Data Processing Agreement
Our DPA governs how Nuntly processes personal data on your behalf in compliance with the GDPR.
This Data Processing Agreement ('DPA') forms part of the agreement between Nuntly and the customer that has accepted Nuntly's Terms of Service (the 'Customer'). It is incorporated by reference into those Terms and governs the processing of personal data that Nuntly carries out on the Customer's behalf when the Customer uses the Nuntly email delivery platform (the 'Services').
This DPA applies automatically to every Customer that uses the Services and becomes legally binding when the Customer accepts the Terms of Service. A signature is not required for it to take effect. A counter-signed copy is available on request, and the signature blocks at the end are provided for reference.
All Customer Personal Data processed through the Services is hosted and processed within the European Union, so no Standard Contractual Clauses are required for that processing. For its own account and website operations, Nuntly acts as an independent controller and relies on a limited set of ancillary processors that may operate in the United States under the EU-US Data Privacy Framework. Those processors never handle the content of the Customer's email. See section 3 and Annex 3.
1. Definitions
Terms not defined here have the meaning given in the General Data Protection Regulation (Regulation (EU) 2016/679, the 'GDPR').
- 'Customer Personal Data' means personal data that Nuntly processes on behalf of the Customer through the Services, as described in Annex 1.
- 'Account Data' means personal data relating to the Customer's relationship with Nuntly, including the names and contact details of the individuals the Customer authorises to access its account, and billing information.
- 'Usage Data' means data about the use of the Services that Nuntly processes to provide, secure, optimise and maintain them, such as activity logs and aggregate metrics.
- 'Controller', 'Processor', 'Data Subject', 'Personal Data', 'Processing' and 'Supervisory Authority' have the meanings given in Article 4 of the GDPR.
- 'Sub-processor' means any third party engaged by Nuntly to process Customer Personal Data.
- 'Data Protection Law' means the GDPR and any national law that implements or supplements it.
2. Roles and scope of processing
For the purposes of this DPA, the Customer acts as Controller and Nuntly acts as Processor with respect to Customer Personal Data. Where the Customer is itself a processor acting on behalf of a third-party controller, Nuntly acts as a sub-processor.
Nuntly processes Customer Personal Data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by Union or Member State law. The Customer's documented instructions are set out in this DPA, in the Terms of Service, and through the Customer's configuration and use of the Services. If Nuntly is required by law to process Customer Personal Data for any other purpose, it will inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
The subject matter, duration, nature, purpose, categories of data subjects and categories of personal data are described in Annex 1.
3. Nuntly as an independent controller
With respect to Account Data and Usage Data, Nuntly acts as an independent controller, not as a processor or joint controller with the Customer. Nuntly processes Account Data to manage the customer relationship, handle billing, authenticate users, prevent fraud and abuse, secure the Services, and comply with its legal obligations. Nuntly processes Usage Data to provide, secure, optimise and maintain the Services. This processing is governed by Nuntly's Privacy Policy.
The ancillary sub-processors that support Nuntly's account and website operations, such as payment processing and bot protection, process only Account Data and never the content of the Customer's email. They are identified on the sub-processors page referenced in Annex 3. Account Data and Usage Data are outside the scope of the Customer Personal Data that Nuntly processes as a Processor under this DPA.
4. Nuntly's obligations as processor
Nuntly shall:
- process Customer Personal Data only on the documented instructions of the Customer, as described in section 2;
- ensure that persons authorised to process Customer Personal Data are bound by an appropriate obligation of confidentiality;
- implement the technical and organisational measures described in Annex 2, in accordance with Article 32 of the GDPR;
- respect the conditions in section 7 for engaging a Sub-processor;
- taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects under Chapter III of the GDPR, as described in section 9;
- assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Nuntly, as described in sections 10 and 11;
- at the choice of the Customer, delete or return all Customer Personal Data after the end of the provision of the Services, as described in section 12;
- make available to the Customer the information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, as described in section 13.
Nuntly shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Law.
5. Customer's obligations as controller
The Customer shall:
- comply with its own obligations as Controller under Data Protection Law, including establishing a lawful basis for the processing and providing required notices to Data Subjects;
- ensure that its instructions for the processing of Customer Personal Data comply with Data Protection Law;
- be responsible for the accuracy, quality and lawfulness of the Customer Personal Data and of the means by which it acquired that data;
- not send through the Services any special categories of personal data described in Article 9 of the GDPR unless it has implemented the additional safeguards required by law.
The Customer warrants that it has a valid legal basis and has obtained all consents and provided all notices required under Data Protection Law for the Customer Personal Data it sends through the Services and for Nuntly's processing of that data on the Customer's instructions.
Notwithstanding section 15 and any limitation of liability in the Terms of Service, the Customer shall indemnify Nuntly against any claim, fine or loss (including reasonable legal costs), to the extent such indemnification is permitted by applicable law, arising from the Customer's breach of this section (including the warranty above) or of its other obligations as Controller under this DPA, including any Customer Personal Data that is unlawful or that constitutes a special category of personal data sent without the safeguards required by law. This is in addition to the indemnity in the Terms of Service.
6. Security measures
Nuntly implements and maintains the technical and organisational measures set out in Annex 2 to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk to Data Subjects.
Nuntly may update these measures from time to time, provided that the updates do not materially reduce the overall level of protection of Customer Personal Data.
7. Sub-processors
The Customer provides a general authorisation for Nuntly to engage the Sub-processors listed in Annex 3 and on the sub-processors page, which is kept up to date.
Nuntly shall impose on each Sub-processor, by way of a contract, data protection obligations that are no less protective than those set out in this DPA. Nuntly remains fully liable to the Customer for the performance of each Sub-processor's obligations.
Nuntly shall inform the Customer of any intended addition or replacement of a Sub-processor at least 30 days in advance, giving the Customer the opportunity to object on reasonable data protection grounds before the new Sub-processor begins processing Customer Personal Data. If the Customer does not object within that period, the Sub-processor is deemed accepted. Where a change is required to address a security, legal or service-continuity issue, Nuntly may engage the Sub-processor on shorter notice and inform the Customer as soon as practicable. A Customer can subscribe to change notifications at support@nuntly.com. If the Customer objects and the objection cannot be resolved, the Customer may terminate the affected Services.
8. International data transfers
All Customer Personal Data is hosted and processed within the European Union (Dublin, Ireland). The sub-processors that process Customer Personal Data operate within the EU, as described in Annex 3. Because no Customer Personal Data is transferred outside the European Economic Area, Standard Contractual Clauses are not required. If Nuntly ever needs to transfer Customer Personal Data outside the EEA, it will first put in place a valid transfer mechanism under Chapter V of the GDPR and update this DPA accordingly.
Account Data handled by ancillary sub-processors may be processed in the United States under the EU-US Data Privacy Framework, as described in section 3. That processing does not involve Customer Personal Data.
9. Data subject rights
Taking into account the nature of the processing, Nuntly shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in responding to requests from Data Subjects to exercise their rights of access, rectification, erasure, restriction, portability and objection.
Where the Services provide self-service features that allow the Customer to access, correct, delete or export Customer Personal Data, the Customer shall use those features to fulfil such requests. If a request cannot be fulfilled through the Services, the Customer can contact support@nuntly.com for assistance. Assistance that goes beyond the self-service features of the Services is provided at a reasonable cost.
If Nuntly receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond to the request other than to direct the Data Subject to the Customer, unless legally required to do otherwise, and will promptly notify the Customer.
10. Personal data breaches
Nuntly shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification shall describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
Nuntly shall cooperate with the Customer and take reasonable steps to mitigate the effects of the breach. The Customer is responsible for any notification to a Supervisory Authority or to affected Data Subjects that Data Protection Law requires of it as Controller.
Nuntly's notification of, or response to, a personal data breach is not an acknowledgement of fault or liability.
11. Data protection impact assessments
Taking into account the nature of the processing and the information available to Nuntly, Nuntly shall provide reasonable assistance to the Customer with any data protection impact assessment and any prior consultation with a Supervisory Authority that the Customer is required to carry out under Articles 35 and 36 of the GDPR. Where this assistance requires significant effort, it is provided at a reasonable cost.
12. Deletion and return of data
On termination of the Services, and at the choice of the Customer, Nuntly shall delete or return all Customer Personal Data and delete existing copies, unless Union or Member State law requires continued storage.
During the term, message logs and event data are retained according to the Customer's plan, which is up to 30 days by default and longer on plans that include extended retention. On termination, or on a deletion request, Customer Personal Data is deleted from production systems, and residual copies held in encrypted backups are deleted within 7 days as backups age out. A Customer can request deletion at support@nuntly.com or through the data request page.
13. Audits and information
Nuntly shall make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, including the contents of this DPA, the sub-processors page, and Nuntly's published security documentation.
Where the Customer reasonably requires further information, or wishes to conduct an audit, the Customer can submit a request at support@nuntly.com. The parties shall agree in advance on the scope, timing and reasonable cost of any audit so as to minimise disruption to Nuntly's operations and to protect the confidentiality and security of other customers' data. Audits shall take place no more than once per year, except where required by a Supervisory Authority or following a personal data breach.
Nuntly retains the records necessary to demonstrate its compliance with Article 28 of the GDPR for the duration of the Services and for a reasonable period thereafter. These records are not the Customer Personal Data described in section 12 and are kept independently of it.
14. Order of precedence
In the event of a conflict between this DPA, the Terms of Service and Nuntly's Privacy Policy on the subject matter of the processing of Customer Personal Data, the order of precedence is: first this DPA, then the Terms of Service, then the Privacy Policy.
15. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that those limitations and exclusions do not apply to: (a) the Customer's indemnity under section 5; (b) liability for death or personal injury caused by negligence; (c) gross negligence or wilful misconduct; or (d) any liability that cannot be limited or excluded under applicable law, including Data Protection Law.
16. Term and termination
This DPA takes effect when the Customer accepts the Terms of Service and remains in force for as long as Nuntly processes Customer Personal Data. The provisions that by their nature should survive termination, including sections 5 (warranty and indemnity), 12, 13 and 15, survive the end of this DPA.
17. Governing law
This DPA is governed by the law of France and is subject to the same jurisdiction and dispute resolution provisions as the Terms of Service, without prejudice to any mandatory rights of Data Subjects or powers of a Supervisory Authority under Data Protection Law.
Annex 1. Details of the processing
Subject matter. Provision of the Nuntly email delivery platform, including the sending, receiving, tracking and analytics of email on the Customer's behalf.
Categories of Data Subjects. The senders and recipients of the Customer's email, and any individuals whose personal data the Customer includes in message content or metadata. This is determined by the Customer.
Categories of Personal Data. Email addresses, message subject lines, message content (including any personal data the Customer chooses to include), message headers and metadata, delivery and engagement event data (such as opens and clicks where tracking is enabled), and the IP addresses and user-agent information associated with those events.
Special categories of Personal Data. None are intended to be processed. The Customer is responsible for not sending special categories of personal data through the Services unless it has implemented the safeguards required by law.
Frequency of the processing. Continuous, for the duration of the Services.
Nature of the processing. Transmission, delivery, receipt and storage of email messages; generation of delivery, engagement and analytics events; delivery of webhooks; and detection and prevention of fraud, abuse and security incidents affecting the Services.
Purpose of the processing. To allow the Customer to send and receive email reliably to and from its users and recipients through the Services, and to keep the Services secure by detecting and preventing fraud, abuse and security incidents.
Duration and retention. For the term of the Services. Retention and deletion are described in section 12.
Annex 2. Technical and organisational measures
Nuntly maintains the following measures, appropriate to the risk:
- Security governance. A documented information security and incident response process governs the detection, assessment, mitigation and notification of personal data breaches, as described in section 10.
- Access control. Access to systems that process Customer Personal Data follows the principle of least privilege and is restricted to authorised personnel. Administrative access requires multi-factor authentication.
- Infrastructure security. The Services run on Amazon Web Services infrastructure in the European Union. That infrastructure is independently audited against SOC 2 Type II and ISO 27001.
- Encryption in transit. All connections to the Services and between internal components use TLS.
- Encryption at rest. Customer Personal Data is encrypted at rest, with keys managed by a dedicated key management service.
- Network segmentation. Production systems run in isolated private networks with controlled ingress and egress.
- Logging and monitoring. Access to and operations on production systems are logged and monitored, and alerts are configured for anomalous activity.
- Backup and recovery. Databases are backed up automatically every day. Backups are encrypted and retained for 7 days.
- Confidentiality. Personnel with access to Customer Personal Data are bound by confidentiality obligations.
- Data location. All processing of Customer Personal Data takes place within the European Union.
Annex 3. List of sub-processors
Nuntly publishes the authoritative and current list of its sub-processors, with their purpose and location, on the sub-processors page, which is kept up to date. That page is the single source of truth for this annex.
The sub-processors that process Customer Personal Data (the content of the Customer's email and the related delivery and engagement events) operate within the European Union. The remaining sub-processors support Nuntly's own account and website operations, process only Account Data, and do not access the content of the Customer's email. Where any of those ancillary sub-processors operates outside the European Union, it does so under the EU-US Data Privacy Framework.
Signature
The signature blocks below are provided for reference purposes only. This DPA becomes legally binding when the Customer accepts the Terms of Service, and a signature is not required for it to take effect. A Customer that needs a counter-signed copy for its records can request one at support@nuntly.com.
Processor (Nuntly)
- Name: Olivier Bazoud
- Title: Founder
- Entity: Nuntly (Entreprise individuelle), 5 Villa Verges, 92320 Chatillon, France
- SIREN: 940 049 836
- Date: June 24, 2026
- Signature: ____________________________
Controller (Customer)
- Name: ____________________________
- Company: ____________________________
- Title: ____________________________
- Date: ____________________________
- Signature: ____________________________