Data Processing Agreement
Last updated: 2026-06-25
1. Roles
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Customer”) and Codius Kft. (operating Spamless.dev). For email and account data processed through the Service, the Customer is the data controller and Codius Kft. acts as the data processor under Article 28 GDPR (and, where applicable, as a sub-processor for the Customer’s own controllers).
2. Scope and purpose of processing
- Subject matter: provision of email spam filtering, quarantine, security analysis and related features.
- Nature & purpose: real-time inspection, scoring, quarantine, relay and logging of email to detect spam, phishing and malware.
- Duration: for the term of the Service plus the retention periods set out in the Privacy Policy.
- Categories of data: email headers, content, attachments, sender/recipient addresses, IP addresses, and account/contact data.
- Data subjects: the Customer’s personnel and any individuals who send mail to, or receive mail through, the Customer’s domains.
3. Processor obligations
- Process personal data only on the Customer’s documented instructions, including for international transfers.
- Ensure persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Article 32): encryption in transit (TLS) and at rest, least-privilege access, secrets management, audit logging.
- Assist the Customer with data-subject requests and with security, breach-notification and impact-assessment obligations.
- Notify the Customer without undue delay after becoming aware of a personal-data breach.
- Delete or return personal data at the end of the Service, subject to legal retention.
- Make available information necessary to demonstrate compliance and allow for audits.
4. Sub-processors
The Customer authorises the engagement of the sub-processors below. We impose data-protection terms no less protective than this DPA and remain liable for their performance. We will give notice of intended changes so the Customer may object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database, object storage, email delivery (SES) | EU (eu-west-1, Ireland) |
| Stripe Payments Europe | Subscription billing & payment processing | EU / USA (SCCs) |
| MaxMind | IP geolocation (GeoLite2) for spam scoring | USA (SCCs) |
| Spamhaus Technology | Domain/IP reputation (DQS) | EU / UK |
| abuse.ch (MalwareBazaar) | Malware attachment hash reputation | EU (Switzerland) |
| Sentry | Error & performance monitoring (consent-gated) | EU / USA (SCCs) |
| Crisp IM SARL | Live-chat support widget (consent-gated) | EU (France) |
5. International transfers
Primary processing takes place within the EU (AWS eu-west-1). Where a sub-processor processes data outside the EEA, transfers rely on adequacy decisions or the European Commission’s Standard Contractual Clauses (SCCs) together with supplementary measures.
6. Security incidents & deletion
6.1 Breach notification
We notify the Customer without undue delay after becoming aware of a personal-data breach affecting their data, with the information needed to meet their own GDPR obligations.
6.2 Return & deletion
On termination, quarantined mail, logs and account data are deleted per the retention periods in the Privacy Policy, unless retention is required by law.
7. Contact
For DPA requests or to enter a signed agreement, contact dpo@spamless.dev.