Data Processing Addendum

Last updated: May 12, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Sponge Labs LLC ("MailStream," "Processor") for the MailStream Service when MailStream processes personal data on behalf of Customer under applicable data protection laws (including the GDPR and UK GDPR). If you are a consumer mailing only on your own behalf, this DPA may not apply; our Privacy Policy governs instead.

1. Definitions

"Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Supervisory Authority" have the meanings given in applicable law. "Agreement" means the Terms of Service, order form, or other contract governing use of the Service.

2. Roles

The parties acknowledge that for the Processing described in this DPA, Customer is the Controller and MailStream is the Processor. Where Customer acts as a Processor on behalf of another Controller, Customer warrants it has authority to bind that Controller and remains responsible for Customer's instructions.

3. Details of processing

  • Subject matter: provision of programmatic and self-serve physical mail fulfillment, including address verification, production, postage, and delivery.
  • Duration: for the term of the Agreement and thereafter as required by law or the Privacy Policy.
  • Nature and purpose: Processing Personal Data solely to perform the Service in accordance with Customer's documented instructions (including the Agreement and job configuration).
  • Categories of Data Subjects: recipients identified in Customer mailing lists; Customer personnel who administer accounts; other individuals Customer includes in mail pieces or support correspondence.
  • Categories of Personal Data: contact and postal details (name, address, company, title), identifiers Customer provides, message content in creative assets, and technical metadata necessary to process jobs.
  • Special categories: Customer must not submit special categories of personal data (for example health data) unless strictly necessary and lawful; MailStream does not intend to process such data and may reject jobs that include it.

4. Customer instructions

MailStream will process Personal Data only on documented instructions from Customer, including with regard to transfers to third countries, unless required to process by applicable law (in which case MailStream will inform Customer of that legal requirement before processing, unless prohibited from informing Customer on important grounds of public interest).

5. Processor obligations

MailStream will:

  • Ensure persons authorized to process Personal Data are bound by confidentiality;
  • Implement appropriate technical and organizational measures taking into account the state of the art, costs, and risks;
  • Assist Customer, considering the nature of processing, with appropriate technical and organizational measures for fulfillment of Customer's obligation to respond to requests from Data Subjects, and with Customer's data protection impact assessments and prior consultations with Supervisory Authorities where applicable;
  • Notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer data;
  • At the end of the provision of the Service, delete or return Personal Data as described in the Agreement and Privacy Policy, unless storage is required by law.

6. Sub-processors

Customer authorizes MailStream to engage sub-processors to support the Service (for example cloud hosting, print and mail partners, address verification, payment, and support tools). MailStream will impose data protection terms on sub-processors that materially meet the requirements of this DPA. A current list of sub-processors is available upon request and may be updated; where required by law, MailStream will give notice of changes and a reasonable opportunity to object to new sub-processors that materially increase risk.

7. Audits

On reasonable written request, MailStream will make available information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to confidentiality, no more than once per year except following a substantiated concern, and during business hours without disrupting operations.

8. International transfers

Where Personal Data originating in the EEA, UK, or Switzerland is transferred to countries not recognized as adequate, MailStream will implement appropriate safeguards (for example standard contractual clauses) and supplementary measures where required.

9. Conflict

In the event of conflict between this DPA and the Agreement, the terms that provide stronger protection for Personal Data will prevail, except where the Agreement explicitly states otherwise for a specific topic.

Data protection contact: hello@mailstream.app.