Privacy PolicyTerms of ServiceData Processing Agreement

Data Processing Agreement

Last updated: December 15, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Resonia Inc ("Veil Mail," "Processor," "we," "us") and the customer ("Controller," "you") for the provision of email services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Protection Laws" means GDPR, CCPA, and other applicable data protection regulations.

2. Scope and Purpose

This DPA applies to Personal Data that we process on your behalf when you use our email services. We process Personal Data solely to provide the services described in our Terms of Service, including:

  • Sending and delivering emails on your behalf
  • Scanning email content for PII protection
  • Tracking email delivery and engagement metrics
  • Managing subscriber lists and audience data
  • Providing analytics and reporting

3. Processor Obligations

As a Processor, we agree to:

  • Process Personal Data only on your documented instructions
  • Ensure that personnel processing Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject requests
  • Assist you in ensuring compliance with security, breach notification, and impact assessment obligations
  • Delete or return Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance with this DPA

4. Controller Obligations

As a Controller, you agree to:

  • Ensure you have a lawful basis for processing Personal Data
  • Provide clear instructions regarding the processing of Personal Data
  • Ensure that Data Subjects have been informed about the processing
  • Comply with all applicable Data Protection Laws

5. Sub-processors

We use the following categories of sub-processors to provide our services:

  • Email Delivery: SendGrid (Twilio Inc.) - for sending and delivering emails
  • Cloud Infrastructure: Google Cloud Platform - for hosting and data processing
  • Payment Processing: Stripe - for billing and subscription management
  • PII Detection: Google Cloud DLP - for scanning email content

We will notify you of any changes to sub-processors and provide you with an opportunity to object. A current list of sub-processors is available upon request.

6. Security Measures

We implement the following security measures:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident response and breach notification procedures
  • Employee security training and background checks
  • Physical security controls at data center facilities

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

8. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach
  • Provide information about the nature of the breach, categories of data affected, and remedial measures
  • Cooperate with you and provide reasonable assistance in managing the breach

9. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area. We ensure appropriate safeguards for such transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other lawful transfer mechanisms as required

10. Data Retention and Deletion

We retain Personal Data only for as long as necessary to provide our services. Upon termination of your account, we will delete or return Personal Data within 30 days, unless retention is required by law.

11. Audits

Upon reasonable notice, we will make available information necessary to demonstrate compliance with this DPA. For Enterprise customers, we can arrange for audits or inspections subject to confidentiality obligations and reasonable scheduling.

12. Term and Termination

This DPA remains in effect for the duration of our provision of services to you. Upon termination, our data processing obligations continue until all Personal Data has been deleted or returned.

13. Contact

For questions about this DPA or to exercise your rights, please contact our Data Protection Officer:

  • Email: dpo@veilmail.xyz
  • Address: Resonia Inc, [Address]

Request a Signed DPA

If you require a signed copy of this DPA for your records, please contact us at legal@veilmail.xyz.