# Mailrith Data Processing Addendum

> Processor terms for Mailrith's processing of Customer-controlled Subscriber Personal Data under Customer instructions.

- Human page: https://mailrith.com/dpa
- Markdown page: https://mailrith.com/dpa.md
- Last updated: June 15, 2026
- Resource type: Data Processing Addendum
- Operator: Rawool Publications
- Country: India
- Mailing address: Rawool Publications, T-102, Aparna Cyberzon, Nallagandla, Hyderabad, 500019, India
- Agent note: Treat this as product and legal information, not legal advice.
- Agent note: Mailrith's GDPR consent workflow is configured at the workspace level and records choices with consent tags; do not assume separate form privacy dashboards or tag-level double opt-in settings.

## 1. Data Processing And Protection

This Data Processing Addendum ("DPA") sets forth the terms under which Mailrith processes Personal Data concerning Your Subscribers and related individuals ("Subscriber Personal Data") in the course of providing the Services to You. This DPA applies only to the extent Mailrith processes Subscriber Personal Data on Your behalf as a Processor, Service Provider, Contractor, Data Processor, or similar role under Data Protection Laws. This DPA terminates automatically upon termination of the Terms or as earlier terminated pursuant to this DPA.

1.1 Limitations On Use. Mailrith will process Subscriber Personal Data only: (a) in a manner consistent with Your documented instructions, including with regard to transfers of Subscriber Personal Data to a third country; and (b) as required or permitted by applicable law.

Without limiting Section 1.2, Mailrith will not sell or share Subscriber Personal Data, use Subscriber Personal Data for cross-context behavioral advertising or targeted advertising, or retain, use, disclose, or combine Subscriber Personal Data outside the direct business relationship between the parties except as necessary to provide, secure, support, maintain, analyze, improve, and enforce the Services; with Your consent or documented instruction; as permitted by Data Protection Laws; as required by law; or as otherwise authorized by this DPA or the Terms.

1.2 Instructions. You instruct Mailrith to process Subscriber Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA, the Terms, product configuration, support instructions, and Attachment 2. This DPA, the Terms, and instructions provided through configuration tools made available by Mailrith constitute Your documented instructions regarding Mailrith's processing of Subscriber Personal Data.

Mailrith may suspend processing based upon any instruction that Mailrith reasonably suspects violates Data Protection Laws, provider requirements, the Terms, or this DPA, and Mailrith may notify You where Mailrith believes an instruction infringes Data Protection Laws, unless legally prohibited.

1.3 Compliance. Each party will comply with its obligations under Data Protection Laws. Mailrith shall notify You if it determines that it cannot meet an applicable obligation under Data Protection Laws. Upon receiving written notice from You that Mailrith has processed Subscriber Personal Data without authorization, Mailrith may take reasonable and appropriate steps to stop and remediate such processing where required by applicable law.

1.4 Confidentiality. Mailrith will take reasonable steps designed to ensure that persons authorized by Mailrith to process Subscriber Personal Data are subject to appropriate confidentiality obligations.

1.5 Security. Taking into account the nature, scope, context, and purposes of processing, Mailrith will implement and maintain appropriate technical and organizational measures designed to protect Subscriber Personal Data against Security Incidents and to provide a level of protection required by Data Protection Laws applicable to Mailrith's processor obligations, subject to the Terms, this DPA, Customer configuration, provider dependencies, and the limitations described in Mailrith's Security page and applicable agreements.

1.6 Disposal. At Your choice and upon Your written request at the end of the provision of Services, Mailrith will make commercially reasonable efforts to return, export, delete, or anonymize Subscriber Personal Data, unless applicable law requires storage of such Subscriber Personal Data and except for Subscriber Personal Data archived on backup systems, retained in suppression, abuse-prevention, billing, dispute, legal, security, or provider records, or otherwise subject to technical limitations. Requests may be sent to support@mailrith.com.

1.7 Deidentified Data. You authorize Mailrith to process deidentified or aggregated data to operate, analyze, protect, support, and improve the Services. Mailrith will take reasonable measures designed to ensure Deidentified Data cannot reasonably be associated with a particular person, Customer, or Subscriber, will maintain and use Deidentified Data in deidentified form, and will not attempt to reidentify Deidentified Data except as permitted by Data Protection Laws.

1.8 Your Obligations. You are responsible for the accuracy, quality, legality, source, notice, consent, lawful basis, retention, deletion, and use of Subscriber Personal Data; for determining whether the Services are appropriate for Your processing; and for using available product controls lawfully.

Your obligations include providing required privacy notices, notices at collection, consent notices, cookie or tracking notices, unsubscribe notices, appeal notices, and other legally required disclosures; obtaining and recording required consent or another lawful basis; honoring withdrawal, opt-out, deletion, correction, access, portability, restriction, objection, authorized-agent, representative, and grievance rights; and maintaining records sufficient to demonstrate compliance where required.

Where the Services use cookies, unique identifiers, pixels, web beacons, link tracking, open tracking, device identifiers, or similar technologies in connection with Subscriber communications, hosted pages, forms, landing pages, or Customer-configured workflows, You are responsible for maintaining notice, consent, opt-in, opt-out, and preference mechanisms required by Data Protection Laws.

You may not submit special categories of Personal Data, sensitive personal information, children's data, health data, biometric identification data, genetic data, payment card numbers, government identity numbers, passwords, or similarly sensitive information to the Services unless You have all required authority and Mailrith has expressly approved the use in writing.

1.9 Usage Data. Notwithstanding anything to the contrary in this DPA, Mailrith may use and disclose data relating to the operation, support, and use of the Services for legitimate business purposes, including billing, account management, technical support, product development, sales and marketing, security, abuse prevention, compliance, analytics, and service improvement. To the extent such data is Personal Data under Data Protection Laws, Mailrith is the Controller of that data and processes it in accordance with the Privacy Policy and Data Protection Laws.

- [Mailrith Security](https://mailrith.com/security): Security information for safeguards, customer responsibilities, vulnerability reports, and incident notices.

## 2. Data Processing Assistance

2.1 Data Subject Rights Assistance. Mailrith's Services may provide controls to retrieve, correct, delete, export, restrict, suppress, unsubscribe, or otherwise manage Subscriber Personal Data. You may use those controls in connection with Your obligations under Data Protection Laws, including responding to requests from Data Subjects, Consumers, Subscribers, authorized agents, or similar individuals.

To the extent You are unable to independently access relevant Subscriber Personal Data within the Services, Mailrith will provide reasonable assistance, at Your expense where permitted by law, to help You respond to requests relating to Subscriber Personal Data processed under this DPA. If a request is made directly to Mailrith, Mailrith will not respond to the request directly without Your authorization unless legally required to do so, and Mailrith may direct the requester to You where permitted by law.

If Mailrith is legally required to respond directly to a request concerning Subscriber Personal Data, Mailrith will provide commercially reasonable notice to You and, where legally permitted, a copy or summary of the request.

You are responsible for verifying requests, determining whether a request is valid, responding within applicable timelines, using available tools correctly, providing required appeals or grievance processes, and completing actions in Customer-connected Providers and external systems.

2.2 Security Assistance. Taking into account the nature of processing and information available to Mailrith, Mailrith will provide commercially reasonable information and assistance to help You comply with obligations to secure Subscriber Personal Data.

2.3 Security Incident Notice And Assistance. Mailrith will notify You without undue delay after becoming aware of a Security Incident affecting Subscriber Personal Data to the extent required by Data Protection Laws applicable to Mailrith's processor obligations or this DPA, subject to law-enforcement, security, confidentiality, technical, and availability limitations. Mailrith may take commercially reasonable steps to investigate, mitigate, and minimize the effects of the Security Incident.

A notice, investigation, mitigation, or support response regarding a Security Incident is not an admission of fault, liability, or violation of law.

2.4 Data Protection Impact Assessment And Prior Consultation Assistance. Taking into account the nature of processing and information available to Mailrith, Mailrith will provide commercially reasonable assistance with data protection impact assessments and regulator consultations to the extent required by Data Protection Laws and applicable to Mailrith's processing of Subscriber Personal Data.

## 3. Audits

3.1 General Assistance. Mailrith will make available to You information reasonably necessary to demonstrate Mailrith's compliance with its express obligations under this DPA to the extent required by Data Protection Laws applicable to Mailrith's processor obligations. Such information and audit results are Mailrith confidential information unless applicable law requires otherwise.

3.2 Audit Reports And Review. Upon Your written request not more than once per year, and subject to reasonable confidentiality, security, availability, and scope controls, Mailrith may make available documentation, policies, summaries, certifications or reports if available, written responses, support-assisted review, or other reasonable information to help confirm Mailrith's compliance with this DPA.

If the information provided is insufficient and an audit is required by Data Protection Laws applicable to Mailrith's processor obligations, Mailrith will allow for and contribute to audits, including inspections, conducted by You or an auditor mandated by You, provided the audit is limited to Your own Subscriber Personal Data and Mailrith's applicable processor obligations; scheduled to avoid disruption; handled under confidentiality; and conducted without access to Mailrith source code, systems, internal tools, provider accounts, confidential business information, or other Customers' data.

Mailrith may decline or limit audit activity that is duplicative, unlawful, unsafe, disruptive, outside the scope of this DPA, requested by a competitor, or inconsistent with confidentiality, security, service continuity, provider obligations, or the rights of other Customers.

## 4. Subprocessors

4.1 Appointment Of Subprocessors. You authorize Mailrith to use subcontractors and service providers to process Subscriber Personal Data in connection with providing the Services, each a Subprocessor. You specifically consent to Mailrith's appointment of the Subprocessors identified in Attachment 3.

4.2 Objection Right For New Subprocessors. Mailrith may update the Subprocessor list from time to time. Where required by Data Protection Laws or a separate written agreement, Mailrith will provide commercially reasonable notice at least 10 days before engaging a new Subprocessor that materially affects Subscriber Personal Data, unless exigent security, availability, legal, provider, or service-continuity circumstances require a shorter period.

You may object to a new Subprocessor only on reasonable, specific, and documented data-protection grounds by contacting support@mailrith.com within five business days after notice. Mailrith and You will cooperate in good faith to resolve Your objection.

If the parties cannot reasonably resolve the objection within 10 days after Mailrith receives it, Mailrith may make available alternatives, limit the affected feature, or allow You to stop using the affected Service as Your sole and exclusive remedy unless applicable law requires otherwise.

4.3 Liability. Mailrith will impose data protection obligations on Subprocessors that are no less protective of Subscriber Personal Data than those required by this DPA in substance, to the extent applicable to the Subprocessor's services. Mailrith remains responsible for Subprocessors it appoints to process Subscriber Personal Data to the extent required by Data Protection Laws and applicable transfer terms, subject to the exclusions and limitations in the Terms, this DPA, and applicable law.

Customer-connected Providers are not Mailrith Subprocessors merely because You connect, configure, authorize, or use them with the Services. You are responsible for reviewing Customer-connected Providers separately.

## 5. Data Transfers

5.1 Transfer Mechanisms. Mailrith and its service providers may process Subscriber Personal Data in countries other than the country where You or a Subscriber is located. Where Data Protection Laws require a safeguard for a restricted transfer, Mailrith may rely on SCCs, the UK Addendum, the UK IDTA, Swiss transfer terms or modifications, adequacy decisions, derogations, Your instructions, or another available transfer mechanism.

5.2 SCCs. If Data Protection Laws require SCCs for a transfer of Subscriber Personal Data, the parties agree that the SCCs apply as incorporated by reference and are deemed executed as of the effective date of this DPA. Module Two (controller to processor) applies where You are the Controller and Mailrith is the Processor. You are the data exporter and Mailrith is the data importer.

5.2.1 Transfers Subject To The GDPR. For Subscriber Personal Data subject to the GDPR, the SCCs are completed as follows: Clause 7 optional docking language does not apply; audits under Clause 8.9 are conducted according to Section 3 of this DPA; Clause 9 Option 2 applies and changes to Subprocessors are notified according to Section 4 of this DPA; Clause 11 optional language does not apply; Clauses 17 and 18 use the laws and courts of Ireland, unless Data Protection Laws require another EU member-state law or forum; the annexes are deemed completed by Attachment 2, Attachment 3, and the security measures described in this DPA and Mailrith's Security page; and the competent supervisory authority is determined according to Clause 13 and the GDPR.

5.3 UK Transfers. If Subscriber Personal Data subject to the UK GDPR is subject to a restricted transfer, the parties agree that the UK Addendum applies to the SCCs for that transfer unless the UK IDTA or another lawful UK transfer mechanism is required or agreed. The information required to complete the UK Addendum or UK IDTA is deemed completed by the information in this DPA, including Attachment 2 and Attachment 3, to the extent applicable. Neither party may terminate the UK Addendum or UK IDTA under an optional termination right in those terms without the other party's written consent, unless applicable law requires otherwise.

5.4 Swiss Transfers. If Subscriber Personal Data subject to the FADP is subject to a restricted transfer, the parties agree that the SCCs apply with Swiss-law modifications required or recognized by competent Swiss authorities. References to the GDPR will be read to include the FADP where applicable; references to EU member states will not prevent Data Subjects in Switzerland from exercising rights in Switzerland; and, where the transfer is governed by the FADP, the competent supervisory authority will be the Swiss Federal Data Protection and Information Commissioner to the extent required.

Where Data Protection Laws require a transfer assessment, supplementary measures, or transfer-related information, Mailrith may provide commercially reasonable information regarding Mailrith's processing of Subscriber Personal Data, subject to confidentiality, security, availability, and legal limitations.

5.5 Alternative Transfer Mechanism. If Mailrith is required or permitted to adopt an alternative transfer mechanism under Data Protection Laws, that alternative transfer mechanism will apply automatically instead of or in addition to the mechanisms described in this DPA to the extent it complies with Data Protection Laws, and the parties will take commercially reasonable actions or execute commercially reasonable documents necessary to give effect to that mechanism.

5.6 Data Privacy Framework. Mailrith does not claim certification under the EU-US, UK-US, or Swiss-US Data Privacy Framework unless Mailrith separately publishes such certification.

## 6. Limitation Of Liability

Each party's and all of its affiliates' liability arising out of or relating to this DPA, including liability arising under incorporated transfer terms or the Standard Contractual Clauses, is subject to the exclusions and limitations of liability in the Terms to the maximum extent permitted by applicable law.

Nothing in this DPA is intended to restrict rights that Data Subjects have under Data Protection Laws or applicable transfer terms.

Nothing in this DPA increases the liability limits, expands the remedies, or creates additional warranties beyond those expressly stated in the Terms or another written agreement signed by Mailrith.

No security, privacy, GDPR, support, documentation, feature, marketing, subprocessor, or compliance material expands Mailrith's liability, remedies, service commitments, warranties, or obligations under this DPA unless this DPA or another written agreement signed by Mailrith expressly states otherwise.

Nothing in this DPA limits, excludes, or modifies liability only to the extent such liability cannot be limited, excluded, or modified under applicable law.

## 7. Miscellaneous

If there is a conflict between this DPA and the Terms regarding Mailrith's processing of Subscriber Personal Data as a processor, service provider, contractor, or similar role, this DPA controls for that conflict only. The Terms control all other matters. To the extent there is any conflict between this DPA and applicable Standard Contractual Clauses or UK transfer terms, the applicable transfer terms will control for that conflict.

Except as expressly stated in the SCCs, UK Addendum, or UK IDTA, the governing-law and forum-selection provisions in the Terms apply to disputes arising out of this DPA where the Terms contain such provisions.

Except as specifically amended or modified by this DPA, the Terms remain unchanged and in full force and effect.

This DPA does not create service-level commitments, warranties, representations, guarantees, professional duties, fiduciary duties, or obligations for Mailrith beyond the express obligations in this DPA and obligations that cannot be waived under Data Protection Laws applicable to Mailrith's processor obligations.

Mailrith's privacy, security, GDPR overview, documentation, support, feature, and marketing pages are informational only and do not form part of this DPA except to the extent this DPA expressly incorporates them.

No supplement, modification, or amendment of this DPA will be binding unless made in writing and accepted by each party to this DPA.

This DPA does not require Mailrith to disclose privileged information, confidential business information, information about other Customers, security-sensitive information, source code, internal tools, provider credentials, or information that Mailrith is prohibited from disclosing.

This DPA does not create third-party beneficiary rights except to the extent required by Data Protection Laws or the Standard Contractual Clauses where applicable.

Capitalized terms not defined in this DPA have the meanings given in the Terms or applicable Data Protection Laws.

## Attachment 1 - Definitions

CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and any regulations promulgated thereunder, each as amended, superseded, or replaced.

Controller means controller, business, and analogous variations of those terms under Data Protection Laws.

Customer, You, and Your mean the person or entity that accepted the Terms, uses the Services, or controls the relevant Mailrith account or workspace, and on whose behalf Mailrith processes Subscriber Personal Data under this DPA.

Customer-connected Providers means third-party services, accounts, providers, applications, endpoints, scripts, pixels, tracking code, APIs, webhooks, SMTP services, email delivery APIs, AI providers, CRMs, DNS providers, payment tools, analytics tools, Facebook Lead Ads connections, or similar services that You select, connect, configure, authorize, or cause the Services to interoperate with, other than a Subprocessor appointed by Mailrith under this DPA.

Data Privacy Framework means the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework, each as amended, superseded, or replaced.

Data Protection Laws means privacy, data protection, and data security laws applicable to the processing of Subscriber Personal Data, including GDPR, UK GDPR, Swiss privacy law, CCPA/CPRA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, India's Digital Personal Data Protection Act, 2023 and related rules when in force and applicable, and similar laws to the extent they apply.

Data Privacy Framework Principles means the principles and supplemental principles contained in the relevant Data Privacy Framework, each as amended, superseded, or replaced.

Deidentified Data means information that cannot reasonably be linked to or associated with You, a Data Subject, a Consumer, a Subscriber, or another identifiable individual.

FADP means the Swiss Federal Act on Data Protection and related ordinances, each as amended, superseded, or replaced.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended, superseded, or replaced.

Mailrith Systems means the facilities, systems, equipment, hardware, software, and provider services that Mailrith and Mailrith's Subprocessors use to process Subscriber Personal Data.

Personal Data means personal data, personal information, and analogous variations of those terms under Data Protection Laws.

Process and Processing mean any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, making available, alignment, combination, restriction, erasure, or destruction.

Processor means processor, service provider, contractor, data processor, and analogous variations of those terms under Data Protection Laws.

SCCs means the European Commission Standard Contractual Clauses for international transfers of personal data adopted under Commission Implementing Decision (EU) 2021/914, as amended, superseded, or replaced.

Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Subscriber Personal Data processed by Mailrith under this DPA.

Services means the Mailrith websites, applications, hosted pages, APIs, developer tools, documentation, support channels, and related services described in the Terms.

Subscribers means individuals whose email address or other information is included in Your distribution lists, workspace, imports, forms, landing pages, broadcasts, sequences, automations, communications, or related Customer-controlled workflows in the Services.

Subscriber Personal Data means Customer-controlled Personal Data or Personal Information about Your Subscribers, leads, form submitters, landing page submitters, email recipients, Users, and similar individuals processed by Mailrith on Your behalf through the Services.

Terms means the then-current Mailrith Terms of Service or another written agreement signed by Mailrith that expressly governs Your use of the Services.

UK Addendum means the International Data Transfer Addendum to the European Commission Standard Contractual Clauses issued under the UK Data Protection Act 2018, as amended, superseded, or replaced.

UK GDPR means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and related legislation, each as amended, superseded, or replaced.

UK IDTA means the International Data Transfer Agreement issued under the UK Data Protection Act 2018, as amended, superseded, or replaced.

Users means individuals accessing or using the Services through Your account or workspace.

## Attachment 2 - Scope Of Processing

Data exporter: You.

Data importer: Mailrith.

Subject matter and duration: Mailrith processes Subscriber Personal Data if and when provided by You in the course of providing the Services and until the Terms terminate or expire, subject to this DPA, the Terms, Your instructions, and applicable law.

Nature and purpose: processing Subscriber Personal Data in connection with and for the purpose of Mailrith providing, securing, supporting, maintaining, troubleshooting, improving, and enforcing the Services pursuant to the Terms and Your instructions.

Processing activities: email marketing, Subscriber management, hosted forms, hosted landing pages, email broadcasts, sequences, automations, tags, segments, reporting, imports, exports, public APIs, webhooks, consent workflows, unsubscribe handling, suppression, and connected integrations.

Types of Subscriber Personal Data: names, email addresses, Subscriber status, tags, segments, custom fields, consent choices, suppression records, unsubscribe records, bounce records, complaint records, email engagement events, form submissions, landing page submissions, source records, IP-derived details where available, device or usage data where available, Customer-created content, and any other Personal Data supplied by You or Users through the Services.

The types of Subscriber Personal Data may include, to the extent provided by You or Users, direct identifying information; device identification, traffic, usage, cookie, online navigation, location, browser, and access-device information; demographic information; employment details; personal interests or preferences; purchase-history or marketing-preference information, excluding full payment card details handled by payment providers; and publicly available profile information.

Categories of Data Subjects: Users, Subscribers, leads, form submitters, landing page submitters, email recipients, and similar individuals.

Special categories: the Services are not designed for special categories of Personal Data, health data, biometric identification data, genetic data, payment card numbers, government identity numbers, passwords, children's data, or similarly sensitive information in Subscriber fields or Customer Content. To the extent such data is submitted to the Services, it is determined and controlled by You in Your sole discretion.

Frequency of transfers: continuous for as long as You use the relevant Services.

Retention period: for the term of Your account or workspace and thereafter as described in this DPA, the Privacy Policy, the Terms, Your instructions, and applicable law.

## Attachment 3 - Subprocessor List

Last updated: June 15, 2026.

Mailrith's Subprocessors may include infrastructure, database, storage, security, payment, service-email, avatar, support, and operational providers. Provider use may vary by environment, feature, Customer configuration, and connected services.

Each Subprocessor entry identifies the Subprocessor name, services performed, and countries or regions where Subscriber Personal Data may be processed. Provider countries and regions may change where a provider changes support, security, hosting, backup, or operational locations.

Subprocessors may process Subscriber Personal Data in the countries or regions where they maintain infrastructure, support, security, billing, storage, backup, or operational personnel, subject to applicable transfer mechanisms where required.

- Cloudflare: application hosting, edge security, Workers, storage, queues, rate limiting, Turnstile, Hyperdrive, custom hostnames where configured, and related infrastructure. Countries/regions: United States and global edge, security, support, and infrastructure locations.
- PlanetScale: production database hosting, connection management, storage, backup, and related database infrastructure where configured. Countries/regions: United States and other provider infrastructure, support, backup, and operational locations.
- Dodo Payments: checkout, billing, subscription, invoice, and payment-method workflows. Countries/regions: United States, India, and other provider payment, support, compliance, and operational locations.
- Amazon Web Services: Mailrith-controlled service email delivery where configured. Countries/regions: United States and selected AWS infrastructure, support, backup, and operational locations.
- Automattic (Gravatar): Subscriber avatar image lookup using hashed Subscriber email addresses where displayed. Countries/regions: United States and other provider support and operational locations.

## Contact

Questions about Mailrith's DPA or Customer instructions can be sent to support@mailrith.com.
