Terms of use

On one side, the recipient of the services (hereinafter, “THE CLIENT”), who declares that:

THE CLIENT are of legal age and have sufficient legal capacity to understand and accept these terms for the provision of the services offered by MAILRELAY and that THE CLIENT have read and understood the service conditions and accept them without any reservation.

On the other side, CPC Servicios Informáticos Aplicados a Nuevas Tecnologías S.L. (hereinafter “MAILRELAY”).

Both parties agree to subject the provision of services to the following clauses:

1.- PURPOSE

This agreement governs the terms and conditions of the service for sending electronic communications (email, SMS, notifications, landing pages, and other functionalities) provided by MAILRELAY, in accordance with the features contracted by THE CLIENT.

MAILRELAY reserves the right to change, whenever deemed appropriate, any technical specifications in order to offer an improved service to THE CLIENT.

2.- TERM OF THE AGREEMENT

2.1.- This agreement shall have an initial term of TWELVE (12) MONTHS starting from the date service is activated.

2.2.- Upon expiry of the initially agreed term, these terms shall automatically renew for successive periods of the same duration—unless either party expresses its intention not to renew through reliable notification to the other party at least three months before the expiration of the initial term or any extension thereof.

2.3.- If THE CLIENT subscribes to prepaid credit or SMS packages and exhausts their allocated sendings within ten (10) days without purchasing an equal or larger credit package, MAILRELAY may automatically terminate this Agreement without prior notice.

2.4.- For month-to-month subscription plans without a fixed term, THE CLIENT may request service cancellation at any time, provided that such cancellation is communicated at least ten (10) calendar days before the renewal date of the upcoming month. The cancellation notice must be submitted via the channels established by MAILRELAY, including the Client’s private area or a written request to [email protected]. If cancellation is submitted with less than ten days’ notice, MAILRELAY reserves the right to issue and charge THE CLIENT for the next month’s fee. This shall not imply tacit renewal or additional commitment. This clause ensures the proper planning of contracted services and fulfills related technical and administrative obligations. THE CLIENT acknowledges and accepts this condition upon subscribing to a month-to-month plan without permanence, in accordance with Article 27 of Spain’s LSSI‑CE.

2.5.- If THE CLIENT exceeds the limits of emails or subscribers under their monthly or subscription plan within the current month, the system shall block further sendings until the plan is upgraded, the agreement term is advanced, or the next monthly cycle begins.

2.6.- An account will be deleted if inactive for one (1) year, until termination of its paid plan, or if it violates acceptable-use criteria set forth in our abuse and anti-spam policy.

2.7.- Free account may be terminated unilaterally at any time without notice or compensation.

3.- ACCESS CREDENTIALS

3.1.- MAILRELAY shall provide THE CLIENT with identification code and personal password for access. THE CLIENT is responsible for their safekeeping and confidentiality. Any misuse is the sole responsibility of THE CLIENT. In case of loss, THE CLIENT shall request credential recovery via established channels, ensuring compliance with GDPR and LSSI.

3.2.- THE CLIENT may change their personal password at any time.

3.3.- MAILRELAY ensures exclusivity regarding the identification code and confidentiality concerning THE CLIENT’s personal password.

3.4.- In case of password loss or forgetfulness, THE CLIENT shall notify MAILRELAY as soon as possible so that a replacement password is issued under maximum security conditions.

3.5.- All credential communications and service-related notifications shall be sent to the email address provided by THE CLIENT, who confirms that such address is valid, active, and checked at least once every seven (7) days. Any change must be communicated in writing.

3.6.- MAILRELAY reserves the right, under Spain’s LSSI‑CE (Article 34/2002), to block access to its platform at any time and without prior notice if use violates applicable Spanish or international law, public morals or custom, fundamental rights, or may be offensive. Sending advertising content requiring authorization from the author or regulatory bodies is prohibited. MAILRELAY shall not be liable for third‑party content transmitted, hosted, or accessed.

3.7.- Password recovery shall occur via sending to one of the administrator emails created in the control panel or the account registration email, preferably via the “Recover password” option or by contacting support. If THE CLIENT wishes to disable password recovery via the registration email (if different from administrator emails), THE CLIENT must notify MAILRELAY in writing.

4.- USE OF SERVICES

4.1.- THE CLIENT represents that THE CLIENT understand the hardware, software, and communication requirements for using the service.

4.2.- THE CLIENT agrees to use the service in compliance with all applicable legislation, including but not limited to LSSI CE (Law 34/2002), Organic Law 3/2018, EU Regulation 2016/679 (GDPR), and where applicable, the U.S. CAN SPAM Act. Specifically prohibited are:

  • Sending unsolicited emails, SMS, or other communications (SPAM).
  • Using contact lists obtained without consent or legitimate basis.
  • Identity impersonation, SCAM or phishing.
  • Transmitting illegal, defamatory, fraudulent content or content infringing third-party rights.
  • Any use that adversely affects MAILRELAY’s reputation, operations, or infrastructure.

MAILRELAY may block or send service upon detecting:

  • Bounce rates over 25%
  • Spamtraps
  • Unverified lists
  • Domains or Ips blacklisted.

THE CLIENT shall indemnify MAILRELAY against any claims, damages, penalties, or costs (including legal fees) arising from misuse of the service, legal action triggered by violations of these conditions, or use of MAILRELAY. MAILRELAY reserves the right to monitor account activity and may suspend service or terminate this agreement immediately upon breach.

4.3.- All electronic communications via this service must include an unsubscribed link. The link must be visible, functional, cost-free, accessible in no more than two clicks, and does not require credentials or email entry. Unsubscribes must be processed within seventy‑two (72) hours.

4.4.- MAILRELAY may temporarily suspend services at any time and without notice for maintenance, updates, improvements, or configuration.

4.5.- MAILRELAY shall not use any information or databases provided or stored by THE CLIENT for purposes other than the contracted service. Such data will not be shared or disclosed to third parties without THE CLIENT’s prior written consent. MAILRELAY shall not use THE CLIENT’s database for its own or third-party mailings without authorization. MAILRELAY shall implement the technical and organizational security measures described in Annex C (Article 32 GDPR). However, it is not responsible for events beyond its control such as malicious hacker attacks or equipment theft. MAILRELAY does not access or view personal data uploaded by THE CLIENT except for technical support under documented request or in abuse‑policy investigations.

4.6.- MAILRELAY commits to respecting intellectual property rights to files provided by THE CLIENT for distribution, making every effort to preserve privacy and security.

4.7.- MAILRELAY reserves the right to change technical specifications as needed to improve service.

4.8.- Upon agreement termination by either party or payment incident, tracking links in sent messages shall be deactivated, and THE CLIENT’s data shall be deleted per Annex A.

4.9.- In case of breaches per 4.2 or 4.3, MAILRELAY may terminate the agreement with immediate effect. Such termination shall not exempt THE CLIENT from payment of fees due up to effective cancellation, nor liability for misuse damages, including IP reputation damage, third-party penalties, or listing in blacklists.

4.10.- Platform functionalities, applications, tutorials, and videos are illustrative; actual application depends on the contracted plan and version.

4.11.- THE CLIENT may use the basic features of the Mailrelay platform on its free plan, subject to these terms. Point 6 of this agreement are not applicable to the free plan. TTo the maximum extent permitted by law, MAILRELAY disclaims all obligations or liabilities related to free account, including support, warranties, and indemnification. The free plan is offered without guarantee of availability, support, continuity, or data integrity. MAILRELAY may modify, limit, or terminate this plan without notice. Under the free plan, MAILRELAY is not obligated to provide personalized technical support or guarantee the continued maintenance of specific features. Incidents will be addressed on a non-priority basis and will not generate any right to compensation.

The use of a sender from a domain other than the one used to create the free account is prohibited. Likewise, the ownership or use of multiple free accounts by the same account holder, entity, organization, or group with the same or similar identity is prohibited. Detecting duplication or breach of these rules, MAILRELAY may immediately suspend or delete the affected accounts without prior notice and without compensation.

5.- INTELLECTUAL AND INDUSTRIAL PROPERTY

5.1.- Content and services provided under this agreement are subject to industrial and intellectual property rights belonging to MAILRELAY or third parties. THE CLIENT undertakes not to use them without prior written permission from MAILRELAY or respective rights holders. Exploitation for commercial purposes is strictly forbidden. THE CLIENT also agrees to respect third-party IP rights in content disseminated through the service, indemnifying MAILRELAY against any related claims.

5.2.- MAILRELAY may require THE CLIENT to justify any relevant matters. If THE CLIENT fails to do so, MAILRELAY may immediately remove such content and terminate this agreement without indemnity.

5.3.- THE CLIENT agrees to comply with all national and international laws on intellectual property rights in relation to content uploaded or sent via the platform, including domains. THE CLIENT declares THE CLIENT hold necessary rights, licenses, and consents for texts, images, databases, files, logos, or any IP-protected elements. MAILRELAY is not liable for client-provided content nor related third-party claims.

THE CLIENT accepts full responsibility and indemnifies MAILRELAY from any claims, penalties, or litigation involving such content. MAILRELAY may request documentation of rights at any time and remove infringing content immediately, even without notice, if legally required or to protect third parties.

5.4.- MAILRELAY reserves the right to pursue legal actions as it deems appropriate.

6.- LIABILITY OF MAILRELAY

6.1.- MAILRELAY shall enable THE CLIENT to independently import contacts, design newsletters, and send communications.

6.2.- MAILRELAY is not liable for damages arising from force majeure, unforeseeable events not avoidable despite due diligence, or any circumstances outside its control.

6.3.- MAILRELAY is not liable for claims regarding the quality, reliability, accuracy, or correctness of information, opinions, programs, data, services, or any content accessed by THE CLIENT or disseminated by THE CLIENT.

6.4.- MAILRELAY shall make best efforts to maintain acceptable compliance with contractual obligations but does not guarantee continuity, data integrity, or access to stored/transmitted Information. It is not liable for unauthorized third-party access, loss, or corruption of CLIENT data.

6.5.- MAILRELAY shall ensure third parties implement adequate safeguards and shall remain responsible for any breach caused by their failure to comply.

6.6.- Temporary service interruptions, whether involuntary, internal/external, or voluntary for service improvements, shall not entitle THE CLIENT to claims for damages. MAILRELAY shall take necessary measures for service resume and waive THE CLIENT’s hosting fees for non-functional periods.

6.7.- MAILRELAY is not liable for service interruptions due to maintenance, force majeure, external attacks, or causes beyond its control. Its maximum liability shall not exceed the total amount paid by THE CLIENT in the twelve (12) months prior to the incident. Indirect damages, loss of profits, reputational damage, or data loss due to causes beyond reasonable control are expressly excluded.

7.- LIABILITY OF THE CLIENT

7.1.- THE CLIENT is responsible for any illicit use of the service or sending of unauthorized advertising that harms MAILRELAY’s reputation or service. Registration of associated IP/domain addresses on spam or blocklists (e.g., URIBL, SURBL, SORBS, SPAMCOP, SPAMHAUS, or ISP blacklists such as Google, Microsoft, Yahoo!, AOL, GoDaddy) shall be considered material breach, and THE CLIENT shall indemnify MAILRELAY accordingly. MAILRELAY reserves the right to seek compensation through legal means regardless of whether damages were suffered by MAILRELAY or others.

7.2.- As stated in Section 4.3, THE CLIENT must include a clearly visible and legible unsubscribe link in commercial emails based on consent. Unsubscription must be automatic in no more than two clicks, without requesting password or email. Unsubscriptions must be processed within three days. MAILRELAY may verify compliance.

7.3.- Automatic exclusion: To ensure send quality and prevent spam, THE CLIENT authorizes MAILRELAY to automatically remove from lists:

  • invalid or incorrect email addresses
  • recipients who have unsubscribed or are deemed incompatible with commercial messaging.

Best practices recognized by industry operators apply.

7.4.- Recipient/User Information Disclosure: THE CLIENT is solely responsible for informing recipients or users that:

  • Third-party tools like MAILRELAY may be used.
  • Tracking systems and cookies may be used to capture behavioral data (e.g., IP, read time/date, clicks).
  • Tracked data will be transferred to MAILRELAY.

8.- ADDITIONAL SERVICES OR EXTENSIONS

8.1.- THE CLIENT may request additional services beyond those originally requested by emailing [email protected]. Any additional services are subject to the terms of this agreement.

8.2.- Extra work such as claim management, blacklist removal, IP changes, or custom development shall be invoiced at 150€/hour (minimum one hour), billed upon execution or at agreement termination/extension.

9.- AGREEMENT MODIFICATION

MAILRELAY may modify these terms by notifying THE CLIENT fifteen (15) days in advance. Continued use implies acceptance.

10.- SUSPENSION AND TERMINATION OF SERVICE

MAILRELAY may suspend the service, in whole or in part, in case of non-payment, fraudulent use, breach of these terms, impact on its infrastructure, or legal requirement. Such suspensions shall not give rise to any right to compensation.

THE CLIENT may terminate the contract in accordance with the provisions of Clause 2:

  • For contracts with an initial duration of twelve (12) months and automatic renewals, termination must be communicated in a reliable manner at least three (3) months prior to the expiration date of the initially agreed term or any of its renewals.
  • In the case of subscription plans without commitment, THE CLIENT may request cancellation at any time, provided that it is notified at least ten (10) calendar days before the renewal date of the next monthly period, as detailed in Clause 2.4.
  • In the case of prepaid bundles or SMS bundles, the provisions of Clause 2.3 shall apply.

No refunds shall be made for unused resources, except in cases of early termination attributable to MAILRELAY.

11.- BACKUPS

THE CLIENT must periodically back up data in their MAILRELAY account and related databases. MAILRELAY is not liable for data alteration or loss due to chance, mismanagement by CLIENT, or force majeure. Additional backup services may be contracted independently.

12.- PRIVACY & DATA PROCESSING POLICY

MAILRELAY acts as data processor under Article 28 GDPR. MAILRELAY shall be considered reliable. Data shall be processed as per this agreement and not transferred outside the EEA except under standard contractual clauses. Appropriate technical and organizational measures shall be applied, and personal data shall be processed according to instructions set forth in Annex A.

THE CLIENT guarantees legally adequate bases for processing (e.g., explicit consent) and indemnifies MAILRELAY from any liability arising from failure in this respect.

13.- ELECTRONIC COMMERCIAL COMMUNICATIONS

13.1.- THE CLIENT allows MAILRELAY to send promotional communications and offers, governed by the LSSI along with commercial and advertising laws.

13.2.- THE CLIENT may opt out of receiving such communications at any time via postal mail to the address in the header.

13.3.- MAILRELAY complies with Organic Law 3/2018 and EU Regulation 2016/679, ensuring correct processing of personal data. Each data collection form shall inform users of data processing particulars, controller, rights (access, rectification, cancellation, objection), purpose, and third-party data sharing. Consent will be sought for commercial communications in compliance with Law 34/2002.

13.4.- MAILRELAY may use THE CLIENT’s logo/image in a success case publication on its or third-party websites.

14.- JURISDICTION

This agreement is governed by Spanish law. Any dispute shall be subject to the courts of Madrid, with express waiver of any other jurisdiction.

15.- INVALIDITY

15.1.- If any clause is deemed invalid or unenforceable, such invalidity shall only affect the clause or part thereof. Remaining provisions remain in full force, as if the invalid part had not been included.

16.- ADDITIONAL CONDITIONS

16.1.- VAT is excluded. Payment shall be made in advance at contracting.

16.2.- The max validity of a pay-per-use credit package is twelve (12) months. If the initial package is used up, THE CLIENT has 30 days to request a new package of equal or greater value, otherwise the agreement terminates, and the account is deleted.

16.3.- In monthly mode, the contracted package is billed monthly in advance; unused messages cannot be carried over.

16.4.- In SMS packages, THE CLIENT may add new credits without signing a new agreement.

16.5.- The maximum email size is 100 Kb. Emails exceeding that size count as an additional message per 100 Kb increment.

16.6.- Additional emails beyond plan limits are billed 0,01€ each. If THE CLIENT requests a block upon exceeding the limit, MAILRELAY shall implement necessary safeguards.

16.7.- The free plan may be terminated by either party at any time without penalty.

16.8.- For each ten days of delayed payment or payment-system incident attributable to THE CLIENT, MAILRELAY charges an additional 5% management fee. MAILRELAY reserves the right to temporarily suspend service upon any payment-related incident until resolved.

16.9.- SMS credit usage depends on destination country, costs, and message encoding:

  • GSM-7 / ASCII Encoding: Allows up to 160 characters per SMS. However, certain special characters (e.g: \ ^ ~ [ ] { } | ~ €) count as two characters each, thereby reducing the total number of characters permitted per message.
  • Unicode Encoding: Used for special characters, emojis, or non-Latin alphabets. In this case, up to 70 characters are allowed per SMS. Every 70 Unicode characters will be counted as one SMS.
  • If a message exceeds these character limits, it will be automatically split into multiple segments, increasing the total number of credits used. For example, a message containing 117 Unicode characters will be counted as two SMS segments (since each segment is limited to 70 Unicode characters)

MAILRELAY publishes credit tables by country; THE CLIENT must review prior. Non-standard lists may lead to word-adjusted credits.

16.10.- If SMS costs exceed available balance, THE CLIENT must recharge. Otherwise, SMS will not be sent.

16.11.- SMS to landlines, premium-rate, or non-geographic numbers (e.g., 118, 803, 902, 91) is prohibited.

16.12.- MAILRELAY reserves the right to accept or reject any order or request without liability for damages or other consequences.

16.13.- Purchasing a prepaid package entitles THE CLIENT to create up to ten (10) free additional user accounts credited from the same balance. Additional users beyond this limit cost 100€ per block of 10 accounts, billed upfront or upon activation.

17.- RETURN POLICY

17.1.- No refunds for payments made online.

18.- OBSERVATIONS

THE CLIENT confirms having read and expressly accepted these service terms. In accordance with Organic Law 3/2018, personal data will be added to MAILRELAY owned files for invoicing and commercial communications. THE CLIENT may exercise rights of access, rectification, cancellation, and objection at C/ Nardo, 12 – 28250 Torrelodones (Madrid), Spain. Use, manipulation, reproduction, or distribution of this information by third parties is strictly prohibited. The contact data provided by THE CLIENT is valid for all notices regarding this agreement.

ANNEX A: DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“DPA”) governs the processing of personal data by THE CLIENT, as the data controller, who manages personal data through services provided on the MAILRELAY platform, and CPC Servicios Informáticos Aplicados a Nuevas Tecnologías, S.L., with registered address at Calle Nardo 12, 28250 Torrelodones (Madrid), Spain, NIF B83964601, as service provider and data processor, in accordance with applicable data protection laws.

Collectively referred to as “the Parties.”

PREAMBLE

  • A.- The Controller and Processor have entered into a principal service agreement —“Terms and General Conditions” (the “Main Agreement”)—under which the Processor provides electronic communications services (email, SMS, notifications, landing pages, and related functionalities) to the Controller.
  • B.- In performance of the Main Agreement, the Processor will access and process personal data on behalf of the Controller.
  • C.- The Parties wish to define their respective rights and obligations concerning personal data processing, in compliance with EU Regulation 2016/679 (GDPR), Spain’s Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD), and other applicable data protection rules.

1.- DEFINITIONS

  • “Personal Data”: Any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller under the Main Agreement.
  • “Data Subject”: The natural person to whom the Personal Data relates.
  • “Controller”: The person or entity that determines the purposes and means of processing. Here, THE CLIENT.
  • “Processor”: The person or entity that processes personal data on behalf of the Controller. Here, MAILRELAY.
  • “Processing”: Any operation performed on Personal Data—automated or not—such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, deletion, or destruction.
  • “Personal Data Breach”: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
  • “Supervisory Authority”: The independent public authority established by an EU member state to oversee GDPR compliance.

2.- PURPOSE & SCOPE

This DPA sets the terms under which MAILRELAY processes personal data on behalf of THE CLIENT, within the scope of electronic communication services detailed in Annex B.

3.- NATURE AND OBJECTIVES OF PROCESSING

3.1.- Purpose: The Processor will process personal data exclusively for delivering the email, SMS, notifications, landing pages, and related services as instructed by the Controller under the Main Agreement, in compliance with GDPR and LOPDGDD.

3.2.- Categories of Personal Data: As listed in Annex B (e.g., identification, contact details, interaction data).

3.3.- Categories of Data Subjects: As listed in Annex B (e.g., subscribers, leads, clients).

3.4.- Duration: Processing lasts for the term of the Main Agreement. Upon termination, the Processor will either delete or return all personal data and existing copies, unless EU or Member State law requires storage.

4.- PROCESSOR OBLIGATIONS

The Data Processor undertakes to:

4.1.- Process personal data solely based on the documented instructions of the Data Controller and always within the European Union.

4.2. Ensure that any persons authorised to process personal data are bound by confidentiality obligations or are subject to an appropriate legal obligation of confidentiality.

4.3.- Implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. These measures shall include, without limitation, those described in Annex C.

4.4.- Assist the Data Controller, insofar as possible, by appropriate technical and organisational measures, in fulfilling their obligation to respond to requests for the exercise of the Data Subjects’ rights (access, rectification, erasure, restriction, portability, and objection). If a Data Subject contacts the Data Processor directly to exercise their rights, the Data Processor shall promptly forward the request to the Data Controller and shall not respond unless expressly authorised by the Data Controller.

4.5.- Assist the Data Controller in complying with their obligations related to the security of processing (Article 32 GDPR), the notification of personal data breaches to the supervisory authority and data subjects (Articles 33 and 34 GDPR), the conduct of data protection impact assessments (Article 35 GDPR), and prior consultations (Article 36 GDPR).

4.6.- Notify the Data Controller without undue delay of any personal data breach of which it becomes aware, and in any case within a maximum of 72 hours from the moment MAILRELAY becomes aware of it, providing at least the following information:

  • The nature of the breach.
  • The categories and approximate number of affected data subjects.
  • The categories and approximate number of affected personal data records.
  • The name and contact details of the Data Protection Officer or other contact point where further information can be obtained.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.7.- Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor authorised by them. The reasonable costs of such audits shall be borne by the Data Controller, as well as any tasks assigned to the Data Processor that arise from these audits.

4.8.- At the end of the provision of the processing services, delete or return all personal data to the Data Controller, at the Data Controller’s choice, and delete all existing copies unless storage of personal data is required by applicable law.

5.- SUB-PROCESSORS

5.1.- Pursuant to Articles 28.2 and 28.4 of Regulation (EU) 2016/679 (GDPR), THE CLIENT expressly authorises MAILRELAY, in its capacity as Data Processor, to engage other processors (sub-processors) to carry out processing activities necessary for the performance of the contracted service, provided such sub-processors offer sufficient guarantees to implement appropriate technical and organisational measures so that processing complies with applicable data protection legislation.

As of the date of this Agreement, the authorised sub-processors are:

  • Net Real Solutions, S.L.U., established in Spain, sub-processor providing SMS delivery infrastructure, used solely as part of the Mailrelay service.
  • Intergo Telecom Ltd, established in Cyprus and operating in Spain, sub-processor providing SMS delivery infrastructure, used solely as part of the Mailrelay service.

5.2.- MAILRELAY shall enter into a written agreement with each sub-processor in accordance with Article 28 GDPR, imposing the same obligations as those set out in this Agreement, particularly in relation to confidentiality, security, cooperation with the exercise of data subjects’ rights, and implementation of appropriate technical and organisational measures.

5.3.- MAILRELAY shall maintain an updated list of authorised sub-processors. In the event of adding or replacing any sub-processor, MAILRELAY shall inform THE CLIENT in advance, with at least five (5) business days’ notice, so that the CLIENT may raise any justified objection. If no objection is raised within that period, tacit consent shall be deemed to have been granted.

5.4.- MAILRELAY shall remain fully liable to THE CLIENT for the performance of sub-processors’ obligations under this Agreement and applicable data protection laws. However, MAILRELAY shall not be liable for damages, claims or penalties directly resulting from actions or omissions of such sub-processors if it has exercised due diligence in their selection and supervision and has formalized the required agreements.

5.5.- MAILRELAY shall not be liable for the acts or omissions of sub-processors if it has acted with due diligence in their selection, supervision and contractual formalization in accordance with Article 28 GDPR.

6.- OBLIGATIONS OF THE CLIENT (DATA CONTROLLER)

The data controller declares and guarantees that:

6.1.- It is solely responsible for determining the purposes and means of the processing of personal data.

6.2.- It has obtained and will maintain the appropriate legal bases (e.g., consent or legitimate interest) for the processing of personal data and their transfer to the Data Processor in accordance with the GDPR and applicable data protection laws.

6.3.- It is responsible for the accuracy, completeness, quality and lawfulness of the personal data and of how such personal data were obtained.

6.4.- It has complied and will comply with all applicable laws and regulations concerning data protection, including providing appropriate privacy notices to Data Subjects.

6.5.- It has fulfilled its obligations concerning data protection impact assessments and prior consultations with the supervisory authority, where required.

7.- INTERNATIONAL DATA TRANSFERS

7.1.- The Data Processor shall not transfer personal data to a third country outside the European Union without the prior written authorization of the Data Controller.

7.2.- In the event the Data Processor engages sub-processors located outside the European Economic Area (EEA), it shall ensure valid international transfer mechanisms are in place (e.g., EU Standard Contractual Clauses) and notify the Data Controller accordingly.

8.- GOVERNING LAW AND JURISDICTION

This DPA shall be governed by and interpreted in accordance with Spanish law. For the resolution of any dispute or controversy arising from this DPA, the Parties submit to the jurisdiction of the courts of Madrid, expressly waving any other jurisdiction that may correspond to them.

9.- DATA PROTECTION CONTACT

Any queries regarding data processing should be addressed to [email protected] or through the channel indicated in the user panel.

10.- FINAL CLAUSES

10.1.- Amendments: Any modification of this DPA shall be made in writing and signed by both Parties.

10.2.- Precedence: In case of conflict between the provisions of this DPA and the Main Agreement, the provisions of this DPA shall prevail with respect to personal data processing.

10.3.- Severability: If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

10.4.- Costs: Any additional tasks or documentation required by the Data Controller that go beyond the legally necessary specifications shall be borne by the Controller and quoted for prior approval.

ANNEX B: DESCRIPTION OF THE PROCESSING

Categories of personal data processed:

  • Identification data (First name, Last name).
  • Contact data (email address, phone number, where SMS functionalities are used).
  • Email interaction data (opens, clicks, bounces, unsubscribes).
  • Demographic or customized data (e.g., gender, age, city, preferences, and other fields defined by THE CLIENT when voluntarily provided to enable segmentation).

Categories of data subjects:

  • Subscribers or recipients of electronic communications are managed by the controller (email, SMS, landing pages, forms, or other lead capture functionalities).
  • Current customers of the data controller.
  • Prospective customers or leads captured through forms or other means integrated in the Mailrelay platform.

Specific Purposes of the Processing by the Processor:

MAILRELAY shall process the data exclusively for the purpose of providing the services contracted by THE CLIENT and always following their documented instructions. Specific purposes include:

  • Automated and/or scheduled sending of email marketing and SMS campaigns (notifications, newsletters, commercial communications, etc.).
  • Management of subscriber lists, and segmentation based on criteria defined by THE CLIENT.
  • Analysis and measurement of campaign performance, including statistics on deliverability, opens, clicks, conversions, and unsubscribes.
  • Management of subscription forms, user preferences and unsubscribe requests.
  • Storage, display, and export of data hosted by THE CLIENT in their account.

Estimated Duration of Processing:

MAILRELAY shall retain and process personal data for the entire duration of the main contract governing service provision, and until the Data Controller explicitly requests deletion or return of the data.

Once the contract has ended, MAILRELAY may retain the data in a blocked state solely for the time necessary to address potential legal, contractual or regulatory responsibilities, in accordance with applicable law.

ANNEX C: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The Data Processor implements and maintains, among others, the following security measures:

Infrastructure-level Security Measures:

  • Hosting in European data centers located in Germany, managed by Core-Backbone GmbH, featuring restricted physical access control, CCTV, power redundancy, and proper climate control.
  • 24/7 monitoring of network infrastructure and servers, with automated alerts for abnormal behavior.
  • Perimeter protection through firewalls, traffic filtering and DDoS mitigation measures.
  • Intrusion Detection and Prevention Systems (IDS/IPS) are configured and monitored by the internal technical team.

Software and Data-level Security Measures:

  • Encryption of data in transit via TLS protocols for all external communications (including control panel access and email delivery).
  • Encryption of backup data at rest using internally managed encryption keys.
  • Role-based access control and least privilege principles.
  • Multi-factor authentication (2FA) enabled for administrative access and internal panels.
  • Daily encrypted backups stored on independent infrastructure (Amazon Web Services, within the EEA), with periodic restore tests and a documented contingency plan.
  • Logging of access and operations retained according to log retention policies and made available for internal audits or at the Controller’s request.
  • Priority application of security updates and critical patches through a controlled management process.

Organizacional measures:

  • Internal information security policy, reviewed at least annually, governing data handling, access, and incident response procedures.
  • Confidentiality clauses in all employment contracts of staff with access to personal data.
  • Regular training for technical staff and employees on data protection, IT security and regulatory compliance.
  • Annual or event-driven security risk assessments.
  • Documented incident management procedures, including notifications to the Data Controller in accordance with GDPR deadlines.