Data Processing Agreement

Last updated: January 2025

Introduction

This Data Processing Agreement (DPA) governs the processing of personal data by defnd.email on behalf of business customers. This DPA supplements our Terms of Service and Privacy Policy.

Definitions

  • Data Controller: The entity that determines the purposes and means of processing personal data (you, the customer).
  • Data Processor: The entity that processes personal data on behalf of the controller (defnd.email).
  • Personal Data: Any information relating to an identified or identifiable natural person.

Scope of Processing

defnd.email processes data as necessary to provide encrypted communication services:

  • Encrypted email storage and delivery
  • Encrypted calendar, notes, and password vault
  • Account management and authentication

Security Measures

We implement comprehensive security measures including:

  • End-to-end encryption (XChaCha20-Poly1305)
  • Zero-knowledge architecture
  • Encrypted data at rest and in transit
  • Access controls and audit logging

Sub-processors

We use the following sub-processors, all located within the EU:

  • Infrastructure providers for hosting and storage
  • Payment processors for subscription billing

Data Subject Rights

We will assist you in responding to data subject requests for access, rectification, erasure, or portability, to the extent technically feasible given our zero-knowledge architecture.

Data Breach Notification

In the event of a data breach affecting your data, we will notify you within 48 hours of becoming aware of the breach, providing all available information about the incident.

International Transfers

All data is stored and processed within the European Union. We do not transfer personal data outside the EU.

Audit Rights

Upon reasonable request and subject to confidentiality obligations, we will provide information necessary to demonstrate compliance with this DPA.

Termination

Upon termination of services, we will delete or return all personal data within 30 days, except where retention is required by law.

Contact

For DPA-related inquiries:

support@defnd.email