legal/dpa — postlane.dev

Last updated 22 June 2026

DPA

How we handle personal data we process on your behalf, and our Article 28 commitments, in plain terms.

§ 01

Scope and roles

This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Controller”) and Postlane (“Processor”) for the use of the Postlane service. It governs the processing of personal data that Postlane handles on your behalf as part of providing the service.

For the purposes of UK GDPR and EU GDPR Article 28, Postlane acts as a data processor when processing personal data on your instructions, and as a data controller for data it collects for its own purposes (such as your account data).

§ 02

Subject matter and duration

The subject matter of processing is the provision of the Postlane service, including draft post generation, post queue management, and licence verification. The duration of processing corresponds to the term of your Postlane subscription or active account, whichever is longer.

§ 03

Processing on your instructions

Postlane will process personal data only on your documented instructions, including those set out in our Terms of Service and this DPA, unless required to do otherwise by applicable law. In such cases, Postlane will inform you of that legal requirement before processing, unless prohibited by law.

Postlane will inform you without undue delay if, in its opinion, an instruction infringes applicable data protection law.

§ 04

Confidentiality

Postlane ensures that persons authorised to process personal data on its behalf have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

§ 05

Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Postlane implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include:

  • Encryption of personal data at rest and in transit (TLS 1.2+, AES-256)

  • Ongoing confidentiality, integrity, and availability assurance for processing systems

  • Regular testing and evaluation of technical and organisational security measures

  • Access controls limiting personal data access to authorised personnel on a need-to-know basis

  • Credential storage in OS-level keyrings, not application files or environment variables

  • Responsible disclosure programme — see /security for details

§ 06

Sub-processors

You authorise Postlane to engage the sub-processors listed at /subprocessors. Postlane will inform you of any intended changes to that list (additions or replacements), giving you the opportunity to object to such changes. All sub-processors are bound by data processing agreements providing equivalent protections to those in this DPA.

§ 07

International transfers

Where personal data is transferred outside the UK or EEA, Postlane relies on appropriate transfer mechanisms including standard contractual clauses (SCCs) as approved by the relevant supervisory authority, or adequacy decisions where applicable.

§ 08

Data subject requests

Postlane will assist you in fulfilling your obligations to respond to requests from data subjects exercising their rights under applicable data protection law. Where a data subject contacts Postlane directly regarding data processed on your behalf, Postlane will forward the request to you without undue delay and will not respond directly without your instruction, unless required by law.

§ 09

Personal data breach

Postlane will notify you without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting data processed on your behalf. The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.

§ 10

Audit and information

Postlane will make available to you all information necessary to demonstrate compliance with the obligations set out in this DPA, and will allow for and contribute to audits and inspections conducted by you or an auditor mandated by you, provided that such audits are conducted with reasonable notice, during normal business hours, and in a manner that minimises disruption to Postlane’s operations.

§ 11

Return or deletion

At your election, and upon termination of your account, Postlane will delete or return all personal data processed on your behalf, and delete any existing copies, unless applicable law requires storage of the personal data. You may request deletion at any time via the account deletion function in the desktop application or by contacting us.

§ 12

Governing law

This DPA and any dispute arising from it are governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction over any disputes arising under this DPA.

Need a countersigned copy?

Contact us and we will arrange a countersigned DPA.
