Data Processing Agreement

📋 Note: This Data Processing Agreement ("DPA") is entered into between Hostao LLC ("Data Processor") and the Customer ("Data Controller") and is incorporated by reference into the BestEmail Terms of Service. By using BestEmail, you agree to the terms of this DPA.

1. Definitions

• "Controller" means the Customer (you), who determines the purposes and means of processing personal data.
• "Processor" means Hostao LLC, which processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection laws including GDPR, DPDPA 2023, and CCPA.
• "Processing" means any operation or set of operations performed on personal data (collection, storage, use, disclosure, erasure, etc.).
• "Sub-processor" means any third party engaged by Hostao LLC to process personal data on behalf of the Controller.

2. Scope and Purpose

This DPA applies to the processing of personal data by Hostao LLC in connection with the provision of BestEmail services. Hostao LLC will process personal data only:

• For the purpose of providing the BestEmail email marketing platform
• In accordance with the Customer's documented instructions
• As necessary to comply with applicable law

3. Nature of Personal Data Processed

The personal data processed under this DPA may include:

• Email addresses and contact information of your subscribers
• Names, phone numbers, and demographic data you upload
• Email engagement data (opens, clicks, bounces)
• IP addresses and device information for tracking purposes
• Custom fields and tags you add to subscriber profiles

4. Processor Obligations

Hostao LLC shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorised to process data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (Article 32 GDPR / Section 8 DPDPA)
• Not engage sub-processors without prior written authorisation from the Controller
• Assist the Controller in responding to data subject requests (access, erasure, portability, rectification)
• Notify the Controller of any personal data breach without undue delay and within 72 hours where feasible
• Delete or return all personal data upon termination of services
• Provide all information necessary to demonstrate compliance with this DPA

5. Controller Obligations

The Customer (Controller) agrees to:

• Have a lawful basis for collecting and processing subscriber personal data
• Obtain necessary consents from data subjects before uploading data to BestEmail
• Ensure that your use of BestEmail complies with all applicable laws including CAN-SPAM, GDPR, DPDPA 2023
• Not upload sensitive personal data (health, financial, biometric) without explicit consent

6. Sub-Processors

Hostao LLC currently uses the following categories of sub-processors:

• Cloud Infrastructure: AWS / Supabase (data storage and compute)
• Email Delivery: SMTP providers for email dispatch
• Analytics: Privacy-friendly analytics tools (no personal data shared)
• Payment Processing: Stripe / Razorpay (no subscriber data shared)

We will notify you of any changes to sub-processors with at least 14 days' notice.

7. Security Measures

Hostao LLC implements the following security measures:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and role-based permissions
• Regular security assessments and penetration testing
• SOC 2-aligned operational security practices
• Incident response procedures

8. International Data Transfers

BestEmail is operated by Hostao LLC, a US company. Data may be processed in the United States. For transfers from the EU/EEA, UK, or India, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) where required. By using BestEmail from these jurisdictions, you consent to this transfer.

9. Compliance with Indian DPDPA 2023

For Indian customers, Hostao LLC acknowledges its obligations under the Digital Personal Data Protection Act 2023:

• We will act as a "Data Fiduciary" with respect to your account data and as a "Data Processor" for your subscriber data
• We maintain a Grievance Officer for Indian data principals
• Grievance Officer: grievance@bestemail.in

10. Term and Termination

This DPA is effective for the duration of your BestEmail subscription. Upon termination, Hostao LLC will delete your personal data within 90 days unless retention is required by law.

11. Governing Law

This DPA is governed by the laws of the State of Wyoming, USA, consistent with the BestEmail Terms of Service.

12. Contact