Data Processing Agreement (DPA)
Version: 1.0 · Effective: 2026-06-03 · Document: DPA-1.0
This Data Processing Agreement ("DPA") is entered into between Huifi S.A. ("Processor"), operator of eMate Cloud Platform, and the natural or legal person who contracts the Services ("Controller"). The DPA complements the Master Service Agreement ("Terms") and applies to the Processing of Personal Data by the Processor on behalf of the Controller.
1. Definitions
- "Personal Data": any information about an identified or identifiable natural person under GDPR, LGPD, AR Ley 25.326 or other applicable law.
- "Processing": any operation performed on Personal Data (collection, storage, consultation, transmission, deletion, etc.).
- "Data Subject": the natural person to whom the Personal Data belongs.
- "Sub-processor": a third party engaged by the Processor that processes Personal Data on behalf of the Controller.
- "Security Breach": an incident that causes destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Subject and duration
- The Processor processes Personal Data exclusively to provide the Services contracted under the Terms.
- The duration of Processing matches the term of the Terms, save for retention required by the Processor's legal obligations (e.g. accounting records).
3. Nature and purpose of Processing
The Processor processes Personal Data to:
- Receive, process and store DMARC aggregate (RUA) and forensic (RUF) reports sent by third parties about the Controller's domains.
- Enrich those reports with public metadata (GeoIP, ASN, reputation) and show them in the Controller's dashboard.
- Generate alerts, executive reports and automated recommendations.
- Maintain user accounts, authentication, MFA, audit log and support.
4. Categories of Data Subjects and Data
| Data Subjects | Data categories |
|---|---|
| Controller's staff with dashboard access | Name, corporate email, role, password hash, encrypted TOTP seed, audit log |
| Senders sending mail on behalf of the Controller's domains | Source IP addresses, ASN, envelope-from domain, SPF/DKIM/DMARC result |
| Sales / support contacts | Email, name, ticket content |
5. Processor obligations (GDPR Art 28.3)
- Process Personal Data only on documented instructions from the Controller. Acceptance of the Terms + use of the Service constitute the initial instruction.
- Ensure authorised personnel have committed to confidentiality or are bound by a statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures (TOMs) under GDPR Art 32. TOM detail in Annex B.
- Not engage Sub-processors without the procedure of Article 7 of this DPA.
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, objection).
- Assist the Controller in complying with GDPR Articles 32 to 36.
- Delete or return all Personal Data at the end of Processing, at the Controller's choice, save for legal retention.
- Make available all information necessary to demonstrate compliance, and allow for reasonable audits under Article 10.
6. Data Subject rights
The Processor assists the Controller via:
- API + dashboard endpoints for `data-export` and `data-delete` (self-service when the Data Subject is a user of the Controller).
- Processing DSAR requests escalated to the Processor within a maximum of 30 calendar days.
7. Sub-processors
- The Controller authorises the Processor to engage the Sub-processors listed at /en/legal/sub-processors/ (Annex C).
- The Processor will notify the Controller at least 30 days in advance of any change to the Sub-processor list. The Controller may object within that period; reasoned objections may trigger the DPA termination flow.
- The Processor warrants that each Sub-processor signs equivalent data protection commitments.
8. International transfers
For transfers outside the EEA or the UK, the 2021 Standard Contractual Clauses (SCCs) are used, and where applicable the UK International Data Transfer Agreement (IDTA). Per-sub-processor detail in Annex C.
9. Security Breach notification
The Processor will notify the Controller of any Security Breach without undue delay, and in any event within 72 hours of detection. The notification will include:
- Nature of the Breach, including approximate categories and volumes of Data Subjects and records affected.
- DPO contact data.
- Likely consequences.
- Measures taken or proposed to mitigate the Breach.
10. Audits
On reasonable request and no more than once per year, the Controller may audit the Processor's compliance. The Processor satisfies this obligation by making available:
- The current SOC 2 Type II report (from May 2027 — currently Type I and ISO 27001 Phase 2 reports).
- Third-party pentests (executive summary) and the list of closed remediations.
- The public COMPLIANCE.md document.
On-site audits will be agreed with 30 days' notice, during business hours, under NDA. Reasonable costs are borne by the Controller unless the audit reveals material non-compliance.
11. Data deletion / return
At Service termination, the Processor:
- Makes available to the Controller, for up to 30 days, the ability to download the Personal Data in structured format (JSON / CSV).
- Securely deletes the Personal Data after 30 calendar days from termination, save for legal retention.
- Confirms deletion in writing at the Controller's request.
12. Liability
Liability is governed by the Master Service Agreement. Where the Master Agreement contains an aggregate liability cap, that cap applies to the Terms + DPA as a whole, save for cases of wilful misconduct, gross negligence or breach of fundamental data protection provisions.
13. Term and termination
This DPA has the same term as the Terms. Either party may terminate the DPA immediately if the other party commits a material breach not remedied within 30 days of notice.
14. Governing law and jurisdiction
This DPA is governed by the law agreed in the Master Service Agreement. For Processing subject to GDPR, mandatory rules of the European Union also apply.
Annex A — Processor details
Legal name: Huifi S.A.
Tax ID: 30-71234567-9
Registered office: Argentina
DPO: [email protected]
Notice contact: [email protected]
Annex B — Technical and organisational measures (TOMs)
- Encryption in transit: TLS 1.3 with AEAD cipher suites (origin) + TLS 1.3 on CDN edge.
- Encryption at rest: AES-256 (KMS managed by cloud provider).
- Multi-tenant isolation: Row Level Security on 67/67 relational tables + FORCE RLS verified in CI.
- Authentication: Mandatory MFA TOTP for every human user. 15-min JWT sessions with sliding refresh.
- Immutable audit log: Transactional outbox → queue → S3 Object Lock (WORM) with 7-year retention.
- Backups: daily automated with encryption and monthly restore verification.
- Vulnerability management: SAST (Semgrep), SCA (Trivy), Aikido on every PR. Annual third-party pentest.
- Credential rotation: JWT secret, DB password, IAM keys every 90 days via documented runbook.
- Operational posture: ISO 27001 Phase 2 in force; target SOC 2 Type II May 2027.
Living detail and mapping to SOC 2 / NIST CSF / ISO 27001:2022: COMPLIANCE.md.
Annex C — Sub-processors
Current list maintained at /en/legal/sub-processors/. Updates follow the procedure of Article 7 of this DPA.
Signatures
The parties express their agreement by signing two counterparts of equal content.
For the Controller
Full name: _______________________
Position: _______________________
Controller's legal name: _______________________
Date: _______________________
DPO / privacy contact: _______________________