Data Processing Agreement

Last updated: 28 May 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Code Cutter Limited, a company registered in England and Wales (company number 08453060) with registered office at Unit 96 The Maltings Business Centre, Stanstead Abbotts, Ware, Herts, SG12 8HG, trading as Mailbuttons (the "Processor," "we," "our," or "us"), and you (the "Controller," "you," or "your"). It governs the processing of personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation, the EU General Data Protection Regulation, and the UK Data Protection Act 2018.

The Processor implements security controls aligned with the ISO/IEC 27001:2022 control framework. The Processor's policies have been authored to this framework; the formal certification audit commences on the first paid Business contract — see the Trust Center for current compliance status.

2. Definitions

"Controller" means the natural or legal person who determines the purposes and means of processing personal data.

"Processor" means Code Cutter Limited (trading as Mailbuttons), which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, and deletion.

"Data Subject" means the natural person whose personal data is being processed.

"Sub-processor" means any third party engaged by the Processor to assist in processing personal data.

3. Scope and Purpose of Processing

3.1 Categories of Personal Data

The Processor may process the following categories of personal data on behalf of the Controller:

  • Contact information (names, email addresses, phone numbers)
  • Account and authentication data
  • Email content and metadata
  • Usage and analytics data
  • Payment and billing information
  • Communication preferences and settings
  • Technical data (IP addresses, device information)

3.2 Categories of Data Subjects

  • Controller's customers and end users
  • Controller's employees and representatives
  • Individuals whose email addresses are processed through the Service
  • Website visitors and service users

3.3 Processing Activities

The Processor will process personal data for the following purposes:

  • Providing AI email automation and routing services
  • Processing and analyzing email content for automation purposes
  • Managing user accounts and authentication
  • Providing customer support and technical assistance
  • Monitoring service performance and security
  • Complying with legal and regulatory obligations
  • Improving service functionality and user experience

4. Processor Obligations

4.1 Processing Instructions

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Not process personal data for any purpose other than those specified in this DPA
  • Immediately inform the Controller if any instruction violates applicable data protection laws
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations

4.2 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Employee training on data protection and security
  • Incident response and breach notification procedures
  • Physical security measures inherited from UK data-centre suppliers
  • Security controls aligned with the ISO/IEC 27001 control framework

4.3 Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject rights requests, including:

  • Access requests
  • Rectification and erasure requests
  • Data portability requests
  • Restriction of processing requests
  • Objection to processing requests

5. Sub-processors

5.1 Authorization

The Controller provides general authorization for the Processor to engage sub-processors, provided that:

  • The Processor maintains a list of current sub-processors
  • The Processor provides reasonable notice of any intended changes
  • The Controller has the right to object to new sub-processors
  • Sub-processors are bound by the same data protection obligations

5.2 Current Sub-processors

The Processor currently engages the following sub-processors. This list mirrors the canonical sub-processor list maintained at /trust. If the two surfaces diverge, the Trust Center is authoritative.

Sub-processor | Purpose | Region
Stripe Payments UK Ltd | Payment card processing | UK / EU
Stalwart Labs | Email server software (operated by us) | UK
Fasthosts Internet Ltd | VPS hosting (UK data centres) | UK
Cloudflare, Inc. | DNS and edge protection | Global; UK Addendum / SCCs
Anthropic, PBC | LLM inference for hosted agents (opt-in) | US; UK Addendum / SCCs
Backblaze, Inc. | Encrypted off-site backup (client-side encryption) | EU Central (Amsterdam); UK Addendum / SCCs

6. Data Transfers

Customer data, including email content and the audit logs derived from it, is stored within the United Kingdom and the European Economic Area. Where a sub-processor located outside the UK / EEA is engaged (notably Cloudflare for DNS and edge protection, and Anthropic for opt-in LLM inference), the Processor may transfer personal data to that sub-processor subject to appropriate safeguards, including:

  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the UK Addendum)
  • EU Standard Contractual Clauses (Commission Decision (EU) 2021/914)
  • UK or EU adequacy decisions where in force
  • Supplementary technical and organisational safeguards as required

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and within 24 hours of becoming aware
  • Provide detailed information about the nature and scope of the breach
  • Assist the Controller in meeting its breach notification obligations
  • Take immediate steps to contain and remediate the breach
  • Cooperate with any regulatory investigations

8. Data Retention and Deletion

The Processor shall:

  • Retain personal data only for as long as necessary to fulfill the purposes specified in this DPA
  • Delete or return personal data upon termination of the service agreement
  • Provide certification of deletion upon request
  • Comply with any specific retention requirements specified by the Controller

9. Audits and Compliance

The Processor shall:

  • Maintain records of all processing activities
  • Conduct regular security assessments and audits
  • Provide audit reports and compliance evidence upon request, under NDA where required
  • Allow for reasonable audits by the Controller or its representatives
  • Operate security controls aligned with the ISO/IEC 27001:2022 framework; pursue formal certification on a schedule published on the Trust Center

10. Liability and Indemnification

Each party shall be liable for any damages caused by its breach of this DPA. The Processor's liability for data protection violations shall be limited to direct damages, excluding indirect, consequential, or punitive damages.

The Controller shall indemnify the Processor against any claims arising from the Controller's violation of applicable data protection laws or breach of this DPA.

11. Term and Termination

This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination:

  • The Processor shall cease all processing of personal data
  • The Processor shall delete or return all personal data
  • The Processor shall provide certification of deletion
  • Confidentiality obligations shall survive termination

12. Governing Law and Jurisdiction

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA are subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact Information

For any questions regarding this Data Processing Agreement, please contact us:

Data Protection Officer: dpo@mailbuttons.com
Legal Team: legal@mailbuttons.com
Privacy Inquiries: privacy@mailbuttons.com
Postal address: Code Cutter Limited (trading as Mailbuttons), Unit 96 The Maltings Business Centre, Stanstead Abbotts, Ware, Herts, SG12 8HG, United Kingdom