Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between the Customer and Kristiyan Tsvetanov, a UK-based sole trader trading as "Warmerly" ("Warmerly", "we", "us"). It supplements our Terms of Service and applies where Warmerly processes personal data on your behalf as a processor under UK GDPR and EU GDPR.
1. Definitions
Terms not defined here have the meaning set out in the UK GDPR and EU GDPR. "Customer" means the entity that has signed up to Warmerly. "Personal Data" means information relating to an identified or identifiable person. "Warmerly" means Kristiyan Tsvetanov, trading as Warmerly, a UK sole trader (not a limited company).
2. Subject matter and duration
The subject matter is Warmerly's processing of Customer's mailbox data for the purpose of providing email warmup. Duration is the term of the Customer's subscription, plus the 90-day retention period after termination.
3. Nature and purpose of processing
Authentication, storage (encrypted) of OAuth tokens, sending and receiving warmup mail through Customer's authorised mailboxes, computing health metrics, and providing the dashboard.
4. Categories of data and data subjects
- Customer account holders: name, email, hashed password, billing info, IP, user-agent.
- Mailbox data subjects (people in the From/To headers of warmup mail): only addresses participating in warmup, used solely for sending and receiving warmup messages.
5. Sub-processors
Warmerly uses the following sub-processors:
- Hetzner Online GmbH (EU hosting, Falkenstein and Helsinki)
- Cloudflare Inc. (DDoS protection and CDN, with EU-only data setting where applicable)
- Stripe Payments Europe Ltd. (billing)
- Postmark / SendGrid (transactional email for service notifications)
- Plausible Analytics (privacy-preserving analytics, EU-hosted)
We will provide 30 days' notice of any new sub-processor. You may object in writing; if your objection cannot be resolved, you may terminate the affected portion of the service.
6. International transfers
Personal data is stored and processed within the European Economic Area. Where any sub-processor processes data outside the EEA (e.g., for support purposes), we rely on the Standard Contractual Clauses (SCCs) and supplementary measures as set out by the European Commission.
7. Security
- OAuth tokens encrypted with AES-256-GCM at rest.
- Passwords hashed with Argon2id.
- All traffic encrypted with TLS 1.2+.
- Role-based access control, audit logged.
- Annual third-party penetration testing.
- Documented incident response plan.
8. Personal data breaches
We will notify the Customer without undue delay (and within 72 hours where feasible) of becoming aware of a personal data breach affecting Customer data, with sufficient detail to enable the Customer to meet its own notification obligations.
9. Data subject requests
Warmerly will assist the Customer in responding to data subject requests within statutory timeframes, either through self-service tooling or via support request to [email protected].
10. Audit
Customers on Agency or higher plans may request a remote audit of Warmerly's security posture once per calendar year, by giving 30 days' notice. We will provide reasonable evidence including SOC 2 reports (when available) and answer pre-agreed audit questionnaires.
11. Deletion
On termination, Warmerly will delete Customer data within 90 days, except where retention is required by law. A deletion certificate is available on request.
12. Contact
Warmerly is operated by Kristiyan Tsvetanov (sole trader), United Kingdom. For DPA questions or to request a signed copy, email [email protected].