Data Processing Agreement

1. "Data Controller" means the entity that determines the purposes and means of the processing of personal data.

2. "Data Processor" means VenMail LLC, which processes personal data on behalf of the Data Controller.

3. "Personal Data" means any information relating to an identified or identifiable natural person.

4. "Services" means the email and automation services provided by VenMail to the Data Controller.

5. "Data Subject" means the individual to whom personal data relates.

1. This DPA governs the processing of personal data in connection with the Services.

2. VenMail acts as a Data Processor, processing personal data solely on behalf of the Data Controller.

3. The purpose of processing is to provide email communication, automation, and related services.

4. Processing is limited to what is necessary for these specified purposes.

1. VenMail shall process personal data only in accordance with the Data Controller's documented instructions.

2. VenMail shall ensure that persons authorized to process personal data are committed to confidentiality.

3. VenMail shall implement appropriate technical and organizational security measures.

4. VenMail shall assist the Data Controller in fulfilling data subject rights requests.

5. VenMail shall notify the Data Controller without undue delay of any personal data breach.

1. Encryption of data at rest using AES-256 encryption standards.

2. Encryption of data in transit using TLS 1.3 or higher.

3. Regular security assessments and penetration testing.

4. Access controls based on the principle of least privilege.

5. Audit logging of all data processing activities.

6. Business continuity and disaster recovery procedures.

1. VenMail may engage sub-processors for providing the Services.

2. Sub-processors include cloud infrastructure providers and email delivery services.

3. VenMail shall maintain a list of all sub-processors and make it available to the Data Controller.

4. VenMail shall enter into data processing agreements with all sub-processors.

5. Data Controller may object to new sub-processors with reasonable notice.

1. VenMail shall assist the Data Controller in responding to data subject requests.

2. Assistance includes providing access, correction, deletion, and portability of personal data.

3. VenMail shall implement technical measures to enable data subject rights fulfillment.

4. Response time for data subject requests shall be within legally required timeframes.

5. VenMail shall document all data subject request handling activities.

1. VenMail shall delete or return personal data at the end of the provision of Services.

2. Deletion shall occur within 30 days of service termination unless required by law.

3. VenMail shall provide evidence of data deletion upon Data Controller request.

4. Backup data may be retained for security purposes but shall be deleted within 90 days.

5. Data deletion procedures shall be documented and audited regularly.

1. Personal data may be transferred to countries outside the Data Controller's jurisdiction.

2. Such transfers shall be protected by appropriate safeguards including Standard Contractual Clauses.

3. VenMail shall ensure all sub-processors comply with international data transfer requirements.

4. Data Controller shall be informed of any changes to international data transfer mechanisms.

5. VenMail shall maintain documentation of all international data transfers.

1. VenMail shall make available to the Data Controller all information necessary to demonstrate compliance.

2. VenMail shall allow for and contribute to audits, including inspections, by the Data Controller.

3. Audit rights shall be exercised with reasonable notice and during business hours.

4. VenMail shall provide compliance certifications and security reports upon request.

5. Audit findings shall be addressed within agreed timeframes.

1. This DPA remains in effect for the duration of the Services agreement.

2. Upon termination, VenMail shall continue to protect personal data as required by this DPA.

3. Termination does not release either party from obligations accrued during the term.

4. Data Controller may request early termination of specific processing activities.

5. Both parties shall cooperate in orderly transition of services upon termination.