Data Processing Addendum

This Addendum supplements the Terms of Service for customers subject to GDPR or equivalent regulations. By using Notify Vero you accept it. A counter-signed copy is available on request.

1. Roles

You are the Controller of subscriber data you upload. Notify Vero is the Processor, acting on your documented instructions.

2. Scope of processing

• Subject matter: delivery of marketing and transactional email.
• Duration: the term of your subscription, plus 30-day backup retention.
• Categories of data: email addresses, names, custom fields, engagement events.
• Categories of subjects: your subscribers and customers.

3. Sub-processors

We engage vetted sub-processors (cloud hosting, SMTP relays, payment) under written agreements that impose equivalent obligations. The current list is shared on request and we'll notify you 30 days before adding a new one.

4. Security

Encryption in transit (TLS 1.2+) and at rest (AES-256). Role-based access, audit logging, and least-privilege controls. See /security for details.

5. Sub-subject rights

We will assist you in responding to subject access, rectification, erasure, and portability requests within statutory timeframes.

6. International transfers

Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (Modules 2 and 3, June 2021). A signed copy is available on request.

7. Breach notification

We will notify you without undue delay (and within 72 hours) of becoming aware of any personal data breach affecting your data.

8. Termination

On termination we delete or return your data within 30 days, save for backups which cycle out within a further 30 days.

Request a counter-signed copy at legal@notifyvero.com.