ice.email

Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ice.email ("Processor") and the user ("Controller") and governs the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.

"Processing" means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, or erasure.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 GDPR.

2. Processing Details

Subject Matter and Duration

The Processor will process Personal Data for the duration of the service agreement to provide email hosting, marketing automation, and related communication services.

Nature and Purpose

Processing includes storing, transmitting, and managing email messages, subscriber lists, campaign analytics, and user account information to deliver the ice.email service.

Types of Personal Data

Email addresses, names, IP addresses, email content, subscriber metadata, campaign interaction data (opens, clicks), and account credentials.

Categories of Data Subjects

Account holders (Controller's employees/agents), email recipients, and marketing subscribers.

3. Data Controller Obligations

  • Ensure a lawful basis for processing Personal Data (e.g., consent, legitimate interest, contractual necessity).
  • Provide clear privacy notices to Data Subjects regarding the processing of their data.
  • Ensure that marketing emails comply with applicable anti-spam laws and include unsubscribe mechanisms.
  • Promptly notify the Processor of any Data Subject requests that require the Processor's assistance.

4. Data Processor Obligations

  • Process Personal Data only on documented instructions from the Controller unless required by law.
  • Ensure all personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure security of processing.
  • Assist the Controller in responding to Data Subject requests and regulatory obligations.
  • Delete or return all Personal Data upon termination of the service, at the Controller's choice.

5. Sub-processors

The Processor will not engage any Sub-processor without prior written authorization from the Controller. The Processor maintains a list of approved Sub-processors and will notify the Controller of any intended changes at least 30 days in advance.

Current Sub-processors

Hetzner Online GmbH (infrastructure hosting, Germany) - Server and data storage.

6. Data Subject Rights

The Processor will assist the Controller in fulfilling obligations to respond to Data Subject requests, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to restriction of processing (Article 18 GDPR)

7. Security Measures

The Processor implements the following technical and organizational measures:

TLS 1.3 encryption in transit
AES-256 encryption at rest
Role-based access control
Multi-factor authentication
Regular security audits
Intrusion detection systems
Automated backup systems
Incident response procedures

8. Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Audit Rights

The Processor will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR obligations and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable notice and during normal business hours.

10. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • The Processor will cease processing Personal Data on behalf of the Controller.
  • At the Controller's election, the Processor will delete or return all Personal Data within 30 days.
  • The Processor will provide certification of data deletion upon request.

Questions?

For questions about this Data Processing Agreement, please contact our Data Protection Officer at dpo@ice.email.