Mail 4 AI
Sign in

Data Processing Agreement

v1.0-alphaLast updated:

title: Data Processing Agreement version: "1.0-alpha" lastUpdated: "2026-05-22"

This Data Processing Agreement ("DPA") is concluded between the User of Mail 4 AI ("Controller") and Castelis SAS ("Processor"), in accordance with Article 28 GDPR. It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with Mail 4 AI.

This DPA forms an integral part of the Terms of Service.

1. Definitions

Terms in this DPA have the meaning given in Article 4 GDPR. "Processing", "Personal Data", "Data Subject", "Sub-processor", "Supervisory Authority" are used as in the Regulation.

2. Subject matter and duration

The Processor processes Personal Data exclusively to operate Mail 4 AI for the Controller, for the duration of the Terms of Service.

3. Controller's instructions

The Processor will process Personal Data only on documented instructions from the Controller, including for transfers, unless required to do so by Union or Member State law. The configuration set by the Controller in the console (allowlists, agents, retention tier) constitutes documented instructions.

4. Annex 1 — Description of processing

  • Nature of processing: routing, storage, classification, antivirus/anti-spam scanning, MCP exposure of inbound and outbound email.
  • Purpose: enabling the Controller's AI agent to send and receive email under controlled conditions.
  • Categories of Data Subjects: email correspondents of the Controller and its agents.
  • Categories of Personal Data: email addresses, message content, attachments, technical headers, MIME metadata.
  • Retention: 30 days (FREE tier), 365 days (PRO tier, when introduced).

5. Obligations of the Processor (GDPR art. 28.3)

The Processor undertakes to:

  1. Process Personal Data only on the Controller's documented instructions.
  2. Ensure that persons authorised to process Personal Data are bound by confidentiality.
  3. Implement the technical and organisational measures set out in Annex 2.
  4. Use sub-processors only as listed in Annex 3; notify the Controller of any intended changes with reasonable prior notice and a right to object on reasonable grounds.
  5. Assist the Controller in fulfilling Data Subject rights requests (art. 15-22).
  6. Notify the Controller of a Personal Data breach without undue delay and within 72 hours of becoming aware of it.
  7. Assist with data protection impact assessments and prior consultations where reasonably required.
  8. Upon termination, delete or return all Personal Data to the Controller (Controller's choice), unless retention is required by law.
  9. Make available all information necessary to demonstrate compliance and allow audits (see clause 6).

6. Audits

The Controller may audit the Processor's compliance once per year, with at least 30 days' written notice, during business hours, in a manner that does not disrupt the Service. The Processor may rely on independent third-party audit reports to satisfy this obligation.

7. Annex 2 — Technical and organisational measures

  • Encryption: TLS 1.2+ for all data in transit; encrypted volumes for data at rest (PostgreSQL, MinIO object storage).
  • Tenant isolation: every record carries tenant_id; deny-by-default allowlists on send and receive.
  • Attachment safety: ClamAV scanning before any MCP exposure (status=clean required).
  • Trust boundary: every MCP response that surfaces external content carries an explicit trust_boundary marker.
  • Audit log: immutable, retained for 12 months.
  • Access control: MFA for privileged personnel, least-privilege role model, periodic access reviews.
  • Backups: encrypted, with documented recovery procedures.
  • Security testing: regular dependency scanning, periodic security review.

8. Annex 3 — Sub-processors

| Sub-processor | Service | Location | |---|---|---| | OVH SAS | Hosting infrastructure (compute, storage, network) | France, EU |

No other sub-processor is used during the alpha preview. Any future change will be notified to the Controller in advance with a right to object.

9. Annex 4 — International transfers

No transfer of Personal Data outside the European Union occurs during the alpha preview. All processing infrastructure is hosted within the EU at OVH. Should this change, the Processor will rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or another safeguard under art. 46 GDPR, and will notify the Controller in advance.

10. Liability and final provisions

The liability of the Processor under this DPA is governed by the Terms of Service. This DPA is governed by French law; disputes are subject to the courts of Créteil, France.