Data Processing Agreement

DPA, Art. 28 GDPR.

A real Data Processing Agreement between pulsemail (BLUN — Processor) and you, the Sender (Controller). Covers sub-processors, technical measures, transfers, audit rights, and termination. Auto-accepted upon use of the Service; signed paper copy available on request.

Effective: 2026-05-04
Processor: BLUN · Mayk Biletti
Legal basis: Art. 28 GDPR

1. Parties

This Data Processing Agreement (the "DPA") is entered into between the Controller and the Processor identified below, in connection with the underlying pulsemail service contract (the "Principal Agreement").

Controller: the Sender / Customer

Company name: [fill in legal entity / sole-trader name]
Registered address: [fill in registered address]
Contact: [fill in privacy contact + email]
Signing officer: [fill in name + role]

Processor: pulsemail (BLUN)

Trade name: BLUN
Owner: Mayk Biletti (sole proprietor)
Address: Sportplatzgasse 32b, 2443 Leithaprodersdorf, Austria
Email: blun.ai.app@gmail.com
Service brand: pulsemail / send.blun.ai
Tax status: Kleinunternehmer §6 Abs.1 Z 27 UStG

2. Subject matter & duration

The Processor processes personal data of the Controller's email subscribers ("Recipients") on behalf of the Controller for the sole purpose of providing the email-sending services described in the Principal Agreement. The duration of processing is co-extensive with the Principal Agreement: this DPA enters into force on the start date of the Principal Agreement and ends 30 days after its termination, subject to Section 10.

3. Nature & purpose of processing

  • Storage of Recipient contact data (email address, optional fields supplied by the Controller).
  • Transmission of email messages composed by the Controller, on the Controller's instruction.
  • Capture of delivery, open, and click telemetry generated by Recipient interaction with those messages.
  • Maintenance of a per-Controller suppression list (unsubscribes, hard bounces, complaints) for compliance.
  • Provision of dashboard, API, and webhook surfaces through which the Controller manages the above.
  • Pre-send compliance scanning (sender authentication, list-hygiene, suppression checks).

4. Categories of data subjects & data

Categories of data subjects

The Controller's email subscribers, customers, leads, transactional recipients — collectively the Recipients.

Categories of personal data

  • Email address (mandatory).
  • Name and other optional profile fields supplied by the Controller (e.g. country, locale, custom merge tags).
  • Consent state and timestamp, source of signup attribution, double-opt-in confirmation timestamp where applicable.
  • Suppression status: unsubscribe, hard bounce, soft bounce, spam complaint.
  • Engagement events: opens, clicks (with click target), forwards.
  • IP address at time of open or click (truncated to /24 for IPv4, /48 for IPv6 by default).
  • User-agent string of the email client at time of open.

The Processor does not request and does not knowingly process special categories of data per Art. 9 GDPR. The Controller undertakes not to upload special-category data without prior written agreement.

5. Obligations of the Processor

Per Art. 28(3) GDPR, the Processor shall:

  • (a) process Recipient personal data only on documented instructions from the Controller, including transfers to third countries (account configuration, dashboard actions, API calls, and explicit written instructions all qualify as documented instructions);
  • (b) ensure that personnel authorised to process the personal data have committed to confidentiality or are under an appropriate statutory confidentiality obligation;
  • (c) implement appropriate technical and organisational measures per Art. 32 GDPR — see Annex 2 (Section 7);
  • (d) respect the conditions of Art. 28(2) and 28(4) for engaging another processor — see Annex 1 (Section 6);
  • (e) assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling its obligation to respond to data-subject requests under Chapter III GDPR (Art. 12-23);
  • (f) assist the Controller in ensuring compliance with Art. 32-36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available to the Processor;
  • (g) at the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage;
  • (h) make available to the Controller all information necessary to demonstrate compliance with Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor — see Section 5.2.

5.1 Personal data breach

The Processor notifies the Controller of any personal data breach without undue delay and within no more than 72 hours of becoming aware, providing all information reasonably required by the Controller to comply with its own Art. 33 notification obligation.

5.2 Audit rights

The Controller may audit the Processor's compliance with this DPA once per calendar year on no less than 30 days' written notice. The Processor satisfies routine audit obligations by providing its current ISO/SOC reports, sub-processor list, and TOM documentation. On-site audits are conducted at the Controller's expense, during business hours, and subject to confidentiality undertakings.

Annex 1

6. Authorised sub-processors

The Controller hereby grants the Processor general authorisation to engage the sub-processors listed below. The Processor will inform the Controller of any intended addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object. Notification is via in-app banner and email to the Controller's registered admin contact.

Sub-processor | Location | Service | Transfer basis
Hetzner Online GmbH | Gunzenhausen, Germany (DE) | Hosting, storage, sending infrastructure, encrypted backups | EU only, no transfer
Stripe Payments Europe Ltd. | Dublin, Ireland (IE) | Payment processing for paid plans (Controller billing only) | EU; onward US under EU-US DPF + SCCs
BLUN AI gateway | Hetzner DE (in-house, EU) | Subject-line suggestions, send-time optimisation, copy review | EU only, no transfer
Apple Push Notification Service | United States | Dashboard push notifications (only if Controller opts in) | EU-US DPF + SCCs
Google (Firebase Cloud Messaging) | Ireland / United States | Dashboard push notifications (only if Controller opts in) | EU-US DPF + SCCs
Expo (650 Industries, Inc.) | United States | Push dispatch for the optional pulsemail mobile app | EU-US DPF + SCCs

The Processor warrants that contracts with each sub-processor impose data-protection obligations no less protective than those contained in this DPA.

Annex 2

7. Technical and organisational measures

The Processor implements the following measures per Art. 32 GDPR. The list is reviewed annually and updated as the threat landscape evolves; the current version is always the version published at this URL.

Encryption at rest

LUKS full-disk encryption on all production servers and backup volumes. Database column-level encryption for credentials.

Encryption in transit

TLS 1.3 for all dashboard, API, webhook, and SMTP traffic. HSTS preloaded; STARTTLS enforced on outbound where the receiving MX supports it.

Access control

Role-based access control on the dashboard. Mandatory MFA for admin and operator roles. SSH-key-only on infrastructure; no password authentication.

Audit logging

Append-only audit log of admin actions, data exports, sub-processor configuration changes, and key data-subject events. 12-month retention.

Backup & recovery

Encrypted off-host backups with 30-day rolling retention. Backups stored only within EU. Quarterly restore drills.

Data centre

Hetzner Nuremberg + Falkenstein, ISO 27001 certified, EU-only physical perimeter, biometric access controls, 24/7 monitoring.

Incident response

Documented incident-response runbook. On-call rotation. Breach notification within 72 hours. Post-mortem published to affected Controllers.

Pseudonymisation

IP addresses truncated at ingest; suppression list stored as salted hash; engagement events linked to pseudonymous IDs where possible.

8. International transfers

The default flow processes Recipient data exclusively within the European Union. Transfers to the United States occur only when the Controller opts in to mobile or desktop push notifications, in which case the Processor relies on:

  • The EU-US Data Privacy Framework for sub-processors that are DPF-certified;
  • The Standard Contractual Clauses (Module 3 — processor to sub-processor) where DPF coverage is unavailable or for redundancy;
  • Supplementary technical measures as described in Annex 2, including encryption in transit and minimisation of payload.

The Controller is informed of the transfer basis for each sub-processor in Annex 1.

9. Liability

The parties acknowledge the joint and several liability provisions of Art. 82 GDPR for damages caused to data subjects. Each party is liable for damages arising from non-compliance with its own obligations under this DPA. The Processor's liability under this DPA is, where legally permitted, capped at the limits set out in Section 8 of the Terms of Service; mandatory statutory liability remains unaffected.

10. Term & termination

This DPA enters into force on the start date of the Principal Agreement and remains in force for the duration of the Principal Agreement. Upon termination of the Principal Agreement, the Processor shall, at the Controller's choice expressed within 30 days of termination:

  • (i) Return all Recipient personal data to the Controller in CSV / JSON form via the dashboard export tool, and thereafter delete; or
  • (ii) Delete all Recipient personal data, with deletion confirmation provided in writing.

The suppression list (hashed unsubscribes / complaints / hard bounces) is retained indefinitely as part of the Processor's anti-abuse compliance, even after Controller account deletion. This retention is in the Processor's legitimate interest (Art. 6(1)(f)) and in the data subjects' interest in their suppression remaining honoured across the open email ecosystem; there is no mechanism by which a suppressed Recipient can opt back in to unwanted mail, so the entry cannot be reversed.

11. Governing law

This DPA is governed by Austrian law, excluding its conflict-of-law provisions. For B2B disputes, the exclusive place of jurisdiction is Eisenstadt, Austria, where legally permitted. Mandatory consumer-protection rights of the Controller's habitual residence within the EU remain unaffected. Where this DPA conflicts with the Principal Agreement, this DPA prevails on matters of data protection.

Signatures

By accepting the pulsemail Terms of Service and using the Service to process Recipient personal data, the Controller is deemed to have accepted this DPA. A counter-signed paper copy is available on request.

For the Controller
Name & role: ______________________
Signature & date: ______________________
Place: ______________________

For the Processor
Name & role: Mayk Biletti · Sole proprietor, BLUN
Signature & date: /s/ Mayk Biletti · 2026-05-04
Place: Leithaprodersdorf, Austria

Auto-acceptance. Per Section 13.6 of our Terms of Service, this DPA is auto-accepted by the Controller upon acceptance of those Terms and is deemed an integral part of the Principal Agreement under Art. 28(3) GDPR. No separate signature is required for the DPA to take effect.

Operator contact for DPA matters: BLUN — Mayk Biletti, Sportplatzgasse 32b, 2443 Leithaprodersdorf, Austria · blun.ai.app@gmail.com