Data Processing Addendum
Last updated July 1, 2026
Effective date: July 1, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Alexander Duggleby, a sole proprietor operating as SimpleNewsletter365 (“SimpleNewsletter365,” “Processor”) and the customer (“Controller”). It governs the processing of personal data that the Controller submits to the Service.
1. Roles
The Controller determines the purposes and means of processing its audience data. The Processor processes that data only on the Controller’s documented instructions, which include the Terms, this DPA, and the Controller’s use of the Service’s features.
2. Subject matter and details of processing
- Subject matter: provision of the SimpleNewsletter365 newsletter service.
- Duration: for the term of the agreement, plus the deletion windows below.
- Nature and purpose: storing contacts and audience data, hosting signup forms, composing newsletters, sending them through the Controller’s own Microsoft 365 mailbox, and generating delivery and engagement reports.
- Types of personal data: contact and recipient email addresses, names, organization, custom fields, subscription status, segment membership, signup form submissions (with hashed email and hashed client IP), newsletter content, and delivery outcomes.
- Categories of data subjects: the Controller’s contacts, subscribers, and newsletter recipients.
3. Processor obligations
The Processor will:
- Process personal data only on documented instructions, including for international transfers, unless required by law.
- Ensure personnel authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Section 6).
- Assist the Controller, taking into account the nature of processing, with data subject requests and with security, breach notification, and impact assessments.
- Make available information needed to demonstrate compliance.
4. Subprocessors
The Controller authorizes the Processor to engage subprocessors listed at Subprocessors. The core infrastructure subprocessor is Microsoft Azure. Newsletters are transmitted through the Controller’s own Microsoft 365 mailbox using Microsoft Graph, so Microsoft also acts in the sending path. The Processor imposes data protection obligations on subprocessors that are no less protective than this DPA, and remains responsible for their performance. The Processor will give notice of intended changes to subprocessors and a chance to object.
5. Data subject rights and instructions
Because audience data belongs to the Controller, the Processor will, where feasible, provide self-service tools that let the Controller export and delete account data and honor unsubscribe requests. If the Processor receives a request directly from a data subject, it will refer the request to the Controller.
6. Security measures
The Processor maintains measures including:
- Encryption in transit and at rest.
- Tenant and account isolation: every account-owned record carries tenant and account identifiers and is queried through enforced account scope.
- Microsoft tokens held server-side only; delegated refresh tokens encrypted with ASP.NET Core Data Protection and, in production, wrapped by an Azure Key Vault key accessed through managed identity.
- Logging that uses identifiers, hashes, statuses, counts, and durations rather than email content, recipient lists, tokens, or payloads.
- Public signup endpoints protected by hashing, challenge (ALTCHA), optional double opt-in, origin allowlisting, and rate limiting.
- Least-privilege access controls and audit logging of administrative actions.
7. Personal data breach
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and will provide information reasonably available to help the Controller meet its notification obligations.
8. International transfers
Where the Processor transfers personal data across borders, it relies on appropriate safeguards such as the Standard Contractual Clauses, which are incorporated by reference where applicable.
9. Return and deletion
On termination, or on the Controller’s request, the Processor will delete account-scoped personal data and stored image assets. Subscriber history is retained as append-only audit evidence with email and actor email fields anonymized. Encrypted mailbox token material is revoked and deleted and is never exported. Hashed signup-form audit and rate-limit rows are purged on a short cycle (currently seven days). Unsubscribe state is retained as needed to honor opt-outs. The Processor will delete or anonymize remaining data except where retention is required by law.
10. Audits
The Processor will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, subject to reasonable confidentiality and security conditions.
11. Liability and precedence
Liability under this DPA is subject to the limitations in the Terms. If this DPA conflicts with the Terms on the processing of personal data, this DPA controls.
Contact
Data protection contact: [email protected].