Recitals

This Data Processing Agreement ("DPA") supplements the Target SMTP Terms of Service and governs, pursuant to Art. 28 of Regulation (EU) 2016/679 ("GDPR"), the relationship between:

- Davide Di Vietro, with operating office in Italy, acting as Data Processor ("Processor");
- the Target SMTP Customer, acting as Data Controller ("Controller").

The DPA applies to the processing of personal data of the recipients of emails sent by the Controller through the Service.

1. Subject matter, nature and purpose of the processing

- Subject matter: transmission of transactional and service emails on behalf of the Controller, collection of related events (delivered, bounced, opened, clicked, complaint, unsubscribe), technical logs, management of suppression lists.
- Nature: automated electronic processing.
- Purpose: delivery of the Service requested by the Controller.
- Duration: for the entire duration of the contract, plus the mandatory retention periods (90 days for logs, 12 months for bounces).

2. Categories of data subjects and data

- Data Subjects: recipients of emails sent by the Controller (customers, users, contacts, employees).
- Categories of data: email address, name (if included by the Controller), message content, delivery metadata (recipient server IP, DKIM headers, outcome, timestamps), any interaction events (opens, clicks).

3. Processor's obligations

The Processor undertakes to:

- Process personal data only on documented instructions from the Controller (the sending parameters supplied by the Customer via SMTP/API constitute documented instructions);
- Ensure that persons authorized to process the data are bound by confidentiality;
- Implement Technical and Organizational Measures (TOMs) appropriate under Art. 32 GDPR (see Annex B);
- Assist the Controller, by appropriate technical and organizational measures, in responding to requests by Data Subjects exercising their rights (Arts. 15-22 GDPR);
- Assist the Controller in ensuring compliance with the obligations under Arts. 32-36 GDPR (security, breach notification, data protection impact assessment);
- Delete or return all personal data at the end of the relationship, subject to retention obligations imposed by Italian law;
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, including through inspections or audits, with reasonable notice and respecting operational needs (max once per year, save for specific cause).

4. Sub-processors

The Controller grants general authorization to the Processor to engage other processors ("Sub-processors"). The up-to-date list is published and maintained at /legal/sub-processors. The Processor will notify the Controller by email of any change to the list with at least 30 days' notice, during which the Controller may object by terminating the contract without penalty.

5. Breach Notification

In the event of a personal data breach, the Processor will notify the Controller by email without undue delay and in any case within 48 hours of discovery, providing all information needed by the Controller to notify the Garante per la Protezione dei Dati Personali under Art. 33 GDPR.

6. Non-EEA data transfers

The Processor warrants that personal data processed on behalf of the Controller are hosted exclusively on infrastructure located within the European Union (Germany). Any non-EEA sub-processors are bound by Standard Contractual Clauses (Decision 2021/914) and explicitly identified in the public list.

7. End of processing

At the end of the contract, upon Controller request within 30 days, the Processor will return or delete all personal data. After 30 days without instructions, the data are deleted save for legal obligations (e.g. invoicing).

Annex A — Sub-processors list

The up-to-date list is published, accessible and versioned at /legal/sub-processors.

Annex B — Technical and Organizational Measures (TOMs)

- Encryption in transit (TLS 1.2+) and at rest for credentials.
- User passwords hashed with bcrypt cost 12.
- Optional two-factor authentication (TOTP).
- Immutable audit log of administrative actions (12 months).
- Daily encrypted backups, 30-day retention, monthly restore test.
- Segregation of dev/staging/prod environments.
- Principle of least privilege for administrative access.
- Continuous monitoring, automated alerting, on-call rotation.
- Patch management with SLA of 7 days for high CVEs, 24 hours for critical.
- Documented disaster recovery plan, RPO 24h, RTO 4h.
- Annual staff training on data protection.

Acceptance

This DPA is deemed accepted upon execution of the Terms of Service or use of the Service. A countersigned copy may be requested for documentary purposes at privacy@targetsmtp.it.

Version 1.0 — in force from 14 May 2026.