Data Processing
Agreement.

1. Parties and definitions

1.1. This Data Processing Agreement ("DPA") is entered into between:

• The Customer identified in the Order Form (the "Controller"); and
• BIG BOX Hosting d.o.o., Trg republike 3, Floor 2, 1000 Ljubljana, Slovenia (the "Processor").

(each a "party", together the "parties").

1.2. Definitions. In this DPA, the following terms have the following meanings:

• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
• "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-processor", "Personal Data Breach", and "Supervisory Authority" have the meanings ascribed to them in Article 4 of the GDPR;
• "Customer Personal Data" means Personal Data uploaded to, transmitted through, or otherwise processed by the Services on the Controller's instructions;
• "Services" means the services provided by the Processor to the Controller under the Order Form, the Terms of Service, and any related agreement;
• "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
• "Sub-processor List" means the list of sub-processors authorised to process Customer Personal Data, as set out in Annex II and as updated from time to time in accordance with section 5.

1.3. Capitalised terms used in this DPA without definition have the meanings given to them in the Terms of Service.

2. Scope and roles

2.1. The Controller is the data controller and the Processor is the data processor in respect of Customer Personal Data, as those terms are defined in GDPR Article 4.

2.2. Subject matter and duration. The subject matter of the processing is the provision of the Services. The duration of the processing is the duration of the contract between the parties, plus any post-termination period during which the Processor is required to retain Customer Personal Data under section 9.

2.3. Nature and purpose. The nature and purpose of the processing are set out in Annex I of this DPA.

2.4. Categories of Data Subjects and Personal Data. The categories of Data Subjects whose Personal Data is processed, and the categories of Personal Data processed, are set out in Annex I.

2.5. Documented instructions. The Processor will process Customer Personal Data only on documented instructions from the Controller. The Order Form, the Terms of Service, and this DPA constitute the Controller's documented instructions. Additional instructions may be issued by the Controller in writing (including by email to [email protected]) and will be acknowledged by the Processor before being acted upon.

2.6. Compliance with EU law. If the Processor is required by EU or member state law to process Customer Personal Data otherwise than as instructed by the Controller, the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3. Obligations of the Processor

3.1. Confidentiality of personnel. The Processor will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with GDPR Article 28(3)(b).

3.2. Security of processing. The Processor will implement the technical and organisational measures set out in Annex III to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32.

3.3. Assistance with Data Subject rights. Taking into account the nature of the processing, the Processor will assist the Controller, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under GDPR Articles 12-23.

3.4. Assistance with security and notification obligations. The Processor will assist the Controller in ensuring compliance with the obligations under GDPR Articles 32-36 (security of processing, notification of personal data breaches, communication to data subjects, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to the Processor.

3.5. Personal Data Breach notification. The Processor will notify the Controller of any Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 48 hours of becoming aware of the breach. The notification will include the information specified in GDPR Article 33(3) to the extent it is available to the Processor at the time of notification, with subsequent updates as further information becomes available.

3.6. Records of processing. The Processor maintains a written record of all categories of processing activities carried out on behalf of the Controller, in accordance with GDPR Article 30(2). The record is available to the Controller and to the competent Supervisory Authority on request.

4. Audit rights

4.1. The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4.2. Audit frequency and scope. The Controller may conduct one audit per calendar year at its own expense, on at least 30 days' written notice to the Processor, during normal business hours and in a manner that does not unreasonably interrupt the Processor's normal operations. The Controller may conduct more frequent audits where required by a competent Supervisory Authority or where there is reasonable evidence of a material breach of this DPA.

4.3. Confidentiality of audits. The Controller and any auditor it mandates will treat all information obtained in the course of an audit as confidential information of the Processor, subject to the confidentiality obligations in section 7.3 of the Terms of Service.

4.4. Audit reports. In lieu of conducting an audit under section 4.2, the Controller may rely on independent third-party audit reports made available by the Processor (where applicable), provided that such reports cover the period and scope relevant to the Controller's compliance obligations.

5. Sub-processors

5.1. General authorisation. The Controller grants the Processor general authorisation to engage Sub-processors, subject to the conditions in this section.

5.2. Current sub-processors. The current Sub-processor List is set out in Annex II of this DPA and is also published at /trust/#subprocessors. The list is updated whenever a Sub-processor is added or removed.

5.3. Notification of changes. The Processor will notify the Controller of any intended changes to the Sub-processor List at least 30 days before the change takes effect, with sufficient information to enable the Controller to assess the impact of the change.

5.4. Right to object. The Controller may object to the addition of a new Sub-processor on reasonable grounds (typically because the new Sub-processor is unable or unwilling to provide the same level of data protection as required under this DPA). The objection must be communicated to [email protected] within the 30-day notification period. If the Processor is unable to address the Controller's reasonable concerns, the Controller may terminate the affected portion of the Services without penalty by giving written notice within 30 days of receipt of the Processor's response.

5.5. Sub-processor agreements. The Processor will impose contractual obligations on each Sub-processor that are no less protective than those imposed on the Processor under this DPA, in accordance with GDPR Article 28(4).

5.6. Liability for Sub-processors. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations under the relevant sub-processor agreement.

6. International data transfers

6.1. The Processor will not transfer Customer Personal Data to any third country or international organisation outside the European Economic Area or Switzerland, without the Controller's prior written consent and the implementation of one of the safeguards set out in GDPR Chapter V (typically the SCCs in Commission Implementing Decision (EU) 2021/914).

6.2. Where Sub-processors are established in third countries that have received a current adequacy decision from the European Commission under GDPR Article 45, the adequacy decision constitutes the safeguard for the transfer. Where Sub-processors are established in third countries without an adequacy decision, the SCCs will be incorporated into the relevant sub-processor agreement.

6.3. The Processor's current sub-processor architecture is engineered to avoid international data transfers outside the EEA and Switzerland in the normal course of operation, as documented at /trust/#subprocessors.

7. Standard Contractual Clauses (where applicable)

7.1. Where the Controller is established outside the EEA in a third country that has not received an adequacy decision, and the processing of Customer Personal Data by the Processor constitutes a transfer of personal data within the meaning of GDPR Chapter V, the parties enter into the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as set out in Annex IV of this DPA.

7.2. The applicable module is Module Three (processor-to-processor) where the Controller is itself a processor for an upstream controller, or Module Two (controller-to-processor) where the Controller is the controller of the relevant Personal Data.

7.3. The optional clauses in the SCCs are selected as follows: docking clause (Clause 7) — applicable; redress mechanism (Clause 11) — independent dispute resolution body not selected; governing law (Clause 17) — the law of the EEA member state most closely connected to the processing, defaulting to Slovenian law where no other connection is more appropriate; choice of forum (Clause 18) — the courts of Ljubljana, Slovenia.

8. Deletion or return of Customer Personal Data

8.1. Upon termination of the contract, the Controller may, by written instruction within 30 days of termination, require the Processor to: (a) return all Customer Personal Data to the Controller in a structured, commonly used, machine-readable format consistent with EU Data Act (Regulation 2023/2854/EU) cloud-portability requirements; or (b) delete all Customer Personal Data from the Processor's systems.

8.2. Absent contrary instruction within the 30-day period, the Processor will delete Customer Personal Data from production systems within 30 days of termination, and from backup systems within 90 days of termination.

8.3. Statutory retention. The Processor may retain Customer Personal Data beyond the periods in section 8.2 only to the extent and for the period required by EU or Slovenian law, in particular the Slovenian Companies Act (ZGD-1) on accounting and the Slovenian Tax Procedure Act (ZDavP-2). Such retained data is processed solely for compliance with the legal obligation and is not used for any other purpose.

8.4. Certification of deletion. Upon written request, the Processor will provide the Controller with a written certification of deletion within 30 days of completion of the deletion process described in section 8.1 or 8.2.

Annex I — Description of the processing

A. Categories of Data Subjects. The Customer Personal Data processed under this DPA concerns the following categories of Data Subjects:

• Recipients of email communications transmitted by the Controller through the Services (typically subscribers, customers, employees, or other contacts of the Controller);
• Senders or other natural persons whose Personal Data is included in email metadata or content transmitted through the Services;
• End-users of any application operated by the Controller that uses the Services for transactional or marketing email transmission.

B. Categories of Personal Data. The Customer Personal Data processed under this DPA may include the following categories of Personal Data:

• Identification and contact data: name, email address, postal address, telephone number, where transmitted in email content or metadata;
• Communication data: subject lines, message content, message timestamps, message-id headers, delivery status (accepted, delivered, bounced, deferred, complained);
• Engagement data: open events, click events, unsubscribe events, where the Customer has configured the Services to record such data;
• Technical data: IP addresses (sender or recipient), user-agent strings (where included in webhook payloads), authentication results (SPF, DKIM, DMARC).

C. Special categories of Personal Data. The Services are not designed to process special categories of Personal Data within the meaning of GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious beliefs or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation). The Controller warrants that it will not transmit special categories of Personal Data through the Services without prior agreement with the Processor and the implementation of appropriate additional safeguards.

D. Nature of the processing. The processing consists of: receipt, queueing, authentication signing, routing, delivery to upstream mailbox providers, recording of delivery outcomes, retention of metadata for the periods set out in the Privacy Policy, and disposal of message content after final disposition.

E. Purpose of the processing. Provision of the Services as set out in the Order Form.

F. Duration of the processing. Duration of the contract plus the retention periods set out in the Privacy Policy and section 8 of this DPA.

Annex II — Authorised Sub-processors

The Sub-processor List is published in real time at /trust/#subprocessors. The list as of the effective date of this DPA is reproduced below for convenience.

All Sub-processors are domiciled within the European Union. No transfers to third countries occur in the normal course of operation. Last updated: 2026-01-30.

Annex III — Technical and organisational measures

The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. The measures below summarise the controls documented in detail at /trust/#technical.

A. Encryption. Encryption at rest using LUKS (dm-crypt with LUKS2 metadata) and AES-256-XTS on every storage volume. Encryption in transit using TLS 1.3 minimum on customer-facing endpoints. Internal control-plane traffic encrypted via WireGuard tunnels with rotating keys.

B. Access controls. Production system access restricted to a named operations team with hardware-token multi-factor authentication (YubiKey 5 series), SSH key authentication, and VPN tunnel from managed devices. No password-based fallback. Privilege escalation logged in audit system reviewed within seven days. Quarterly access matrix review.

C. Logging and monitoring. Audit logs retained on append-only storage in a separate jurisdiction from production data, signed with hardware-module-held keys. Audit logs retained for seven years in accordance with NIS2 (Slovenian transposition, ZInfV-1) requirements.

D. Network architecture. Self-operated provider-independent IPv4 and IPv6 address space. No transit through US infrastructure on normal-state paths. Direct peering sessions at major European internet exchanges (DE-CIX, AMS-IX, LU-CIX, SIX Ljubljana, SwissIX, Netnod, RIX). Three Tier-1 transit providers per PoP for redundancy.

E. Vulnerability management. Weekly OpenVAS scans against CVE feed. Critical findings remediated within 48 hours. High findings within seven days. Patch deployment via Ansible against green-blue staging pattern.

F. Incident response. Documented runbook with 7-minute first-response SLA for Severity 1 and 2 incidents. Customer notification within 30 minutes of confirmed classification. Post-mortem within 72 hours of resolution. 24/7/365 on-call rotation with two paired engineers.

G. Backups and disaster recovery. 3-2-1 backup architecture with copies in three jurisdictions (Slovenia production, Switzerland primary backup, Iceland secondary backup). RTO four hours for full PoP loss. RPO one hour via continuous WAL streaming. Tabletop exercises twice annually.

H. Personnel. All operations personnel under contractual confidentiality obligations. Background checks on hire. Annual security awareness training. Documented offboarding procedure including immediate revocation of all access on contract termination.

I. Physical security. All facilities Tier III certified per TIA-942. Biometric access control plus mandatory escort for non-personnel. 24/7 on-site security. CCTV with 90-day retention. Environmental controls (power, cooling, fire suppression) compliant with operator industry standards.

Execution

This DPA is executed by the parties' acceptance of the Order Form or equivalent electronic acceptance mechanism on the Processor's website. By entering into the Order Form, the Controller confirms its agreement to this DPA and to the technical and organisational measures set out in Annex III.

Where the Controller requires execution by formal signature (typical for regulated industries with internal procurement frameworks that require wet-ink or qualified electronic signature), the Controller may request a counter-signed copy of this DPA from [email protected]. The Processor will respond within two business days.

The Processor is also willing to execute Controller-supplied DPAs that map to substantively the same set of obligations as this DPA. Such Controller-supplied DPAs are subject to legal review of typically less than two business days. Substantial deviations from the obligations in this DPA may require commercial discussion before execution.