Data Processing Agreement
- Service: IXmail (ixmailer.com)
- Effective: 16 May 2026
- Version: 1.0
Between
- Processor: Innovatex Digital FZCO — License No. 49371, IFZA Business Park, Dubai Silicon Oasis, UAE
- Controller: Customer — the legal entity that has agreed to the Terms of Service of the IXmail Service
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service ("Agreement") between Innovatex and Customer. It applies where Innovatex processes Personal Data on behalf of Customer in connection with the IXmail service.
1. Definitions
Terms used in this DPA and not otherwise defined have the meaning given in the GDPR, UK GDPR, or UAE PDPL as applicable.
- Applicable Data Protection Law: The GDPR, UK GDPR, UAE PDPL, and any other applicable data protection laws to which Customer is subject.
- Personal Data: Any information relating to an identified or identifiable natural person processed by Innovatex on behalf of Customer through the Service.
- Sub-processor: Any third party engaged by Innovatex to process Personal Data on its behalf.
- SCCs: The Standard Contractual Clauses approved by the European Commission for transfers of Personal Data to third countries.
2. Scope and Roles
2.1 Customer is the Controller and Innovatex is the Processor of Personal Data processed in connection with the Service.
2.2 The subject matter, duration, nature, and purpose of processing, categories of Personal Data, and categories of data subjects are described in Annex 1.
2.3 Innovatex will process Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by law. Where Innovatex is required to process for legal reasons, it will notify Customer where lawful to do so.
3. Processor Obligations
Innovatex will:
- Process Personal Data only as set out in this DPA and Customer's documented instructions
- Ensure persons authorized to process Personal Data are bound by confidentiality
- Implement and maintain appropriate technical and organizational measures, as set out in Annex 2
- Assist Customer, taking into account the nature of processing and information available, in fulfilling its obligations to respond to data-subject rights requests
- Assist Customer in ensuring compliance with security, breach-notification, data protection impact assessment, and prior-consultation obligations
- Notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting Customer Data
- Make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR (or equivalent)
- On termination of the Agreement, at Customer's choice, delete or return all Personal Data, subject to applicable legal retention requirements
4. Controller Obligations
Customer will:
- Comply with its obligations under Applicable Data Protection Law as a Controller
- Provide lawful instructions to Innovatex
- Ensure that the processing instructed (including data transfers and the use of Sub-processors) is lawful
- Obtain and maintain valid consents or other lawful bases for processing Personal Data of its recipients and other data subjects
- Promptly address data-subject rights requests, with Innovatex's reasonable assistance
Customer is responsible for the legal basis of recipient data uploaded to the Service.
5. Sub-processors
5.1 Customer grants Innovatex general authorization to engage Sub-processors to provide the Service, subject to this Section.
5.2 The current list of Sub-processors is published at ixmailer.com/sub-processors.
5.3 Innovatex will:
- Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA
- Remain liable to Customer for the acts and omissions of Sub-processors with respect to Personal Data, subject to the liability limitations in the Agreement
5.4 Innovatex will notify Customer of intended changes to Sub-processors with at least 30 days' notice via email or in-product. Customer may object on reasonable grounds within 15 days. If the objection cannot be resolved, Customer's exclusive remedy is to terminate the affected portion of the Service.
6. International Data Transfers
6.1 Where Innovatex transfers Personal Data of EU/EEA, UK, or Swiss data subjects outside the EEA/UK/Switzerland, the Standard Contractual Clauses (and, where applicable, the UK International Data Transfer Addendum or Swiss adaptations) are deemed incorporated into this DPA. The relevant Modules apply based on the parties' roles (typically Module Two — controller-to-processor).
6.2 For UAE PDPL transfers outside the UAE, Innovatex applies the safeguards required under Article 22 PDPL.
6.3 Customer authorizes the transfers described in Annex 1 and to the Sub-processors listed at ixmailer.com/sub-processors.
7. Data Subject Rights
7.1 Where reasonably possible, Innovatex will assist Customer through appropriate technical and organizational measures in responding to data-subject requests under Articles 15–22 GDPR (or equivalent).
7.2 Customer is responsible for evaluating each request and providing the response.
7.3 If Innovatex receives a request directly from a data subject relating to Customer Data, Innovatex will forward it to Customer without responding directly (unless directed otherwise by Customer).
8. Personal Data Breach
8.1 Innovatex will notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting Customer Data.
8.2 The notification will include, to the extent then known:
- Nature of the breach and categories and approximate numbers of data subjects and records affected
- Likely consequences
- Measures taken or proposed to address the breach and mitigate adverse effects
8.3 Innovatex will cooperate with Customer's reasonable investigations.
9. Audits
9.1 Innovatex will make available to Customer, on reasonable written request no more than once per 12-month period, summary information about its security and privacy practices sufficient to demonstrate compliance with this DPA.
9.2 In lieu of on-site audits, Customer accepts the following as adequate evidence of Innovatex's compliance:
- SOC 2 reports (when available)
- ISO 27001 certifications (when available)
- Documented results of independent third-party audits
- Innovatex's written responses to Customer's reasonable inquiries
9.3 If Customer has a reasonable basis to require an on-site audit and the standard evidence is insufficient, Innovatex will permit such an audit subject to:
- 30 days' prior written notice
- A mutually agreed scope, schedule, and confidentiality agreement
- Conduct during normal business hours, in a manner not unreasonably disruptive
- Customer bearing all costs of the audit
- Conduct of the audit by Customer or an independent third-party auditor (not a competitor of Innovatex), bound by confidentiality
9.4 Customer's audit rights are exercisable not more than once per 12-month period, except in the event of a confirmed Personal Data Breach.
10. Liability
10.1 The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
10.2 To the maximum extent permitted by Applicable Data Protection Law, the total aggregate liability of each party arising out of or related to this DPA is included within and not in addition to the liability cap in the Agreement.
11. Term
This DPA enters into force on the Effective Date and continues for as long as Innovatex processes Personal Data on behalf of Customer.
12. Modifications
Innovatex may amend this DPA to reflect changes in Applicable Data Protection Law or operational improvements. Material changes will be notified with at least 30 days' notice. Continued use of the Service constitutes acceptance.
13. Governing Law
This DPA is governed by the law specified in the Agreement.
14. Order of Precedence
In the event of conflict between this DPA, the Agreement, and any SCCs, the order of precedence is:
- The applicable SCCs
- This DPA
- The Agreement
Annex 1 — Description of Processing
Subject matter and duration
Processing of Personal Data to provide the IXmail email infrastructure service, for the duration of the Agreement.
Nature and purpose
Sending email on behalf of Customer to recipients identified by Customer, including transmission, queueing, delivery attempts, bounce and complaint handling, suppression management, logging, analytics, and storage.
Categories of Personal Data
- Recipient identifiers (email address, name, custom fields supplied by Customer)
- Message content and metadata (subject, body, attachments, headers, send time)
- Engagement events (delivery, bounce, open, click, complaint, unsubscribe)
- Authentication and security data related to Customer's sending domains
Categories of Data Subjects
Recipients of email sent by Customer, contacts on Customer's mailing lists, end users of Customer's products receiving transactional mail.
Frequency of processing
Continuous for the duration of the Agreement.
Retention
Personal Data is retained as set out in the Privacy Policy and per Customer instruction. On termination, Personal Data is deleted or returned within 90 days, subject to applicable legal retention.
Recipients of Personal Data
Innovatex personnel bound by confidentiality and authorized Sub-processors listed at ixmailer.com/sub-processors.
Transfers to third countries
As described in Section 6 and at ixmailer.com/sub-processors.
Annex 2 — Technical and Organizational Measures
Innovatex implements the following measures (subject to ongoing improvement):
1. Encryption
- TLS 1.2+ in transit for all customer-facing endpoints
- MTA-STS + TLS-RPT published for receiving domains (RFC 8461 / 8460)
- AES-256 encryption at rest for sensitive data stores
- HMAC-signed tracking links and webhook signatures
2. Access Control
- Role-based access control (RBAC) with least privilege
- Multi-factor authentication enforced for administrative access (TOTP)
- Audit logging of administrative actions (hash-chained, append-only)
3. Network Security
- Firewalls and network segmentation
- IP-pool isolation (transactional vs. campaign pools)
- DDoS mitigation via Cloudflare
- Regular vulnerability scanning
- DNSBL self-monitoring (Spamhaus, SpamCop, Barracuda, SORBS) every 30 minutes with alerts on first listing
4. Application Security
- Secure development lifecycle
- Code review for changes affecting personal data
- Dependency scanning
- Pre-send content scoring (12-rule heuristic) to prevent abuse
5. Operational Security
- Daily encrypted database backups with 14-day retention (Cloudflare R2, WEUR)
- WAL streaming for continuous point-in-time recovery
- Multi-check health monitoring (Postgres, NATS, API, bounce-handler, inbound-receiver, UDP overlay)
- Documented incident-response procedures
- Per-workspace + per-campaign abuse circuit breakers (auto-pause on 0.3% complaint or 5% bounce rate)
6. Personnel
- Confidentiality agreements
- Security training
- Background checks for senior engineering and operations staff (where lawful)
7. Sub-processor management
- Documented Sub-processor list maintained publicly
- Sub-processor obligations flowed down by contract
- Periodic review of Sub-processor security posture
8. Data Subject Rights Support
- Tools and procedures to support deletion, export, and rectification
- Designated privacy contact (privacy@innovatex.ae)
9. Breach Response
- 24/7 monitoring and on-call rotation (Telegram alerting)
- Documented breach response procedure
- 72-hour notification commitment to Customers