Mailday Data Processing Addendum (DPA)
Last updated: 2026-05-13
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer" or "Controller") and CreatorGeek, Inc. d/b/a Mailday ("Mailday" or "Processor") for the provision of the Mailday Service (the "Agreement"). This DPA reflects the parties' agreement regarding the processing of Personal Data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
By executing this DPA, the Customer enters into it on behalf of itself and, where applicable, its Affiliates that use the Service.
1. Definitions
- "Applicable Data Protection Laws" means GDPR, UK GDPR, the Swiss Federal Act on Data Protection, the CCPA/CPRA, and other state, federal, or international laws governing the processing of Personal Data, as applicable.
- "Controller," "Processor," "Personal Data," "Processing," "Data Subject," and "Special Categories of Personal Data" have the meanings given in the GDPR (or, where the CCPA applies, the corresponding terms "Business," "Service Provider/Contractor," and "Personal Information").
- "Subprocessor" means any third party engaged by Mailday to Process Personal Data on its behalf.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.
2. Roles and scope
2.1 Roles
The Customer is the Controller and Mailday is the Processor of Personal Data Processed under the Agreement. Where the CCPA applies, the Customer is the Business and Mailday is a Service Provider.
2.2 Subject matter and duration
Subject matter: Processing of Personal Data to provide the Service. Duration: the term of the Agreement, plus retention periods set out in the Privacy Policy.
2.3 Nature and purpose
To enable Customer to operate member and workspace workflows, including assigned email inboxes, social platform integrations, AI-assisted drafting and replies, invoicing, payouts, and reporting.
2.4 Categories of Data Subjects
Customer's authorized users; companies and viewers; recipients of email and social communications; other individuals whose data appears in Customer Data.
2.5 Categories of Personal Data
Identifiers (name, email, phone), profile data, business contact information, communications content (email body and attachments), social media content and metadata, analytics, financial transaction metadata, IP addresses, device/usage information, and AI prompts and outputs.
2.6 Special categories
The Service is not designed for Special Categories of Personal Data. Customer agrees not to upload such data except as strictly necessary and at its own risk.
3. Processor obligations
Mailday will:
(a) Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required by law;
(b) Ensure that personnel authorized to Process Personal Data are bound by confidentiality;
(c) Implement appropriate technical and organizational measures as described in Annex II to ensure a level of security appropriate to the risk;
(d) Engage Subprocessors only in accordance with Section 5;
(e) Assist Customer, taking into account the nature of the Processing, with responding to Data Subject requests and complying with its obligations under Articles 32–36 GDPR;
(f) At Customer's choice, delete or return all Personal Data after termination, subject to legal retention requirements;
(g) Make available information necessary to demonstrate compliance and allow for and contribute to audits as described in Section 7;
(h) Immediately inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
4. Customer obligations
Customer represents and warrants that:
(a) It has provided all required notices and obtained all required consents and legal bases for Personal Data Processing;
(b) Its instructions comply with Applicable Data Protection Laws;
(c) It will not upload Special Categories of Personal Data except as permitted by Section 2.6;
(d) It is responsible for the security of its credentials and the configuration choices it makes in the Service.
5. Subprocessors
5.1 General authorization
Customer authorizes Mailday to engage Subprocessors to Process Personal Data, including those listed in our Subprocessor List.
5.2 Notice of changes
Mailday will provide notice (via email or via the Subprocessor List, which offers a subscribe option) of new or replacement Subprocessors at least 15 days before they begin Processing. Customer may object on reasonable data-protection grounds within that period.
5.3 Subprocessor obligations
Mailday will impose data-protection obligations on Subprocessors no less protective than those in this DPA and remains liable for Subprocessor performance.
6. International transfers
6.1 EU/EEA transfers
Where Mailday Processes Personal Data subject to GDPR outside the EEA to a country without an adequacy decision, the Module Two SCCs (Controller-to-Processor) are incorporated by reference and apply, with: Clause 7 (Docking) included; Clause 9(a) Option 2 selected (general written authorization for Subprocessors), 15-day notice period; Clause 11(a) optional language not included; Clause 17 Option 1, governing law of Ireland; Clause 18 forum and jurisdiction: Ireland.
6.2 UK transfers
Where Personal Data is subject to UK GDPR, the UK Addendum to the SCCs is incorporated and forms part of this DPA.
6.3 Swiss transfers
For Personal Data subject to Swiss data protection law, the SCCs apply with references to GDPR construed as references to the Swiss FADP and the supervisory authority being the Swiss Federal Data Protection and Information Commissioner (FDPIC).
7. Audits
7.1 Audit reports
On Customer's reasonable written request not more than once per year, Mailday will provide responses to a reasonable security questionnaire and, when available, third-party audit reports (such as SOC 2 Type II).
7.2 On-site audits
Customer may conduct on-site audits where required by Applicable Data Protection Laws or supervisory authorities. Audits will be at Customer's expense, on at least 30 days' notice, during normal business hours, and subject to confidentiality.
8. Security incidents
Mailday will notify Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of a Personal Data Breach. Mailday's incident response contact is security@mailday.ai.
9. Data subject requests
If Mailday receives a request from a Data Subject relating to Customer's Personal Data, it will redirect the Data Subject to Customer and assist Customer in responding to the extent legally required.
10. CCPA / U.S. state privacy law terms
Mailday acts as a Service Provider (and, where applicable, Contractor or Processor under other state laws). Mailday:
(a) Will Process Personal Information only for the business purposes specified in the Agreement;
(b) Will not sell or share (as those terms are defined under CCPA/CPRA) Personal Information;
(c) Will not retain, use, or disclose Personal Information outside the direct business relationship or for any purpose other than the specified business purposes;
(d) Will not combine Personal Information received from Customer with Personal Information from other sources, except as permitted by 11 CCR § 7050(b);
(e) Will comply with applicable CCPA/CPRA obligations and provide the same level of protection as required by CCPA;
(f) Will notify Customer if it determines it can no longer meet its obligations under CCPA.
11. Liability
Each party's liability arising under this DPA is subject to the limitations of liability in the Agreement.
12. Order of precedence
In the event of conflict, the order of precedence is: (1) the SCCs and UK Addendum, (2) this DPA, (3) the Agreement.
13. Term and termination
This DPA takes effect on the date the Agreement begins and continues until the Agreement ends, except that provisions which by their nature should survive (security, confidentiality, audit) survive termination.
Annex I — Description of processing
A. List of parties
- Controller / Data Exporter: the Customer as identified in the Agreement.
- Processor / Data Importer: CreatorGeek, Inc. d/b/a Mailday, 465 California St, San Francisco, CA 94101, USA. Contact: privacy@mailday.ai.
B. Categories of Data Subjects: as described in Section 2.4.
C. Categories of Personal Data: as described in Section 2.5.
D. Special categories of data: none, except as inadvertently included in Customer Data; see Section 2.6.
E. Frequency of transfer: continuous, for the duration of the Agreement.
F. Nature and purpose of processing: as described in Section 2.3.
G. Retention period: as described in the Privacy Policy.
H. Competent supervisory authority (SCC Clause 13): the Irish Data Protection Commission for EEA transfers; the Information Commissioner's Office for UK transfers; the FDPIC for Swiss transfers.
Annex II — Technical and organizational measures
Mailday implements the following measures:
- Encryption: TLS 1.2+ in transit; AES-256 at rest.
- Access control: role-based access, least-privilege, mandatory MFA for personnel, periodic access reviews.
- Personnel: confidentiality obligations, background checks where lawful, training.
- Network and infrastructure security: VPC isolation, security groups, WAF, Amazon GuardDuty for EC2 threat detection.
- Message handling: size limits and source checks on inbound and outbound messages and attachments; deeper malware scanning is on the roadmap.
- Logging and monitoring: centralized audit logging, anomaly detection.
- Vulnerability management: regular scanning and patching; coordinated vulnerability disclosure.
- Incident response: documented plan; 24/7 on-call; notification per Section 8.
- Backups: encrypted backups with 90-day retention.
- Resilience: redundancy, geographic distribution within hosting regions, restoration testing.
- Vendor management: due diligence; written contracts; periodic review.
- Privacy by design: data minimization, purpose limitation, retention limits, role separation.
A current summary of measures is available at mailday.ai/security.
Annex III — List of Subprocessors
This Annex incorporates by reference our up-to-date Subprocessor List. Mailday provides at least 15 days' notice before engaging a new Subprocessor or replacing an existing one. Customer may subscribe to updates at the same URL or by emailing privacy@mailday.ai.
Execution
This DPA is effective on the latest signature date below (the "Effective Date") and supersedes any prior data-protection terms between the parties.
This DPA may be executed by:
- Counterpart signature (including DocuSign or other electronic signature): Customer's authorized signatory completes the block below and returns to legal@mailday.ai.
- Click-through acceptance in the Mailday product, where Customer's account administrator clicks "Accept DPA" in account settings.
- Reference in the Agreement: where Customer's master service order or order form expressly incorporates this DPA, no separate signature is required.
For Customers requiring a fully signed DPA for procurement records, contact legal@mailday.ai.
Contact
- Legal / DPA signature: legal@mailday.ai
- Privacy: privacy@mailday.ai
- Mail: CreatorGeek, Inc., 465 California St, San Francisco, CA 94101