For Business Customers: This DPA applies automatically to all Organisation plan customers and any business customer who requests it. It governs how BakersGuild Limited processes personal data on your behalf as a data processor.
1. Background and Definitions
This Data Processing Agreement ("DPA") forms part of the agreement between BakersGuild Limited ("Processor", "we") and the Customer ("Controller", "you") for use of the Mail-Organiser service.
This DPA is entered into pursuant to Article 28 of UK GDPR and the Data Protection Act 2018. It governs the processing of personal data by BakersGuild Limited on behalf of the Customer in connection with the provision of the Mail-Organiser service.
1.1 Definitions
- "Personal Data" has the meaning given in UK GDPR Article 4(1)
- "Processing" has the meaning given in UK GDPR Article 4(2)
- "Data Subject" means the individuals whose personal data is processed (primarily the Customer's employees or the Customer themselves)
- "Sub-processor" means any processor engaged by BakersGuild Limited to process personal data under this DPA
- "UK GDPR" means Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
2. Details of Processing
| Element | Detail |
|---|
| Subject matter | Email metadata classification and inbox organisation for Microsoft Outlook |
| Duration | For the term of the service agreement and as required for legal compliance thereafter |
| Nature of processing | Collection, storage, analysis, classification, and deletion of email metadata |
| Purpose of processing | Providing the Mail-Organiser email classification and organisation service |
| Types of personal data | Email addresses, display names, subject lines, message IDs, timestamps, folder locations |
| Categories of data subjects | Employees and contacts of the Controller who send or receive emails via connected accounts |
3. Obligations of the Processor
BakersGuild Limited shall, in its capacity as data processor:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law (in which case BakersGuild Limited shall inform the Controller before processing, unless prohibited from doing so)
- Ensure that all persons authorised to process personal data have committed themselves to appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures in accordance with Article 32 UK GDPR, as described in Schedule 1 of this DPA
- Not engage any sub-processor without the prior general written authorisation of the Controller. The Controller hereby grants general authorisation for the sub-processors listed in Schedule 2. BakersGuild Limited shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' notice
- Assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of UK GDPR
- Assist the Controller in ensuring compliance with Articles 32–36 of UK GDPR (security, breach notification, DPIA, prior consultation)
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of UK GDPR, and allow for and contribute to audits and inspections conducted by the Controller or its authorised auditor (subject to reasonable advance notice and confidentiality obligations)
4. Obligations of the Controller
The Controller shall:
- Ensure it has a valid legal basis for processing the personal data it provides to BakersGuild Limited for processing
- Provide BakersGuild Limited with documented instructions regarding the processing of personal data
- Ensure that data subjects have been informed of the processing in accordance with their rights under UK GDPR
- Comply with all applicable data protection laws and regulations
- Ensure that the scope of data processing required under the service is lawful and does not exceed what is necessary for the stated purposes
5. International Data Transfers
Some sub-processors process personal data outside the UK/EEA. BakersGuild Limited shall ensure that all transfers to third countries are made subject to appropriate safeguards, including International Data Transfer Agreements (IDTAs) approved by the UK ICO or equivalent Standard Contractual Clauses. Details of transfers and applicable safeguards are set out in Schedule 2.
6. Security Measures
BakersGuild Limited implements the following technical and organisational measures:
- Encryption of personal data in transit (TLS 1.3 minimum) and at rest
- Pseudonymisation of personal data where technically feasible
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- Process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures
- Role-based access controls limiting staff access to personal data to what is necessary
- Audit logging of access to personal data systems
7. Data Breach Notification
BakersGuild Limited shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach involving data processed on the Controller's behalf. Such notification shall include, to the extent available:
- Description of the nature of the breach including categories and approximate number of data subjects and records
- Name and contact details of the Data Protection contact
- Description of the likely consequences
- Description of the measures taken or proposed to address the breach
8. Sub-processors
BakersGuild Limited currently engages the following approved sub-processors for processing of Customer personal data:
| Sub-processor | Purpose | Location | Safeguard |
|---|
| Cloudflare, Inc. | Infrastructure, compute, database | EU/UK edge | Cloudflare DPA / SCCs |
| Microsoft Corporation | Outlook Graph API integration | EU data boundary | Microsoft DPA / EU Data Boundary |
| Anthropic, PBC | AI classification (metadata only) | USA | IDTA / SCCs |
| Stripe, Inc. | Payment processing | EU/UK | Stripe DPA / SCCs |
| Resend, Inc. | Transactional email | USA | IDTA / SCCs |
Full details available at mail-organiser.com/sub-processors.
9. Term and Termination
This DPA shall remain in force for the duration of the service agreement between the parties. On termination of the service agreement, BakersGuild Limited shall, unless prohibited by applicable law, delete or return all personal data to the Controller within 30 days of the effective date of termination.
10. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
11. Requesting This DPA
Individual consumers using the Mail-Organiser service in a personal capacity are subject to the Privacy Policy rather than this DPA. Business customers requiring a signed version of this DPA for their own compliance records should contact legal@mail-organiser.com.