Data Processing Agreement
UNMTA's Data Processing Agreement for GDPR and regulatory compliance.
UNMTA Data Processing Agreement
Effective Date: Feb 03, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between UNMTA LLC ("UNMTA," "Processor," "we," or "us") and the customer accepting this DPA ("Customer," "Controller," or "you").
This DPA applies to the extent that UNMTA processes Personal Data on behalf of Customer in connection with providing the Services.
1. Definitions
"Applicable Data Protection Law" means all laws and regulations relating to data protection and privacy applicable to the processing of Personal Data, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act ("CCPA"), and other applicable privacy laws.
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person that UNMTA processes on behalf of Customer in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
"Processor" means an entity that processes Personal Data on behalf of a Controller.
"Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
"Services" means the email infrastructure services provided by UNMTA under the Agreement.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set forth in Annex A.
"Subprocessor" means any third party engaged by UNMTA to process Personal Data on behalf of Customer.
2. Scope and Roles
2.1 Roles of the Parties
For the purposes of Applicable Data Protection Law:
- Customer is the Controller of Personal Data processed through the Services
- UNMTA is the Processor acting on behalf of Customer
2.2 Subject Matter and Purpose
UNMTA processes Personal Data solely to provide the Services, which include:
- Transmitting email messages on Customer's behalf
- Processing delivery events (sent, delivered, bounced, deferred)
- Handling bounce notifications and complaint feedback
- Providing reporting and analytics on email delivery
2.3 Categories of Data Subjects
Data Subjects include individuals to whom Customer sends email through the Services, typically:
- Customer's customers and users
- Newsletter subscribers
- Business contacts
- Other recipients designated by Customer
2.4 Types of Personal Data
Personal Data processed may include:
- Email addresses
- Names (if included in email headers or content)
- Message metadata (subject lines, timestamps, message IDs)
- Delivery and engagement data
- IP addresses associated with email events
- Any other Personal Data contained in email content
2.5 Duration of Processing
UNMTA will process Personal Data for the duration of the Agreement, subject to the retention periods specified in Section 9.
3. Customer Obligations
As the Controller, Customer agrees to:
- Ensure that Customer has a lawful basis under Applicable Data Protection Law for the processing of Personal Data by UNMTA
- Provide all necessary privacy notices to Data Subjects regarding the processing of their Personal Data
- Obtain any required consents from Data Subjects for the processing
- Ensure that Personal Data provided to UNMTA is accurate and lawfully collected
- Comply with all Applicable Data Protection Law regarding Customer's use of the Services
- Not instruct UNMTA to process Personal Data in violation of Applicable Data Protection Law
4. UNMTA Obligations
4.1 Processing Instructions
UNMTA will:
- Process Personal Data only on documented instructions from Customer, unless required by law
- Treat the Agreement and this DPA as Customer's documented instructions for processing
- Inform Customer if, in UNMTA's opinion, an instruction infringes Applicable Data Protection Law
4.2 Confidentiality
UNMTA will ensure that personnel authorized to process Personal Data:
- Are subject to appropriate confidentiality obligations
- Process Personal Data only as necessary to provide the Services
4.3 Security
UNMTA will implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of Personal Data in transit using TLS
- Encryption of Personal Data at rest
- Access controls limiting access to authorized personnel
- Regular security testing and vulnerability assessments
- Incident detection and response capabilities
- Secure development practices
UNMTA will regularly review and update security measures to maintain appropriate protection.
4.4 Subprocessing
UNMTA engages Subprocessors as listed on our Subprocessors page. By accepting this DPA, Customer provides general authorization for UNMTA to engage Subprocessors, subject to:
- UNMTA maintaining an up-to-date list of Subprocessors
- UNMTA imposing data protection obligations on Subprocessors that are materially similar to those in this DPA
- UNMTA remaining liable for the acts and omissions of Subprocessors
Notification of Changes: UNMTA will notify Customer of any intended changes to Subprocessors at least 14 days before the change takes effect. Customer may object to a new Subprocessor by providing written notice within 14 days of notification. If Customer objects and the parties cannot resolve the objection, Customer may terminate the affected Services.
4.5 International Transfers
UNMTA's infrastructure is located in the United States. Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States, the transfer is governed by the Standard Contractual Clauses incorporated in Annex A.
5. Data Subject Rights
5.1 Assistance with Requests
UNMTA will assist Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including requests for:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Restriction of processing
- Data portability
- Objection to processing
5.2 Request Handling
If UNMTA receives a request directly from a Data Subject:
- UNMTA will promptly notify Customer (unless prohibited by law)
- UNMTA will not respond directly to the Data Subject unless instructed by Customer or required by law
- Customer is responsible for responding to Data Subject requests
5.3 Technical Measures
UNMTA provides the following mechanisms to assist with Data Subject requests:
- Webhook delivery of events in real-time for Customer's own record-keeping
- Log shipping to Customer's S3-compatible storage
- Short retention periods (detailed in Section 9) that limit the Personal Data retained
Due to UNMTA's short data retention periods, Customer should configure data export to maintain records necessary to respond to Data Subject requests.
6. Security Incidents
6.1 Notification
UNMTA will notify Customer of any Security Incident without undue delay, and in any event within 72 hours of becoming aware of the incident, where the incident affects Personal Data processed on Customer's behalf.
6.2 Notification Contents
Notification will include, to the extent known:
- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects affected
- The categories and approximate number of Personal Data records affected
- The likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
6.3 Cooperation
UNMTA will:
- Cooperate with Customer's investigation of the Security Incident
- Take reasonable steps to mitigate the effects of the Security Incident
- Provide additional information as it becomes available
6.4 Customer Responsibility
Customer is responsible for:
- Determining whether notification to supervisory authorities or Data Subjects is required
- Making any required notifications
7. Data Protection Impact Assessments
Upon Customer's request, UNMTA will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and relating to UNMTA's processing of Personal Data.
8. Audit Rights
8.1 Audit Information
Upon Customer's written request (no more than once per year), UNMTA will provide:
- Documentation of security measures implemented
- Summary results of third-party security assessments or audits
- Relevant certifications or compliance reports
8.2 On-Site Audits
Customer may request an on-site audit of UNMTA's processing activities, subject to:
- At least 30 days' advance written notice
- Reasonable scope and duration
- Confidentiality obligations regarding any information disclosed
- Customer bearing the costs of the audit
- Audits conducted during normal business hours with minimal disruption
UNMTA may satisfy audit requests by providing audit reports from qualified third-party auditors.
9. Data Retention and Deletion
9.1 Retention Periods
UNMTA retains Personal Data for limited periods:
| Data Type | Retention Period |
|---|---|
| Log and event data | Up to 25 hours |
| Message data (queued/deferred) | Up to 7 days; deleted immediately upon delivery |
9.2 Deletion Upon Termination
Upon termination of the Agreement:
- UNMTA will delete Personal Data in accordance with the retention periods above
- Personal Data not subject to a specific retention period will be deleted within 30 days
- UNMTA may retain Personal Data as required by law, provided such data remains protected under this DPA
9.3 Data Export
Customer may export Personal Data at any time during the Agreement through:
- Webhooks (real-time event delivery)
- Log shipping to S3-compatible storage
Customer is responsible for configuring data export prior to termination.
10. Subprocessors
The current list of Subprocessors is maintained on our Subprocessors page, which serves as the authoritative source. This list may be updated in accordance with Section 4.4.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.
12. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.
13. Term
This DPA is effective upon Customer's acceptance and continues until the Agreement terminates. UNMTA's obligations regarding Personal Data will survive termination to the extent necessary to complete deletion in accordance with Section 9.
Annex A: Standard Contractual Clauses
For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to UNMTA in the United States, the parties agree to be bound by the Standard Contractual Clauses adopted by the European Commission Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"), which are incorporated by reference.
Module Selection
The following Module applies:
Module Two: Transfer Controller to Processor
- Data exporter: Customer (Controller)
- Data importer: UNMTA LLC (Processor)
Clause Selections and Specifications
Clause 7 (Docking Clause)
The optional docking clause is included.
Clause 9 (Use of Sub-processors)
Option 2 (General written authorization) applies.
The data importer has the data exporter's general authorization for the engagement of sub-processors from the list maintained on the Subprocessors page. The data importer shall inform the data exporter of any intended changes to that list at least 14 days in advance.
Clause 11 (Redress)
The optional clause is not included.
Clause 17 (Governing Law)
Option 1 applies. The SCCs are governed by the law of Ireland.
Clause 18 (Choice of Forum and Jurisdiction)
Disputes shall be resolved by the courts of Ireland.
Annex I to the EU SCCs
A. List of Parties
Data Exporter:
- Name: The Customer identified in the Agreement
- Activities: Sending email communications to end users
- Role: Controller
Data Importer:
- Name: UNMTA LLC
- Address: 1500 N Grant St # 7048 Denver, CO 80203
- Contact:
- Activities: Providing email infrastructure services
- Role: Processor
B. Description of Transfer
| Element | Description |
|---|---|
| Categories of Data Subjects | Email recipients designated by the data exporter |
| Categories of Personal Data | Email addresses, names, message metadata, delivery events, IP addresses |
| Sensitive Data | None anticipated; data exporter should not send special category data through the Services |
| Frequency of Transfer | Continuous, as emails are sent through the Services |
| Nature of Processing | Transmission, temporary storage, delivery tracking, bounce/complaint processing |
| Purpose of Processing | Providing email delivery services as described in the Agreement |
| Retention Period | As specified in Section 9 of this DPA |
C. Competent Supervisory Authority
The competent supervisory authority is the supervisory authority of the EU Member State in which the data exporter is established, or where the data exporter is not established in the EU, the supervisory authority of the EU Member State where the data exporter's EU representative is established, or where data subjects are located.
Annex II to the EU SCCs: Technical and Organizational Measures
The data importer implements the following security measures:
Access Control:
- Role-based access controls
- Multi-factor authentication for administrative access
- Regular access reviews
Encryption:
- TLS encryption for data in transit
- Encryption at rest for stored data
Network Security:
- Firewall protection
- Intrusion detection systems
- DDoS mitigation
Infrastructure Security:
- Dedicated infrastructure per customer
- Network segmentation
- Secure server configuration
Monitoring and Logging:
- Security event logging
- Anomaly detection
- Regular log review
Personnel:
- Confidentiality agreements
- Security awareness training
- Background checks for personnel with data access
Incident Response:
- Documented incident response procedures
- Regular testing and updates
Business Continuity:
- Data backups
- Disaster recovery procedures
Annex B: UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom to UNMTA in the United States, this UK International Data Transfer Addendum ("UK Addendum") supplements the EU SCCs.
Part 1: Tables
Table 1: Parties
- Start date: Effective Date of this DPA
- Parties: As specified in Annex I.A of the EU SCCs
- Key Contact: As specified in Annex I.A of the EU SCCs
Table 2: Selected SCCs, Modules and Selected Clauses
- Addendum EU SCCs: The EU SCCs as incorporated in Annex A, Module Two
Table 3: Appendix Information
- As set out in Annexes I and II of the EU SCCs
Table 4: Ending this Addendum when the Approved Addendum Changes
- Neither party may end this Addendum per Section 19 of the UK Addendum
Part 2: Mandatory Clauses
The Mandatory Clauses of the UK Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018, are incorporated by reference.
Annex C: Swiss Data Transfer Provisions
For transfers of Personal Data from Switzerland to UNMTA in the United States:
- The EU SCCs apply with the following modifications:
- References to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Federal Act on Data Protection ("FADP")
- References to "EU," "Union," and "Member State" shall not be interpreted to exclude Data Subjects in Switzerland
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner
- The governing law is Swiss law, and disputes shall be resolved by Swiss courts
By accepting this DPA during account registration, Customer agrees to all terms above.
Last updated: Feb 03, 2026