Data Processing Agreement and GDPR / UK GDPR Statement

This Data Processing Agreement is made by and between Emailgistics (“We”, “Our,” “Us”) and you (“Customer”, “User,” “You”).

This Agreement is incorporated into the Emailgistics Terms of Service and applies in respect of the provision of the Services to the Customer if the Processing of Customer Personal Data (as defined below) is subject to the GDPR and/or the UK GDPR, only to the extent the Customer is a Controller of Customer Personal Data and Emailgistics is a Processor. The Agreement is intended to satisfy the requirements of Article 28(3) of the GDPR and Article 28(3) of the UK GDPR. This Agreement shall be effective for the term of the contract between You and Us.

1. Definitions

1.1 For the purposes of this Agreement:

1.1.1. “Customer Personal Data” means the Personal Data described under Annex 1 of this Agreement, in respect of which the Customer is the Controller.

1.1.2. “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation:

  • Regulation (EU) 2016/679 (“EU GDPR”),
  • the UK GDPR (as defined below),
  • the UK Data Protection Act 2018,
  • the EU ePrivacy Directive 2002/58/EC,
  • and all local laws and regulations implementing, supplementing or replacing any of the foregoing,

in each case as amended, repealed, consolidated or replaced from time to time.

1.1.3. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

1.1.4. “UK GDPR” means the EU GDPR as incorporated into the laws of England and Wales, Scotland and Northern Ireland pursuant to section 3 of the European Union (Withdrawal) Act 2018, as amended.

1.1.5. “Personal Data”, “Data Subject”, “Personal Data Breach”, “Process”, “Processor” and “Controller” will have the meaning given to them in the applicable Data Protection Legislation (including EU GDPR or UK GDPR, as applicable).

1.2 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2. Processing of Customer Personal Data

2.1 The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and Emailgistics is the Processor of that data. Emailgistics will only Process Customer Personal Data on behalf of and in accordance with the Customer’s documented instructions and for no other purpose. Emailgistics is hereby instructed to Process Customer Personal Data to the extent necessary to enable Emailgistics to provide the Services in accordance with the Terms of Service.

2.2 If Emailgistics cannot Process Customer Personal Data in accordance with Customer’s instructions due to a legal requirement under any applicable law of the European Union, a Member State, or the United Kingdom, Emailgistics will:

  1. Promptly notify the Customer of such inability, providing reasonable detail; and 
  2. Cease all Processing of the affected Customer Personal Data (other than secure storage) until such time as the Customer issues new lawful instructions.

Emailgistics will immediately inform Customer if, in its opinion, an instruction infringes the applicable Data Protection Legislation.

2.3 Each party will comply with its respective obligations under the applicable Data Protection Legislation. Customer shall ensure that it has obtained all necessary rights and consents required to allow Emailgistics to Process Customer Personal Data in accordance with this Agreement.

2.4 International Transfers

Transfers from the EEA

Customer authorizes Emailgistics to transfer Customer Personal Data from the European Economic Area (“EEA”) to Canada, the United States, or other locations outside the EEA, provided that such transfers are made in compliance with applicable Data Protection Legislation, including, where required, reliance on an adequacy decision or the implementation of appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

Transfers from the United Kingdom

Where Customer Personal Data is transferred from the United Kingdom to Canada:

  • Such transfers rely on the United Kingdom’s adequacy regulations recognizing Canada (commercial organizations subject to PIPEDA) as providing an adequate level of protection.
  • Emailgistics represents that it is a commercial organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Accordingly, no separate International Data Transfer Agreement (IDTA) or UK Addendum is required for such transfers.

If Emailgistics transfers UK Personal Data to a third country that is not subject to an adequacy regulation, Emailgistics will ensure that transfer mechanisms comply with the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.

3. Confidentiality

3.1 Emailgistics will ensure that any person whom We authorize to Process Customer Personal Data on Our behalf is subject to confidentiality obligations in respect of that Customer Personal Data.

4. Security Measures

4.1 Emailgistics will implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

4.2 Emailgistics will, at the Customer’s request and subject to the Customer paying all of Our fees at prevailing rates, and all expenses, provide the Customer with reasonable assistance as necessary for the fulfilment of the Customer’s obligation to keep Customer Personal Data secure.

5. Sub-Processing

5.1 Customer authorizes Emailgistics to appoint sub-Processors to perform specific services on Our behalf which may require such sub-Processors to Process Customer Personal Data. If Emailgistics engages a sub-Processor to Process any Customer Personal Data, it will:

  • Inform Customer of any intended changes concerning the addition or replacement of such sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within thirty (30) calendar days after being notified. If the parties are unable to resolve such objection, either party may terminate the agreement by providing written notice to the other party; and 
  • Enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Emailgistics under this Agreement. Where any of its sub-Processors fails to fulfil its data protection obligations, Emailgistics will be liable to the Customer for the performance of its sub-Processors’ obligations.

Where UK GDPR applies, sub-processing shall comply with the requirements of Article 28 UK GDPR.

6. Data Subject Rights

6.1 Emailgistics will, at the Customer’s request and subject to the Customer paying all of Our fees at prevailing rates, and all expenses, provide the Customer with assistance necessary for the fulfilment of the Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights. Emailgistics shall not respond to such requests without Customer’s prior written consent and written instructions. Customer shall be solely responsible for responding to such requests.

7. Personal Data Breaches

7.1 Emailgistics will notify the Customer as soon as practicable after it becomes aware of any Personal Data Breach affecting any Customer Personal Data. At the Customer’s request and subject to the Customer paying all of Our fees at prevailing rates, and all expenses, Emailgistics will promptly provide the Customer with all reasonable assistance necessary to enable the Customer to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the applicable Data Protection Legislation. Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents.

8. Data Protection Impact Assessment; Prior Consultation

8.1 Emailgistics will, at the Customer’s request and subject to the Customer paying all of Our fees at prevailing rates, and all expenses, provide the Customer with reasonable assistance to facilitate:

  • Conducting data protection impact assessments if the Customer is required to do so under the applicable Data Protection Legislation; and 
  • Consulting with data protection authorities, if the Customer is required to engage in consultation under the applicable Data Protection Legislation,

in each case solely to the extent that such assistance is necessary and relates to the Processing by Emailgistics of the Customer Personal Data, taking into account the nature of the Processing and the information available to Emailgistics.

9. Deletion of Customer Personal Data

9.1 Emailgistics will return or delete, at Customer’s choice, Customer Personal Data to the Customer after the end of the provision of Services relating to the Processing, and delete existing copies unless applicable European Union, Member State, or United Kingdom law requires storage of the data.

10. Information

10.1 Emailgistics will, at Customer’s request and subject to the Customer paying all of Our fees at prevailing rates, and all expenses, provide the Customer with all information necessary to enable the Customer to demonstrate compliance with its obligations under the applicable Data Protection Legislation, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, to the extent that such information is within Emailgistics’ control and We are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year.

11. Liability

11.1 Each party’s liability towards the other party under or in connection with this Agreement will be limited in accordance with the provisions of the Terms of Service.

11.2 The Customer acknowledges that Emailgistics is reliant on the Customer for direction as to the extent to which We are entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently Emailgistics will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Emailgistics, to the extent that such action or omission resulted directly from the Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable data protection law.

12. Supervisory Authority

Where Processing is subject to UK GDPR, references to supervisory authorities shall be construed as references to the UK Information Commissioner’s Office (ICO). Where Processing is subject to EU GDPR, references shall be construed as references to the relevant EU supervisory authority.

13. General Provisions

13.1 With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and the general Terms of Service, the provisions of this Agreement shall prevail.

ANNEX 1

DESCRIPTION OF PROCESSING

A. Subject Matter and Duration of Processing

Subject Matter:
Processing of Customer Personal Data in connection with the provision of email management, analytics, and workflow optimization services by Emailgistics.

Duration:
The duration of processing shall commence on the Effective Date of the Terms of Service and continue for the term of the service agreement, including any renewal periods, and thereafter for such period as necessary to complete data deletion or return obligations under Section 9 of this Agreement.

B. Nature and Purpose of Processing

Nature of Processing:
Emailgistics will perform the following processing activities on Customer Personal Data:

  • Collection
  • Recording
  • Organization
  • Structuring
  • Storage
  • Adaptation or alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination or otherwise making available
  • Alignment or combination
  • Restriction
  • Erasure or destruction

Purpose of Processing:
The purpose of processing is to:

  • Provide email management and organization services
  • Generate analytics and reporting on email usage and patterns
  • Enable workflow automation and optimization
  • Facilitate team collaboration on email handling
  • Provide customer support and troubleshooting services
  • Maintain and improve the Services
  • Comply with legal obligations

C. Types of Personal Data

Customer Personal Data processed by Emailgistics may include:

Email Content Data:

  • Email subject lines
  • Email body content
  • Email metadata (sender, recipient, timestamps, headers)
  • Attachment file names
  • Email thread history

Account and Authentication Data:

  • Usernames
  • Encrypted passwords or authentication tokens
  • Account preferences and settings
  • IP addresses
  • Device information
  • Login timestamps

Usage and Analytics Data:

  • Email volume metrics
  • Response time data
  • Email categorization and tagging information
  • User interaction patterns
  • Workflow performance metrics

Communication Data:

  • Support ticket information
  • Chat logs with customer service
  • Feedback and survey responses

D. Categories of Data Subjects

Data Subjects whose Personal Data may be processed include:

  • Customer Employees: Individuals employed by the Customer who use the Services
  • Customer Contractors and Consultants: Independent contractors, temporary workers, or consultants authorized by Customer to use the Services
  • Customer Business Contacts: Individuals who communicate with the Customer via email (including customers, vendors, partners, and prospects of the Customer)
  • End Users: Individuals whose email communications are managed through the Customer’s use of the Services

E. Special Categories of Personal Data

The parties acknowledge that the Services are not intended for processing Special Categories of Personal Data as defined under Article 9 UK GDPR (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data, sex life or sexual orientation).

However, email content may inadvertently include such data. Customer is responsible for:

  • Instructing users not to include Special Categories of Personal Data in emails processed through the Services
  • Implementing appropriate safeguards if Special Categories of Personal Data must be processed
  • Ensuring lawful basis exists for any such processing

If Special Categories of Personal Data are processed, Customer warrants that it has:

  • A lawful basis under Article 6 UK GDPR
  • An Article 9 condition for processing Special Categories
  • Conducted appropriate Data Protection Impact Assessments where required

F. Processing Operations

Specific processing operations performed by Emailgistics include:

  1. Email Ingestion and Storage:
      • Accessing Customer’s shared mailbox contents using APIs such as Microsoft Graph
      • Retrieving and storing email metadata
      • Retrieving and temporarily processing email content for workflow rules evaluation
  2. Analysis and Classification:
      • Generation of analytics dashboards and reports
  3. Workflow Automation:
      • Automated routing and assignment of emails
      • Triggering notifications and alerts
  4. Search and Retrieval:
      • Indexing email metadata for searchability
      • Providing search functionality to authorized users
      • Generating reports and exports
  5. Access Control:
      • Managing user permissions and access levels
      • Audit logging of user activities
      • Authentication and authorization processes
  6. Backup and Recovery:
      • Regular backups of Customer Personal Data
      • Disaster recovery procedures
      • Business continuity measures
  7. Data Export and Deletion:
      • Export of Customer Personal Data upon request
      • Secure deletion in accordance with retention policies
      • Provision of deletion certificates where requested

G. Location of Processing

Primary Processing Locations:

  • Canada (c1 region data center location)
  • United States (us1 region data center location)

Additional Locations: Sub-processors may process data in additional locations as specified in the Sub-Processors list. All international transfers shall comply with Section 2.4 of this Agreement.

H. Technical and Organizational Measures

Summary of security measures implemented by Emailgistics (detailed Security Documentation available upon request to [[email protected]]):

Technical Measures:

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest (AES-256 or equivalent)
  • Automated backup systems with encryption
  • Secure software development lifecycle

Organizational Measures:

  • Confidentiality agreements for all personnel
  • Background checks for employees with data access
  • Security awareness training programs
  • Incident response procedures
  • Regular security audits and assessments
  • Access control policies (least privilege principle)
  • Vendor management and due diligence procedures
  • Business continuity and disaster recovery plans

I. Sub-Processors

Emailgistics maintains a current list of sub-processors which is available upon request to [email protected]. The list as of 12 February 2026 was as follows.

  • Cloud Infrastructure Provider: Microsoft Azure Canada/US
  • Database Services Provider: MongoDB Atlas (Running in Azure Canada and US data centres)
  • AI service provider (only if features enabled by Customer): Microsoft Azure Foundry US
  • AI service provider (only if features enabled by Customer): Gemini Developer API File Search (Global)