Personal and Contact Information
- Clients' personal and contact information is never shared with any third party under any circumstance.
- Clients' personal and contact information is only released to law enforcement officials when a court order mandates said release.
Usage Details, Data & Privacy
- Your usage details such as time, frequency, duration and pattern of use, features used and the amount of storage used will be recorded by us in order to enhance your experience of the Mailcheap Services and to help us provide you the best possible service.
- All data related to a service is destroyed when a cancellation request or termination is processed for the service. Backups relating to a service may be kept for an additional 7-30 days (from the date of termination) in case of automatic service termination.
EU GDPR rights overview
- Right to Access / Data Portability: Email data is accessible for an active service through the server's IMAP service. Clients' may use programs like OfflineIMAP (or similar) to download the email data. Email domains and identities can be exported from the server's admin panel. In addition to mailserver data, clients' personal and contact information is stored in the client area billing/support system. This data is available on request by opening a support ticket.
- Right to be Forgotten: All email data related to a service is destroyed when a cancellation request or termination is processed for the service. Backups relating to a service may be kept for an additional 7-30 days (from the date of termination) in case of automatic service termination. Clients' client area billing/support system account can be closed on request by opening a support ticket from the client area.
- Data Protection Officer: Pavin Joseph (L3 Systems Engineer) may be contacted from the contact page.
- Breach Notification: Clients will be notified within 72 hours of first having become aware of any data breach. This does not include data breaches caused by client due to use of weak/insecure passwords and/or re-use of passwords. Use a password manager to create random passwords for all your accounts. Mailcheap will not be responsible for lost passwords or compromised accounts due to weak passwords.
Mailcheap Data Processing Agreement
1. Scope, Order of Precedence and Term
1.1 This data processing agreement (the “Data Processing Agreement”) applies to Mailcheap’s
Processing of Personal Data as part of Mailcheap’s provision of Mailcheap Services (“
Services”). The Services are described in (i) the applicable order for Services, (ii) the
applicable Agreement or other applicable master agreement by and between You and Mailcheap in
which this Data Processing Agreement is referenced, and (iii) the Service Specifications (i, ii and iii
collectively the “Services Agreement”).
1.2 Unless otherwise expressly stated in the order, this version of the Data Processing Agreement is incorporated into and subject to the terms of the Services Agreement, and shall be effective and remain in force for the Service Period of the Services.
1.3 Except as expressly stated otherwise in this Data Processing Agreement or the order, in the event of any conflict between the terms of the Services Agreement, including any policies or schedules referenced therein, and the terms of this Data Processing Agreement, the relevant terms of this Data Processing Agreement shall take precedence.
2.1 “Applicable Data Protection Law” means (i) Directive 95/46/EC of October 24, 1995, as amended, on
the protection of individuals with regard to the Processing of Personal Data and on the free movement of
such data (‘Directive’) until such time that it is replaced by Regulation (EU) 2016/679 of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, applicable as of May 25, 2018; and (ii) any other data privacy or data protection
law or regulation that applies to the Processing of Personal Data under this Data Processing Agreement;
2.2 “You” means the customer entity that has executed the order;
2.3 “Data Subject”, “Data Protection Impact Assessments”, “Data Protection Officer”, “Process/Processing”, “Supervisory Authority”, “Controller”, “Processor” and “Binding Corporate Rules” (or any of the equivalent terms) have the meaning set forth under Applicable Data Protection Law;
2.4 “EU Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision;
2.5 “Argentinean Model Clauses” means the Model Agreement of International Transfer of Personal Data for the case of Personal Data Assignment (Contrato modelo de transferencia internacional de datos personales con motivo de la cesión de datos personales), approved by the National Directorate for Personal Data Protection on 2 November 2016;
2.6 “Mailcheap” means the Mailcheap Affiliate that has executed the order;
2.7 “Mailcheap Affiliate(s)” means the subsidiar(y)(ies) of Cyberlabs s.r.o. & Cyberlabs Inc. that may assist in the performance of the Services as set forth in Section 3.3;
2.8 “Personal Data” means any information relating to a Data Subject that Mailcheap may Process on Your behalf as part of the Services;
2.9 “Third Party Subprocessor” means a third party subcontractor, other than an Mailcheap Affiliate, engaged by Mailcheap and which may Process Personal Data as set forth in Section 3.3. Other capitalized terms have the definitions provided for them in the Services Agreement or as otherwise specified below.
3. Controller and Processor of Personal Data and Purpose of Processing
3.1 You are and will at all times remain the Controller of the Personal Data Processed by Mailcheap under
the Services Agreement. You are responsible for compliance with Your obligations as a Controller
under Applicable Data Protection Law, in particular for justification of any transmission of Personal Data
to Mailcheap (including providing any required notices and obtaining any required consents and/or
authorizations, or otherwise securing an appropriate legal basis under Applicable Data Protection Law),
and for Your decisions and actions concerning the Processing of such Personal Data.
3.2 Mailcheap is and will at all times remain a Processor with regard to the Personal Data provided by You to Mailcheap under the Services Agreement. Mailcheap is responsible for compliance with its obligations under this Data Processing Agreement and for compliance with its obligations as a Processor under Applicable Data Protections Law.
3.3 Mailcheap and any persons acting under the authority of Mailcheap, including any Mailcheap Affiliates and Third Party Subprocessors as set forth in Section 8, will Process Personal Data solely for the purpose of (i) providing the Services in accordance with the Services Agreement and this Data Processing Agreement (ii) complying with Your documented written instructions in accordance with Section 5, or (iii) complying with Mailcheap’s regulatory obligations in accordance with Section 13.
4. Categories of Personal Data and Data Subjects
4.1 In order to perform the Services and depending on the Services You have ordered,
Mailcheap may Process some or all of the following categories of Personal Data: personal contact
information such as name, home address, home telephone or mobile number, fax number, email
address, and passwords; information concerning your age and
date of birth; business contact details; financial details; goods and services provided; IP addresses.
4.2 Categories of Data Subjects whose Personal Data may be Processed in order to perform the Services may include, among others, Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
4.3 Additional categories of Personal Data and/or Data Subjects may be described in the Services Agreement. Unless otherwise specified in Your order (including in the Service Specifications), Your Content may not include any sensitive or special personal data that imposes specific data security or data protection obligations on Mailcheap in addition to or different from those specified in the Service Specifications.
5. Your Instructions
5.1 Mailcheap will Process Personal Data on Your written instructions as specified in the Services
Agreement and this Data Processing Agreement, including instructions regarding data transfers as set
forth in Section 7.
5.2 You may provide additional instructions in writing to Mailcheap with regard to Processing of Personal Data in accordance with Applicable Data Protection Law. Mailcheap will comply with all such instructions to the extent necessary for Mailcheap to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist You to comply with Your Controller obligations under Applicable Data Protection Law relevant to Your use of the Services, including assistance with notifying Personal Data breaches as set forth in Section 11, Data Subject requests as set forth in Section 6, and Data Protection Impact Assessments (DPIAs).
5.3 To the extent required by Applicable Data Protection Law, Mailcheap will immediately inform You if, in its opinion, Your instruction infringes Applicable Data Protection Law. You acknowledge and agree that Mailcheap is not responsible for performing legal research and/or for providing legal advice to You.
5.4 Without prejudice to Mailcheap’s obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Mailcheap to comply with instructions with regard to the Processing of Personal Data that require the use of resources different from or in addition to those required for the provision of the Services.
6. Rights of Data Subjects
6.1 Mailcheap will grant You electronic access to Your Services environment that holds Personal Data
to enable You to respond to requests from Data Subjects to exercise their rights under Applicable Data
Protection Law, including requests to access, delete or erase, restrict, rectify, receive and transmit, block
access to or object to Processing of specific Personal Data or sets of Personal Data.
6.2 To the extent such electronic access is not available to You, You can submit a “service request” via Mailcheap Support, or other applicable primary support tool provided for the Services), and provide detailed written instructions to Mailcheap (including the Personal Data necessary to identify the Data Subject) on how to assist with such Data Subject requests in relation to Personal Data held in Your Services environment. Mailcheap will promptly follow such instructions. If applicable, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Mailcheap to comply with instructions that require the use of resources different from or in addition to those required for the provision of the Services.
6.3 If Mailcheap directly receives any Data Subject requests regarding Personal Data, it will promptly pass on such requests to You without responding to the Data Subject if the Data Subject identifies You as the Data Controller. If the Data Subject does not identify You, Mailcheap will instruct the Data Subject to contact the entity responsible for collecting their Personal Data.
7. Personal Data Transfers
7.1 Personal Data held in Your Services environment will be hosted in the data center region
specified in the Services Agreement or otherwise selected by You. Mailcheap will not migrate Your
Services environment to a different data center region without Your prior written authorization.
7.2 Without prejudice to Section 7.1, Mailcheap may access and Process Personal Data on a global basis as necessary to perform the Services, including for IT security purposes, maintenance and performance of the Services and related infrastructure, Services technical support and Service change management.
7.3 To the extent such global access involves a transfer of Personal Data originating from the European Economic Area (“EEA”) or Switzerland to Mailcheap Affiliates or Third Party Subprocessors located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to (i) the terms of the EU Model Clauses incorporated into this Data Processing Agreement by reference; or (ii) other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Applicable Data Protection Law, such as approved Binding Corporate Rules for Processors. For the purposes of the EU Model Clauses, You and Mailcheap agree that (i) You will act as the data exporter on Your own behalf and on behalf of any of Your entities, (ii) Mailcheap will act on its own behalf and/or on behalf of the relevant Mailcheap Affiliates as the data importers, (iii) any Third Party Subprocessors will act as ‘subcontractors’ pursuant to Clause 11 of the EU Model Clauses.
7.4 To the extent such global access involves a transfer of Personal Data originating from Argentina to Mailcheap Affiliates or Third Party Subprocessors located in countries outside Argentina that have not received a binding adequacy decision by the National Directorate for Personal Data Protection, such transfers are subject to (i) the terms of the Argentinean Model Clauses incorporated into this Data Processing Agreement by reference; or (ii) other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Applicable Data Protection Law.
7.5 Transfers of Personal Data originating from other locations globally to Mailcheap Affiliates or Third Party Subprocessors are subject to (i) for Mailcheap Affiliates, the terms of the Mailcheap Intra-Company Data Processing and Transfer Agreement entered into between Cyberlabs s.r.o. & Cyberlabs Inc. and the Mailcheap Affiliates, which requires all transfers of Personal Data to be made in compliance with all applicable Mailcheap security and data privacy policies and standards; and (ii) for Third Party Subprocessors, the terms of the relevant Mailcheap Third Party Subprocessor agreement incorporating security and data privacy requirements consistent with the relevant requirements of this Data Processing Agreement.
7.6 The terms of this Data Processing Agreement shall be read in conjunction with the EU Model Clauses, the Argentinean Model Clauses and other applicable transfer mechanisms pursuant to this Section 7.
8. Mailcheap Affiliates and Third Party Subprocessors
8.1 Subject to the terms and restrictions specified in Sections 3.3, 7 and 8, You agree that Mailcheap may
engage Mailcheap Affiliates and Third Party Subprocessors to assist in the performance of the
8.2 The following is the list of Mailcheap Affiliates and Third Party Subprocessors that may Process Personal Data.
- Cyberlabs s.r.o.
- Cyberlabs Inc.
8.3 Within fourteen (14) calendar days of Mailcheap providing such notice to You, You may object to the intended involvement of a Third Party Subprocessor or Mailcheap Affiliate in the performance of the Services, providing objective justifiable grounds related to the ability of such Third Party Subprocessor or Mailcheap Affiliate to adequately protect Personal Data in accordance with this Data Processing Agreement or Applicable Data Protection Law in writing by submitting a “service request” via Mailcheap Support, or other applicable primary support tool provided for the Services. In the event Your objection is justified, You and Mailcheap will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third Party Subprocessors’ or Mailcheap Affiliate’s compliance with this Data Processing Agreement or Applicable Data Protection Law, or delivering the Services without the involvement of such Third Party Subprocessor. To the extent You and Mailcheap do not reach a mutually acceptable resolution within a reasonable timeframe, You shall have the right to terminate the relevant Services (i) upon serving prior notice in accordance with the terms of the Services Agreement; (ii) without liability to You and Mailcheap and (iii) without relieving You from Your payment obligations under the Services Agreement up to the date of termination. If the termination in accordance with this Section 8.3 only pertains to a portion of Services under an order, You will enter into an amendment or replacement order to reflect such partial termination.
8.4 The Mailcheap Affiliates and Third Party Subprocessors are required to abide by the same level of data protection and security as Mailcheap under this Data Processing Agreement as applicable to their Processing of Personal Data. You may request that Mailcheap audit a Third Party Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third Party Subprocessor’s operations) to verify compliance with such obligations. You will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of Mailcheap’s agreement with any Third Party Subprocessors and Mailcheap Affiliates that may Process Personal Data.
8.5 Mailcheap remains responsible at all times for the performance of the Mailcheap Affiliates’ and Third Party Subprocessors’ obligations in compliance with the terms of this Data Processing Agreement and Applicable Data Protection Law.
9. Technical and Organizational Measures, and Confidentiality of Processing
9.1 Mailcheap has implemented and will maintain appropriate technical and organizational security
measures for the Processing of Personal Data. These measures take into account the nature, scope and
purposes of Processing as specified in this Data Processing Agreement, and are intended to protect
Personal Data against the risks inherent to the Processing of Personal Data in the performance of the
Services, in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
9.2 In particular, Mailcheap has implemented the physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures specified in the Service Specifications. You are advised to carefully review the applicable Service Specifications to understand which specific security measures and practices apply to the particular Services ordered by You, and to ensure that these measures and practices are appropriate for the Processing of Personal Data pursuant to this Data Processing Agreement.
9.3 All Mailcheap and Mailcheap Affiliate staff, as well as any Third Party Subprocessors that may have access to Personal Data are subject to appropriate confidentiality arrangements.
10. Audit Rights and Cooperation with You and Your Supervisory Authorities
10.1 You may audit Mailcheap’s compliance with its obligations under this Data Processing Agreement up to
once per year. In addition, to the extent required by Applicable Data Protection Law, including where
mandated by Your Supervisory Authority, You or Your Supervisory Authority may perform more frequent
audits, including inspections of the Service data center facility that Processes Personal Data.
Mailcheap will contribute to such audits by providing You or Your Supervisory Authority with the information
and assistance reasonably necessary to conduct the audit, including any relevant records of Processing
activities applicable to the Services ordered by You.
10.2 If a third party is to conduct the audit, the third party must be mutually agreed to by You and Mailcheap (except if such Third Party is a competent Supervisory Authority). Mailcheap will not unreasonably withhold its consent to a third party auditor requested by You. The third party must execute a written confidentiality agreement acceptable to Mailcheap or otherwise be bound by a statutory confidentiality obligation before conducting the audit.
10.3 To request an audit, You must submit a detailed proposed audit plan to Mailcheap at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Mailcheap will review the proposed audit plan and provide You with any concerns or questions (for example, any request for information that could compromise Mailcheap security, privacy, employment or other relevant policies). Mailcheap will work cooperatively with You to agree on a final audit plan.
10.4 If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and Mailcheap provides such report to You confirming there are no known material changes in the controls audited, You agree to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.
10.5 The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Mailcheap’s health and safety or other relevant policies, and may not unreasonably interfere with Mailcheap business activities.
10.6 You will provide Mailcheap any audit reports generated in connection with any audit under this Section 10, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. You may use the audit reports only for the purposes of meeting Your regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement. The audit reports are Confidential Information of the parties under the terms of the Services Agreement.
10.7 Any audits are at Your expense. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by Mailcheap to provide assistance with an audit that requires the use of resources different from or in addition to those required for the provision of the Services.
11. Incident Management and Personal Data Breach Notification
11.1 Mailcheap promptly evaluates and responds to incidents that create suspicion of or indicate
unauthorized access to or Processing of Personal Data (“Incident”). All Mailcheap and Mailcheap Affiliates
staff that have access to or Process Personal Data are instructed on responding to Incidents, including
prompt internal reporting, escalation procedures, and chain of custody practices to secure relevant
evidence. Mailcheap’s agreements with Third Party Subprocessors contain similar Incident reporting
11.2 In order to address an Incident, Mailcheap defines escalation paths and response teams involving internal functions such as Information Security and Legal. The goal of Mailcheap’s Incident response will be to restore the confidentiality, integrity, and availability of the Services environment and the Personal Data that may be contained therein, and to establish root causes and remediation steps. Depending on the nature and scope of the Incident, Mailcheap may also involve and work with You and outside law enforcement to respond to the Incident.
11.3 To the extent Mailcheap becomes aware and determines that an Incident qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on Mailcheap systems or the Services environment that compromises the security, confidentiality or integrity of such Personal Data (“Personal Data Breach”), Mailcheap will inform You of such Personal Data Breach without undue delay but at the latest within 72 hours.
11.4 Mailcheap will take reasonable measures designed to identify the root cause(s) of the Personal Data Breach, mitigate any possible adverse effects and prevent a recurrence. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Mailcheap and to the extent permitted by law, Mailcheap will provide You with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; (iii) where possible, the categories of Personal Data and Data Subjects including an approximate number of Personal Data records and Data Subjects that were the subject of the Personal Data Breach; and (iv) other information concerning the Personal Data Breach reasonably known or available to Mailcheap that You may be required to disclose to a Supervisory Authority or affected Data Subject(s).
11.5 Unless otherwise required under Applicable Data Protection Law, the parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant Supervisory Authorities.
12. Return and Deletion of Personal Data upon Termination of Services12.1 Upon termination of the Services or upon expiry of the retrieval period following termination of the Services (if available), Mailcheap will promptly delete all copies of Personal Data from the Services environment by rendering such Personal Data unrecoverable, except as may be required by law.
13. Legally Required Disclosure Requests
13.1 If Mailcheap receives any subpoena, judicial, administrative or arbitral order of an executive or
administrative agency, regulatory agency, or other governmental authority which relates to the
Processing of Personal Data (“Disclosure Request”), it will promptly pass on such Disclosure Request to
You without responding to it, unless otherwise required by applicable law (including to provide an
acknowledgement of receipt to the authority that made the Disclosure Request).
13.2 At Your request, Mailcheap will provide You with reasonable information in its possession that may be responsive to the Disclosure Request and any assistance reasonably required for You to respond to the Disclosure Request in a timely manner.
14. Data Protection Officer
14.1 Mailcheap has appointed a Global Data Protection Officer (Pavin Joseph). Mailcheap’s
Global Data Protection Officer may be contacted from the contact page .
14.2 If You have appointed a Data Protection Officer, You may request Mailcheap to include the contact details of Your Data Protection Officer in the order, or may subsequently communicate the relevant contact details to Mailcheap by submitting a “service request” via Mailcheap Support.