Skip to content
Sairaph Mail

Data Processing Agreement

Effective date: 25 June 2026 Last updated: 25 June 2026 Version: 1 (initial)

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service (the "Agreement") between the customer ("you", "Customer", "Controller") and WELLDONE, a business established in Poland, registered address Aleja Wyzwolenia 11/6, 70-552 Szczecin, Poland, Polish tax/VAT identification number (NIP) PL8531508847 ("Sairaph Mail", "we", "us", "Processor"), which operates the Sairaph Mail service (the "Service").

This DPA applies where, and only to the extent that, we process Customer Personal Data on your behalf as a processor within the meaning of Article 4(8) of Regulation (EU) 2016/679 (the "GDPR"). It does not apply to personal data for which we act as a controller (for example, your account, billing, security, and support data), which is governed by our Privacy Policy. Where there is a conflict between this DPA and the Agreement on the subject matter of data protection, this DPA prevails.

This DPA is made available to Business Customers as a click-through agreement incorporated by reference at checkout, with a signed copy available on request at privacy@sairaph.com.

---

1. Definitions

1.1 Terms such as "personal data", "processing", "data subject", "controller", "processor", "sub-processor", "personal data breach", and "supervisory authority" have the meanings given in the GDPR.

1.2 "Customer Personal Data" means personal data contained in the email messages, recipient and contact details, attachments, and related Content that you (or your authorised users, including any automated agents acting for you) transmit, store, or process through the Service, and in respect of which you act as controller (or as a processor for a third-party controller) and we act as your processor.

1.3 "SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries.

1.4 "Sub-processor" means any third party engaged by us to process Customer Personal Data, as listed in SUB_PROCESSORS.md.

---

2. Roles and Scope of Processing

2.1 Roles. As to Customer Personal Data, you are the controller (or a processor acting on behalf of a third-party controller) and we are the processor. Where you are yourself a processor, you warrant that you have the third-party controller's authority to engage us as a sub-processor on the terms of this DPA.

2.2 Subject matter and duration. The subject matter is the provision of the Service. The duration is the term of the Agreement, plus any period during which we retain Customer Personal Data as permitted or required under Section 9 and applicable law.

2.3 Nature and purpose. The processing consists of receiving, sending, relaying, transmitting, storing, caching, indexing (envelope metadata), encrypting, backing up, and deleting email and related Content, and providing programmatic access to it via REST API and MCP, in order to deliver the Service.

2.4 Types of personal data. Identification and contact data (names, email addresses), the content of email messages, subjects, headers, attachments, recipient lists, and any other personal data the Customer chooses to include in Content. The Customer controls and is responsible for the categories of personal data it submits.

2.5 Categories of data subjects. The Customer's contacts, recipients, correspondents, end-users, and any other individuals whose personal data the Customer includes in Content.

2.6 Special categories. The Service is not designed for the routine processing of special categories of personal data (Art. 9 GDPR). If the Customer includes such data in Content, the Customer remains responsible for ensuring a lawful basis and any additional conditions under Articles 9 and 10 GDPR.

---

3. Processing on Documented Instructions

3.1 We process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Polish law to which we are subject; in such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2 Your instructions are set out in this DPA, the Agreement, the documented configuration of the Service, and your use of the Service's features and API/MCP. Any additional or different instruction must be agreed in writing.

3.3 We will inform you if, in our opinion, an instruction infringes the GDPR or other EU or Member State data-protection provisions.

---

4. Confidentiality

4.1 We ensure that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations (contractual or statutory) and are trained on their data-protection responsibilities. Access is limited to personnel who need it to provide and support the Service.

---

5. Security Measures (Article 32)

5.1 We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as relevant to the Service:

  • Encryption at rest of sensitive customer-owned data using per-customer encryption keys (Fernet sub-keys wrapped by a master key family), enabling crypto-erasure;
  • Encryption in transit via TLS, with strict HTTP security headers;
  • Password hashing with Argon2id (OWASP-recommended parameters) and a breached-password check at signup/change;
  • Two-factor authentication (TOTP with recovery codes) available to all customers;
  • Access controls, rate limiting, account-lockout, and audit logging of mutating actions;
  • Edge protection, abuse/deliverability monitoring, and security monitoring;
  • measures to restore availability and access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of these measures.

5.2 The measures are described further in our Privacy Policy (Security section). We may update them over time provided the level of security is not materially reduced.

---

6. Sub-processors

6.1 General authorisation. You give us a general authorisation to engage sub-processors to process Customer Personal Data. Our current sub-processors are listed in SUB_PROCESSORS.md, which forms part of this DPA. As at the effective date these include OVHcloud (EU infrastructure, mailbox hosting, domain registration/DNS, mail-relay and application hosting), Amazon Web Services / Amazon SES (outbound email relay, eu-west-1), Stripe (payment processing and tax — controller-side billing data), Cloudflare (Turnstile bot defence), and self-hosted Plausible analytics.

6.2 Flow-down. We impose on each sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, in particular sufficient guarantees to implement appropriate technical and organisational measures meeting the GDPR. We remain fully liable to you for the performance of each sub-processor's obligations.

6.3 Notice and objection. We will give you reasonable advance notice of any intended addition or replacement of a sub-processor (by updating the versioned SUB_PROCESSORS.md list and notifying you by email or in-product notice). You may object on reasonable data-protection grounds within the notice period. If we cannot reasonably accommodate your objection, you may terminate the affected part of the Service, as your sole and exclusive remedy, in accordance with the Agreement.

---

7. International Transfers

7.1 We do not transfer Customer Personal Data outside the European Economic Area (EEA) except in accordance with Chapter V of the GDPR. Our primary processing for mail (OVHcloud, Amazon SES eu-west-1) takes place in the EU.

7.2 Where a transfer to, or access from, a third country occurs (in practice the United States, e.g. US parent-company access at a vendor), we rely on appropriate safeguards, namely (a) the SCCs as incorporated into the relevant sub-processor's data-processing agreement, and/or (b) the vendor's certification under the EU–US Data Privacy Framework where the destination is the United States, in each case supported by supplementary measures (including encryption in transit and, for sensitive customer data, encryption at rest) where appropriate.

7.3 To the extent the SCCs apply directly between you and us for any transfer, the SCCs are incorporated into this DPA by reference, with us as data importer and you as data exporter, and the relevant modules and options completed consistently with this DPA and SUB_PROCESSORS.md.

---

8. Assistance to the Controller

8.1 Data-subject requests. Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to data-subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Many such requests can be self-served by you through the Service (data export, deletion, profile edits). If we receive a request directly from a data subject relating to Customer Personal Data, we will, where lawful, refer them to you and not respond on your behalf except on your instruction.

8.2 Articles 32–36. Taking into account the nature of processing and the information available to us, we will assist you in ensuring compliance with your obligations regarding security (Art. 32), personal-data-breach notification (Arts. 33–34), data-protection impact assessments (Art. 35), and prior consultation (Art. 36).

---

9. Breach Notification

9.1 We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and in any event without undue delay where required to enable you to meet your own notification deadlines under Articles 33–34 GDPR. The notification will, to the extent then known, describe the nature of the breach, the likely consequences, and the measures taken or proposed, and will be updated as further information becomes available.

9.2 We will not make notifications to supervisory authorities or data subjects on your behalf unless we are legally required to do so or you instruct us in writing.

---

10. Audit

10.1 We will make available to you the information necessary to demonstrate compliance with the obligations in Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

10.2 To respect confidentiality, security, and the rights of other customers, audits will: (a) be on reasonable prior written notice (at least 30 days, save where a supervisory authority or applicable law requires sooner); (b) take place during business hours; (c) be limited to once per 12-month period unless a regulator requires otherwise or a breach has occurred; and (d) be satisfied, in the first instance, by our provision of relevant documentation, security summaries, and any third-party certifications or audit reports we hold. On-site inspection applies only where such materials are insufficient. Each party bears its own costs unless the audit reveals a material non-compliance by us.

---

11. Deletion or Return on Termination

11.1 On expiry or termination of the Agreement, and at your choice, we will delete or return all Customer Personal Data and delete existing copies, unless EU or Polish law requires storage of the personal data.

11.2 Return. While your Account is active and throughout the 7-day grace period after you request deletion, you may export Customer Personal Data using the Service's built-in data-export feature (a downloadable archive of your account data and messages, via a time-limited signed link), which satisfies the return obligation. The authoritative mail store remains in your OVHcloud mailbox.

11.3 Deletion / crypto-erasure. When you delete your Account, deletion is scheduled with a 7-day grace period; at the end of that period your per-customer encryption key is destroyed, rendering your encrypted Customer Personal Data — in our database and in any backups — permanently undecryptable (crypto-erasure). This achieves erasure even within backup-retention windows. Once the grace period ends, export is no longer possible.

11.4 Any retention beyond the above is limited to what EU or Polish law requires; such residual data remains subject to this DPA's confidentiality and security obligations for as long as it is retained.

---

12. Liability, Term, and Miscellaneous

12.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, to the extent permitted by applicable law and without limiting either party's responsibilities under the GDPR.

12.2 This DPA takes effect on the effective date above (or, if later, when you accept the Agreement) and continues for as long as we process Customer Personal Data on your behalf.

12.3 This DPA is governed by the laws of Poland, consistent with the Agreement, without prejudice to mandatory data-protection law. The lead supervisory authority for WELLDONE is the Polish data-protection authority, UODO (*Urząd Ochrony Danych Osobowych*), ul. Stawki 2, 00-193 Warszawa, Poland.

12.4 If any provision is held unenforceable, the remainder remains in effect and the provision is modified to the minimum extent necessary.

---

Annex A — Details of Processing

  • Subject matter: Provision of the Sairaph Mail service (email mailboxes and domains, sending/receiving via REST API and MCP).
  • Duration: Term of the Agreement plus any law-required retention (Section 9/11).
  • Nature and purpose: Receiving, sending, relaying, storing, caching, indexing, encrypting, backing up, and deleting email and related Content to deliver the Service.
  • Types of personal data: Names, email addresses, message content, subjects, headers, attachments, recipient lists, and any other personal data the Customer includes in Content.
  • Categories of data subjects: The Customer's contacts, recipients, correspondents, end-users, and other individuals included in Content.
  • Controller: The Customer. Processor: WELLDONE (Sairaph Mail).

Annex B — Technical and Organisational Measures

See Section 5 and the Security section of the Privacy Policy.

Annex C — Sub-processors

See SUB_PROCESSORS.md (versioned; incorporated by reference).

---

Contact: WELLDONE, Aleja Wyzwolenia 11/6, 70-552 Szczecin, Poland (NIP PL8531508847) — privacy: privacy@sairaph.com.

If you have questions about these terms, contact us at privacy@sairaph.com.

*Sairaph Mail, operated by WELLDONE, Sairaph.com.*