Last updated: January 12, 2026 · Version 1.4
Note: This DPA is automatically incorporated into your contract with us if you sign up for a Pro or Enterprise plan and the Service is used to process personal data on behalf of a business or organization. Consumers using Mailcedar for personal mail don't need it — our Privacy Policy covers you.
1. Parties
This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Customer," "Controller") and Mailcedar Mail Ltd. ("Mailcedar," "Processor"). In the event of conflict, this DPA prevails over the Terms with respect to the processing of Personal Data.
2. Definitions
Terms not defined here have the meaning given in Regulation (EU) 2016/679 (GDPR) or, where applicable, the UK Data Protection Act 2018.
3. Processing details
| Item | Detail |
|---|---|
| Subject matter | Provision of the Mailcedar email service |
| Duration | For as long as the Service is provided to Customer plus retention periods specified in §11 of the Privacy Policy |
| Nature & purpose | Hosting, routing, and storage of email; authentication; backup; abuse prevention |
| Types of personal data | Email addresses, mailbox contents (including any personal data inside), authentication credentials, sign-in metadata, billing data |
| Categories of data subjects | Customer's authorized users, recipients of mail sent from/to Customer's mailboxes, anyone whose data appears in Customer's mail |
4. Processor obligations
Mailcedar shall:
- Process Personal Data only on documented instructions from Customer, including with respect to international transfers, unless required by Canadian or EU law.
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organizational security measures set out in the Security Schedule (Annex II).
- Assist Customer in fulfilling its obligations to respond to data subject rights requests, security incident notifications, data protection impact assessments, and prior consultations with supervisory authorities.
- At Customer's choice, delete or return all Personal Data upon termination, except where law requires retention.
- Make available all information necessary to demonstrate compliance and allow for audits as set out in §7.
5. Subprocessors
Customer authorizes Mailcedar to use the subprocessors listed below. Mailcedar will notify Customer at least 30 days before adding or replacing a subprocessor; Customer may object within that period, and if a reasonable accommodation can't be reached, terminate the Service.
| Subprocessor | Service | Location |
|---|---|---|
| iWeb Technologies Inc. | Data centre (colocation only — no data access) | Montréal, QC, Canada |
| Stripe Payments Canada Ltd. | Payment processing | Toronto, ON, Canada (EU customers routed via Stripe Payments Europe Ltd., Dublin) |
| Wildbit LLC (Postmark) | Transactional system mail | USA |
| Cloudflare, Inc. | CDN for marketing site only — not mail path | Global |
6. International transfers
Where Personal Data of EU/EEA/UK data subjects is transferred to Mailcedar in Canada, transfers rely on the European Commission's adequacy decision for Canada (Decision 2002/2/EC).
Where Personal Data is further transferred from Canada to subprocessors in non-adequate jurisdictions, Mailcedar uses the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) and the UK Addendum where applicable. Copies of executed SCCs are available on request.
7. Audits
Mailcedar engages Cure53 to conduct an annual independent security audit and makes the report available to Customer under NDA.
Customer may conduct one additional audit per year at Customer's expense with at least 30 days' written notice, during business hours, in a manner that does not unreasonably disrupt Mailcedar's operations. For Customer audits requiring physical access, Mailcedar may require the auditor to sign a confidentiality agreement.
8. Personal data breaches
Mailcedar will notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Customer's data. The notification will include, to the extent then known:
- The nature of the breach, including categories and approximate number of data subjects and records affected.
- The likely consequences.
- Measures taken or proposed to address the breach and mitigate adverse effects.
- The contact point at Mailcedar for additional information.
9. Data subject rights
Mailcedar provides tools that enable Customer to respond to data subject access, rectification, erasure, and portability requests directly (Settings → Account in the webmail). For requests Customer cannot fulfill via those tools, Mailcedar will provide reasonable assistance within 14 days of written request, free of charge for up to 2 such requests per calendar year per Customer account.
10. Term and termination
This DPA continues for as long as Mailcedar processes Personal Data on Customer's behalf. Upon termination, Mailcedar will, at Customer's option, delete or return all Personal Data within 30 days, subject to legal retention requirements (e.g., billing records under Canadian tax law).
Annex I — Standard Contractual Clauses module
Where required, the parties incorporate Module Two (Controller to Processor) of the EU SCCs, with the following clause-specific elections:
- Clause 7 (Docking): not used.
- Clause 9 (Use of sub-processors): Option 2 (general written authorization), 30 days' notice.
- Clause 11 (Redress): independent dispute resolution body — not selected.
- Clause 17 (Governing law): law of British Columbia, Canada.
- Clause 18 (Forum): courts of British Columbia.
Annex II — Security measures
Mailcedar implements the following technical and organizational measures:
- Pseudonymisation and encryption. Per-mailbox encryption at rest with AES-256-GCM. TLS 1.3 for transport.
- Ongoing confidentiality, integrity, availability and resilience. Redundant infrastructure across two data centre rooms; geographically diverse backups; documented incident response process.
- Restoration of availability. Backups tested quarterly. Documented RTO of 4 hours and RPO of 1 hour for in-region failures.
- Regular testing. Annual penetration test by Cure53; quarterly internal vulnerability scans.
- Access controls. Production access requires 2FA + hardware token + named, reviewed access requests. Quarterly access reviews.
- Logging. All production access is logged immutably; logs retained 12 months.
- Personnel. Background checks on all employees with production access. Confidentiality agreements. Security training annually.
How to execute this DPA
If you are a Pro customer who needs a counter-signed DPA, email legal@mailcedar.com from the email address registered to your billing contact. We'll send a copy via DocuSign for both parties to sign. There is no charge.