23 years from Stockholm
Data Processing Agreement

Data Processing Addendum

This Data Processing Addendum (DPA) forms part of the agreement between the Customer (acting as data controller) and Authorize Hosting (acting as data processor) for the provision of email infrastructure services. It defines the terms on which Authorize Hosting processes personal data on behalf of the Customer, in accordance with Article 28 of the General Data Protection Regulation (GDPR), the Swedish Data Protection Act, and applicable data protection laws.

1. Parties, scope, and interpretation

This DPA is entered into between the Customer (acting as data controller, referred to as "Controller") and Authorize Hosting, a Swedish private company with registered address at Nybrokajen 7, Våning 4, 11148 Stockholm, Sweden (acting as data processor, referred to as "Processor"). The Customer and the Processor are individually referred to as a "Party" and collectively as the "Parties".

This DPA applies to the extent that the Processor processes personal data on behalf of the Controller in the course of providing the email infrastructure services described in the applicable service agreement (the "Services"). Where a service agreement, the Terms and Conditions, or the Privacy Policy conflict with this DPA on matters of data processing under Article 28 GDPR, this DPA prevails for such matters.

Terms used in this DPA have the meanings assigned in the GDPR unless otherwise defined. In particular: "Personal Data", "Data Subject", "Controller", "Processor", "Processing", "Supervisory Authority", and "Personal Data Breach" have the meanings set out in Article 4 GDPR.

2. Subject matter and nature of processing

The subject matter of the processing is the provision of email infrastructure services by the Processor to the Controller, including routing, delivery, reputation management, and associated operational functions. The nature of the processing consists of transmitting, queuing, logging, and archiving email messages and associated metadata as directed by the Controller's configuration and use of the Services.

The purpose of the processing is to enable the Controller to send email to the Controller's recipients using the Processor's infrastructure. The duration of the processing is the duration of the service agreement plus any applicable post-termination retention period defined in Section 12 of this DPA.

3. Types of personal data and categories of data subjects

The categories of personal data processed by the Processor on behalf of the Controller typically include the following, though the specific data elements depend on the Controller's configuration and message content.

Categories of personal data and data subjects, April 2026
CategoryDescription
Recipient identifiersEmail addresses of recipients to whom the Controller transmits messages; associated display names where included in the message envelope
Message metadataSend timestamps, message identifiers, subject lines (where retained for logging), authentication results, delivery status codes, bounce classifications
Message contentEmail body content including HTML and plain-text parts, attachments, headers, and any personal data the Controller includes in messages
Engagement dataWhere tracking pixels or link-click tracking are configured by the Controller, associated open and click events with timestamps, user agents, and IP addresses of recipient activity
Sender identificationFrom addresses, Reply-To addresses, sender domain information, and authentication signatures as configured by the Controller
Support contextPersonal data contained in support communications, sample messages shared for troubleshooting, deliverability investigation data provided by the Controller

The categories of data subjects whose personal data is processed under this DPA typically include: recipients to whom the Controller sends email through the Services; employees, contractors, or agents of the Controller who access the Services on the Controller's behalf; and individuals whose personal data may appear in the content of messages transmitted through the Services.

4. Obligations of the Controller

The Controller is responsible for the lawfulness of the processing that occurs through the Services. In particular, the Controller warrants and represents that:

(a) the Controller has a valid legal basis under Article 6 GDPR (or any applicable equivalent under other data protection law) for the processing of personal data through the Services;

(b) where the processing involves special categories of personal data under Article 9 GDPR or personal data relating to criminal convictions under Article 10 GDPR, the Controller has a valid additional legal basis and has implemented appropriate safeguards;

(c) the Controller has provided, or will provide, any transparency notices required under Articles 13 and 14 GDPR to data subjects whose personal data is processed through the Services;

(d) the Controller has responded or will respond to data subject rights requests as required under Articles 12 to 22 GDPR, with such assistance from the Processor as is described in Section 8 of this DPA;

(e) the Controller's instructions to the Processor comply with applicable law and do not require the Processor to act in a manner that would constitute a violation of the GDPR, of Swedish law, or of European Union law.

The Controller is responsible for determining the purposes and means of processing, for configuring the Services in accordance with those purposes, and for the content of messages transmitted through the Services. The Processor does not determine the purposes and means of processing of Personal Data that the Controller transmits through the Services.

5. Obligations of the Processor

The Processor shall, in respect of the Personal Data processed on behalf of the Controller:

(a) process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or Swedish law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) implement and maintain the technical and organisational security measures set out in Section 7 of this DPA and in Exhibit B, in accordance with Article 32 GDPR;

(d) respect the conditions for engaging subprocessors set out in Section 6 of this DPA;

(e) assist the Controller, through appropriate technical and organisational measures and insofar as this is possible, to fulfil the Controller's obligation to respond to requests for exercising the data subject rights laid down in Articles 15 to 22 GDPR, as described in Section 8;

(f) assist the Controller in ensuring compliance with the obligations in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor;

(g) at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of Services relating to processing, and delete existing copies unless applicable law requires storage, as described in Section 12;

(h) make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 GDPR and allow for and contribute to audits, including inspections, as described in Section 11.

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.

6. Subprocessors

The Controller grants the Processor general written authorisation to engage subprocessors for the processing of Personal Data, subject to the conditions in this Section 6. The current list of approved subprocessors is set out in Exhibit A of this DPA and is updated as subprocessors change.

Where the Processor engages a new subprocessor or replaces an existing subprocessor with a different entity for the processing of Personal Data on behalf of the Controller, the Processor shall provide the Controller with prior notice of such change with reasonable advance notice (ordinarily at least thirty (30) days before the subprocessor begins processing Personal Data), enabling the Controller to object to the change. Notice is provided by email to the account contact address and by updating the subprocessor list at Exhibit A published at this URL.

If the Controller has a legitimate objection to a new or replacement subprocessor based on reasonable grounds relating to the subprocessor's ability to comply with data protection obligations, the Controller may notify the Processor of the objection in writing within fourteen (14) days of the Processor's notice. The Parties shall discuss in good faith to resolve the objection, which may include the Processor offering a commercially reasonable alternative or the Controller terminating the affected Service without penalty for the remainder of the then-current term.

The Processor shall impose on each subprocessor, by means of a written contract, data protection obligations substantively equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. The Processor remains fully liable to the Controller for the performance of any subprocessor's obligations.

7. Technical and organisational measures

The Processor implements technical and organisational measures appropriate to the risk, as required by Article 32 GDPR, to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. A summary of these measures is set out in Exhibit B of this DPA.

The Processor reviews and updates its technical and organisational measures periodically based on emerging threats, technology developments, and regulatory guidance. The Processor shall notify the Controller of material changes to the technical and organisational measures that adversely affect the security of Personal Data, with reasonable advance notice where practical.

The measures described in Exhibit B represent the baseline applicable to the Services. For specific customer requirements that require measures beyond the baseline — for example, customer-dedicated infrastructure, enhanced logging, or specific certifications — such additional measures may be agreed in the service agreement and priced accordingly.

8. Data subject rights assistance

Where a data subject exercises a right under Articles 15 to 22 GDPR by contacting the Controller, and the Controller requires assistance from the Processor to respond to the request, the Processor shall provide reasonable assistance to the Controller. Such assistance includes, as appropriate to the specific right being exercised:

Access and portability (Articles 15 and 20). Providing information held by the Processor that pertains to the specific data subject, to the extent such information can be retrieved using reasonable technical means given the nature of the Services.

Rectification (Article 16). Supporting the Controller in propagating corrections to Personal Data where the Controller is unable to make corrections directly through the Services' interfaces.

Erasure (Article 17). Deleting Personal Data of a specific data subject from Processor-controlled systems upon documented instruction from the Controller, subject to applicable retention requirements and to technical feasibility.

Restriction (Article 18). Implementing technical controls that restrict processing of identified Personal Data upon documented instruction from the Controller.

Objection (Article 21). Supporting the Controller in ceasing processing to which a data subject has validly objected, subject to any legitimate grounds the Controller relies on to continue processing.

Where a data subject contacts the Processor directly to exercise a right under Articles 15 to 22 GDPR, the Processor shall refer the data subject to the Controller and notify the Controller of the contact without undue delay, unless applicable law requires otherwise.

9. Personal Data Breach notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. The Processor shall provide the Controller with sufficient information to allow the Controller to meet its own obligations under Articles 33 and 34 GDPR to the extent such obligations apply.

The notification to the Controller shall include, to the extent known at the time of notification and updated as additional information becomes available: a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; the name and contact details of the Processor's data protection point of contact where more information can be obtained; a description of the likely consequences of the Personal Data Breach; and a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller in good faith to investigate and remediate the Personal Data Breach, and shall document the Personal Data Breach and the measures taken in response in accordance with Article 33(5) GDPR.

10. International data transfers

The Processor primarily processes Personal Data within the European Economic Area (EEA). Where Personal Data is transferred outside the EEA — for example, because a subprocessor operates internationally or because the Controller directs transmission of email to recipients outside the EEA — such transfers are conducted under appropriate safeguards permitted by Chapter V of the GDPR.

Where an adequacy decision from the European Commission covers the destination jurisdiction, the adequacy decision is the basis for transfer. Where no adequacy decision applies, the Processor relies on Standard Contractual Clauses (SCCs) in the form adopted by the European Commission on 4 June 2021 under Commission Implementing Decision (EU) 2021/914, or any successor form. The Parties agree that these SCCs are incorporated into this DPA by reference, with the Controller as the "data exporter" and the Processor or relevant subprocessor as the "data importer", and with module 2 (controller-to-processor) or module 3 (processor-to-processor) as applicable to the specific transfer.

Where transfers involve the United States, the Processor assesses whether the EU-US Data Privacy Framework (adopted July 2023) is available as a transfer mechanism for a US-based subprocessor self-certified under that framework. Where the Framework is unavailable or insufficient for the specific transfer, the Processor falls back to SCCs supplemented by measures identified through a transfer impact assessment (TIA) conducted in line with guidance from the European Data Protection Board.

The Processor shall provide the Controller with a copy of the executed SCCs applicable to specific subprocessor transfers upon reasonable request.

11. Audits

The Processor makes available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in Article 28 GDPR and this DPA, and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the terms of this Section 11.

The Processor may satisfy audit obligations in the first instance by providing the Controller with up-to-date third-party audit reports, certifications, or attestations where such documentation addresses the relevant subject matter of the audit. Where the Controller determines in good faith that such documentation is insufficient for the Controller's compliance needs, the Controller may request an on-site audit under the following conditions:

(a) audits occur no more than once per twelve (12) month period, except where required more frequently by the Supervisory Authority or by applicable law, or where there is a reasonable suspicion of non-compliance arising from a specific incident;

(b) audits are conducted with reasonable advance notice, ordinarily at least thirty (30) days, at mutually agreed times during normal business hours, in a manner that minimises disruption to the Processor's operations;

(c) auditors are bound by written confidentiality obligations substantively equivalent to those between the Controller and the Processor;

(d) the scope of the audit is limited to matters relevant to the Processor's processing of Personal Data on behalf of the Controller under this DPA; the Processor may redact or refuse access to information that does not relate to this processing, that relates to other customers of the Processor, or that the Processor is legally prohibited from disclosing;

(e) each Party bears its own costs incurred in connection with the audit, unless the audit identifies a material breach of this DPA by the Processor, in which case the Processor bears reasonable audit costs.

The Processor shall cooperate in good faith with the Supervisory Authority in the exercise of the Supervisory Authority's powers under Article 58 GDPR.

12. Return or deletion of Personal Data

Upon termination or expiry of the applicable service agreement, or at any earlier written request of the Controller, the Processor shall, at the Controller's choice, either return to the Controller or delete all Personal Data processed on behalf of the Controller, and delete existing copies, unless applicable law requires continued storage.

The Controller shall make its choice in writing within thirty (30) days after termination or expiry. In the absence of an instruction from the Controller within that period, the Processor shall delete the Personal Data in accordance with its standard deletion procedures. Return is typically accomplished by providing an export in a commonly used, machine-readable format; specific export formats and procedures are as described in the applicable service documentation.

Deletion under this Section 12 does not apply to Personal Data that the Processor is required to retain under applicable law (for example, billing and invoicing records retained under Swedish tax and accounting law), or to Personal Data retained in backup systems pending routine backup cycle completion. Personal Data retained in backups is deleted in the ordinary course as backup cycles complete, and is protected by the technical and organisational measures described in Exhibit B during any residual retention period.

The Processor shall, upon request, confirm to the Controller in writing that return or deletion has been completed.

13. Liability and limitation

Each Party's liability under this DPA is subject to the limitations set out in the service agreement and in the Terms and Conditions, and is subject to the mandatory provisions of the GDPR concerning liability of controllers and processors under Article 82.

Nothing in this DPA excludes or limits a data subject's rights or the liability of either Party towards data subjects under Article 82 GDPR. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under Swedish law or applicable mandatory data protection law.

14. Term and termination

This DPA takes effect upon execution of the applicable service agreement or upon the Customer's first use of the Services, whichever occurs first, and remains in force for the duration of the service agreement plus the period required for the Processor to complete return or deletion of Personal Data under Section 12. Termination of this DPA does not discharge obligations that by their nature survive termination, including confidentiality, liability for prior breach, and post-termination return or deletion obligations.

15. Governing law and dispute resolution

This DPA is governed by the laws of Sweden, consistent with the governing law of the Terms and Conditions. Disputes arising out of or in connection with this DPA are resolved through arbitration under the Rules of Arbitration of the International Chamber of Commerce (ICC) seated in Stockholm, Sweden, consistent with the dispute resolution procedure in the Terms and Conditions. Nothing in this Section limits the jurisdiction of the Supervisory Authority to investigate or enforce matters under its remit.

Exhibit A — Subprocessors

The following is the current list of subprocessors engaged by the Processor for the processing of Personal Data on behalf of Controllers as of the effective date of this DPA. The list is updated as subprocessors change, and updates are notified to Controllers in accordance with Section 6.

Authorize Hosting subprocessors, April 2026
SubprocessorProcessing activityLocationTransfer mechanism
Primary data-centre operatorInfrastructure hosting; physical hardware; network transitSweden (EU)Processing within EEA — no transfer mechanism required
Secondary data-centre operatorRedundancy; disaster recovery; backup infrastructureGermany (EU)Processing within EEA — no transfer mechanism required
Payment processor — cardCredit and debit card transaction processingEuropean UnionProcessing within EEA — no transfer mechanism required
Payment processor — PayPalPayPal and PayPal balance transaction processingLuxembourg (EU) with US parent infrastructureEU entity primary; SCCs for any US transfer component; EU-US Data Privacy Framework where applicable
Payment processor — cryptocurrencyBitcoin and USDT transaction processingEuropean UnionProcessing within EEA — no transfer mechanism required
Helpdesk and ticketing softwareCustomer support ticket management and communicationEuropean UnionProcessing within EEA — no transfer mechanism required
Accounting and invoicing softwareInvoice generation; billing records; VAT reportingSweden (EU)Processing within EEA — no transfer mechanism required
DNS and CDN providerDNS resolution for customer-facing infrastructure; content delivery for static assetsGlobal with EU edgeSCCs for any non-EEA components; limited Personal Data exposure (typically IP addresses only)
Transactional email infrastructureCustomer-facing service communications (account notifications, invoices)Processor-operated within EEAProcessing within EEA — no transfer mechanism required

Specific subprocessor identities and contact details are provided to Controllers upon written request and are reconfirmed at each annual review or upon material change. The subprocessor list above describes categories and locations; the specific legal entity names are maintained in the service agreement documentation to permit updates without requiring amendment of the public DPA page.

Exhibit B — Technical and organisational measures

The following is a summary of the technical and organisational measures implemented by the Processor to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. Measures are reviewed periodically and may be updated; material changes that adversely affect the security of Personal Data are notified to Controllers in accordance with Section 7 of this DPA.

B.1 Pseudonymisation and encryption

Personal Data is encrypted in transit using current TLS standards (TLS 1.2 or higher, preferring TLS 1.3 where supported by both endpoints). Credentials and secret material at rest are encrypted using industry-standard algorithms and key management practices. Bulk Personal Data at rest is encrypted using AES-256 or equivalent. Pseudonymisation is applied to aggregate analytics data where re-identification is not required for the processing purpose.

B.2 Ongoing confidentiality, integrity, availability, and resilience

Access to systems processing Personal Data is governed by the principle of least privilege, implemented through role-based access controls. Administrative access requires multi-factor authentication. Personnel with access to Personal Data are subject to written confidentiality obligations and appropriate background checks. Integrity is protected through change management procedures, code review, and cryptographic verification of software updates. Availability is supported by redundant infrastructure, geographical redundancy across primary (Sweden) and secondary (Germany) data centres, documented backup and restoration procedures with regular restoration testing, and capacity planning. Resilience is supported by incident response procedures, tabletop exercises, and documented recovery time objectives (RTO) and recovery point objectives (RPO) for each service line.

B.3 Restoration of availability and access

In the event of a physical or technical incident, the Processor restores availability and access to Personal Data in a timely manner through documented disaster recovery procedures. Backups are taken at frequencies appropriate to the data category and tested for restorability at defined intervals. Critical infrastructure is designed to tolerate single-component failure without data loss or extended unavailability.

B.4 Testing, assessment, and evaluation

The Processor conducts regular testing, assessment, and evaluation of the effectiveness of technical and organisational measures, including vulnerability scanning, penetration testing on a periodic basis, security configuration review, access control audit, and incident post-mortems following any significant event. Findings are tracked through remediation and reported to senior management.

B.5 Physical security

Data-centre facilities where infrastructure processing Personal Data is located are operated by qualified data-centre operators with documented physical security controls including perimeter security, access control with identity verification, video surveillance, environmental controls (fire suppression, climate control, power redundancy), and 24/7 operations. Documentation of physical security controls is provided by the data-centre operator under non-disclosure and is available to Controllers upon reasonable request for audit purposes.

B.6 Personnel measures

Personnel with access to Personal Data receive data protection training at onboarding and periodic refresher training thereafter. Access to Personal Data is granted based on documented business need and removed promptly when no longer required. Personnel are subject to written confidentiality obligations that survive termination of employment or contract. Background checks are conducted for personnel whose role involves access to production systems, consistent with Swedish employment law.

B.7 Third-party management

Subprocessors engaged by the Processor are subject to written contracts imposing data protection obligations substantively equivalent to those in this DPA. Due diligence is conducted on subprocessors prior to engagement and periodically thereafter. Subprocessor performance against data protection obligations is monitored.

B.8 Incident response

The Processor maintains documented incident response procedures that define detection, triage, containment, eradication, recovery, and post-incident review steps. The procedures include the notification flow for Personal Data Breaches under Section 9 of this DPA. Incident response is tested through periodic exercises.

B.9 Documentation

The Processor maintains records of processing activities as required by Article 30 GDPR, data protection impact assessments (DPIAs) where applicable, and other documentation demonstrating compliance with the GDPR. Such documentation is made available to Supervisory Authorities upon request and to Controllers in the scope and manner described in Section 11 (Audits) of this DPA.