providing the Services who has access to Personal Data, as listed in Annex 3. "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. "Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 GDPR. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission Decision (EU) 2021/914 for transfers of Personal Data to third countries.
Subject Matter and Duration
Plain English: What this DPA covers, how long it lasts, and how it relates to the underlying Service Agreement.
This DPA governs the processing of Personal Data by OS Domains on behalf of Customer in the course of providing the Services described in the applicable Order Form and the Terms of Service at /terms (the "Agreement"). This DPA forms an integral part of the Agreement and prevails over the Terms in case of conflict on data-protection matters. This DPA commences on the same Effective Date as the Agreement and continues until OS Domains has completed all processing activities, including return or deletion of Personal Data at termination as set out in Section 11. The categories of Personal Data processed, the categories of Data Subjects, and the duration and purposes of processing are described in Annex 1 (Description of Processing).
Roles of the Parties
Plain English: Customer is the data controller. OS Domains is the data processor. What that means in practice.
For the purposes of this DPA, Customer is the Controller of the Personal Data and OS Domains is the Processor. Customer determines (i) which categories of Data Subjects to send Personal Data to, (ii) the content and form of the messages, (iii) the lawful basis under GDPR Article 6 for processing each category of Personal Data, and (iv) the legitimate interests asserted, where applicable. OS Domains processes Personal Data only on documented instructions from Customer, which include the instructions implicit in Customer's use of the Services (such as submitting recipients and message content via the API for outbound delivery). OS Domains will inform Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law. OS Domains does not determine purposes or means of processing on its own behalf with respect to Customer's Personal Data and is not a joint controller.
Scope and Purpose of Processing
Plain English: OS Domains processes data only to provide the Services. Specifics in Annex 1.
OS Domains will process Personal Data solely for the purpose of providing the Services to Customer, including: receiving Personal Data from Customer via the API, SMTP relay, or customer portal; routing and transmitting messages to recipient mailbox providers; processing bounces, complaints, and delivery events; generating delivery statistics and reputation metrics in aggregate form; maintaining security, audit, and incident-response logs; and providing customer support upon Customer's request. OS Domains will not use Personal Data for any other purpose, including without limitation: training machine-learning models, aggregating data with other customers' data for resale to third parties, building advertising profiles, or any purpose not specified in this DPA or the Agreement. Personal Data is processed for the duration of the Agreement plus a 90-day post-termination period for data export, after which it is deleted in accordance with Section 11.
Processor's Obligations under Article 28(3)
Plain English: The eight specific commitments Article 28(3) GDPR requires OS Domains to make.
Pursuant to GDPR Article 28(3), OS Domains will: (a) process Personal Data only on documented instructions from Customer, including with regard to transfers to a third country or international organization, unless required to do so by Union or Member State law to which OS Domains is subject (in which case OS Domains will inform Customer of that legal requirement before processing, unless prohibited by law); (b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; (c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2; (d) respect the conditions for engaging Sub-processors set out in Section 7; (e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR; (f) assist Customer in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of processing and the information available to OS Domains; (g) at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage; and (h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to the audit terms in Section 12.
Security of Processing (Article 32)
Plain English: The specific technical and organizational measures we implement. Detail in Annex 2.
OS Domains implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. These measures include, at minimum: pseudonymization and encryption of Personal Data where appropriate; ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures. OS Domains is certified to ISO 27001:2022 (certificate available on request under NDA) and is in the process of completing SOC 2 Type II attestation. A full description of current measures is in Annex 2 and is updated as the security program evolves; material changes are communicated to Customer with at least 30 days' notice.
Sub-processors
Plain English: When OS Domains uses third parties to help process data. General authorization with 30-day objection period.
Customer grants OS Domains a general authorization to engage Sub-processors to assist in providing the Services, subject to the following conditions: (a) OS Domains maintains a current list of authorized Sub-processors at /dpa#sub-processors (Annex 3 below); (b) OS Domains will notify Customer at least 30 days before adding or replacing a Sub-processor by email to the account contact and by updating Annex 3; (c) Customer may object to the addition or replacement of a Sub-processor in writing within the 30-day notice period on reasonable data-protection grounds, in which case OS Domains will either not engage the Sub-processor for Customer's Personal Data or, if that is not feasible, Customer may terminate the affected Services with a pro-rata refund of prepaid but unused fees; (d) OS Domains imposes data-protection obligations on each Sub-processor by written contract that are no less protective than those in this DPA, including the same Article 28 commitments; (e) OS Domains remains fully liable to Customer for the performance of any Sub-processor's obligations under this DPA.
Cross-Border Data Transfers
Plain English: How we handle data leaving the EEA, with SCCs and Transfer Impact Assessments after Schrems II.
By default, OS Domains processes Personal Data exclusively within the European Economic Area in the EU PoPs that Customer has selected (Vienna, Frankfurt, Amsterdam, London, Strasbourg). Cross-border transfers occur only when Customer has explicitly opted into PoPs outside the EEA (Dallas, United States and Panama City, Panama) or engaged Sub-processors that process data outside the EEA (as identified in Annex 3). For any such transfer outside the EEA, OS Domains relies on one or more of the following lawful transfer mechanisms: (i) the EU-US Data Privacy Framework where the recipient is certified under it, (ii) the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 (Controller to Processor) or Module 3 (Processor to Processor) as appropriate, supplemented by a Transfer Impact Assessment per the Court of Justice's Schrems II ruling, (iii) Binding Corporate Rules where the Sub-processor has them, or (iv) any other valid mechanism under GDPR Chapter V. OS Domains has completed Transfer Impact Assessments for all current cross-border transfers, and the supplementary measures (including encryption in transit and at rest, access controls, and surveillance-law review) are documented and available to Customer under NDA. Enterprise customers may contractually prohibit any non-EEA processing by selecting EU-only PoPs and the EU-only sub-processor configuration.
Assistance with Data Subject Rights
Plain English: How we help Customer respond to data-subject requests (access, erasure, portability, etc.).
Taking into account the nature of the processing and the information available to it, OS Domains will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR, including the right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). If a Data Subject directly contacts OS Domains regarding processing on Customer's behalf, OS Domains will, without undue delay, (i) inform the Data Subject that the inquiry must be addressed to Customer as the Controller, and (ii) forward the inquiry to Customer's designated contact. OS Domains provides Customer with self-service tooling in the customer portal to fulfill common requests (suppression list management, message-log search by recipient address, export, deletion). Beyond self-service, OS Domains will respond to a Customer assistance request related to a Data Subject request within 5 business days at no additional charge.
Personal Data Breach Notification
Plain English: How fast we notify you if there is a breach (48 hours), and what we include in the notification.
OS Domains will notify Customer of a Personal Data Breach affecting Customer's Personal Data without undue delay and in any event within 48 hours of OS Domains becoming aware of the breach. The 48-hour internal commitment is stricter than the GDPR's "without undue delay" standard and exists specifically to give Customer sufficient buffer to meet its own 72-hour notification obligation to its Supervisory Authority under Article 33. Each notification will include, to the extent then known: (a) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed by OS Domains to address the breach and mitigate its possible adverse effects; and (d) the name and contact details of the Data Protection Officer or other point of contact where more information can be obtained. Where the full information is not available within 48 hours, OS Domains will provide it in phases as it becomes available without further undue delay. OS Domains maintains a Personal Data Breach register pursuant to Article 33(5).
Return and Deletion of Personal Data
Plain English: What happens to your data when the contract ends. 90-day export window, then deletion.
Upon termination or expiration of the Agreement, OS Domains will: (a) for a period of 90 days following the termination date, make Customer Personal Data available to Customer for export via the customer portal, REST API, or bulk download as Customer reasonably requests; (b) at the choice of Customer, delete or return all Personal Data to Customer; (c) delete existing copies of Personal Data unless Union or Member State law requires storage of the Personal Data, in which case OS Domains will inform Customer of the legal requirement and continue to protect the data in accordance with this DPA. Default retention periods during the term of the Agreement are described in Annex 4 (Retention Schedule). Customer may at any time before termination instruct OS Domains to delete specific categories of Personal Data; OS Domains will complete such deletion within 14 days unless retention is required by law or to fulfill an open legitimate-interest request from Customer (for example, deletion is paused while a legal hold notice from Customer is in effect).
Audit Rights
Plain English: How Customer can verify OS Domains is doing what this DPA says. Annual right, NDA-based.
Customer has the right to audit OS Domains' compliance with this DPA once per calendar year, at Customer's expense, subject to the following conditions: (a) Customer provides at least 30 days' advance written notice of the proposed audit; (b) audits are conducted during normal business hours and with minimum disruption to OS Domains' operations; (c) Customer's auditor signs OS Domains' standard NDA before the audit commences; (d) Customer pays OS Domains' reasonable costs of supporting the audit at OS Domains' standard professional-services rate; (e) Customer may not audit security findings, source code, or any information that would compromise OS Domains' security posture or other customers' data. As an alternative to an on-site audit, Customer may rely on OS Domains' current ISO 27001:2022 certification, SOC 2 attestation (when issued), penetration-test summaries, and the security questionnaire responses available on request under NDA. Audits are not available to Customers in litigation with OS Domains or where audit access would conflict with confidentiality obligations to other customers. Audits where Customer reasonably suspects material non-compliance may be exempt from the once-per-year limit.
Governing Law and Jurisdiction
Plain English: Austrian law applies. Vienna courts have exclusive jurisdiction.
This DPA is governed by the laws of Austria, consistent with the underlying Agreement. Any dispute, controversy, or claim arising out of or relating to this DPA shall be exclusively submitted to the competent courts of Vienna, Austria. Nothing in this DPA limits Data Subjects' rights to bring claims before their own Supervisory Authority or the courts of their habitual residence as provided under the GDPR.