Data Processing Agreement

1. Parties and scope

This Data Processing Agreement ("DPA") is entered into between FaxSeal ("Processor") and the customer entity accessing FaxSeal services ("Controller"). It supplements the Terms of Service and governs all processing of personal data by FaxSeal on behalf of the Controller in connection with the FaxSeal fax transmission service.

2. Definitions

• Personal data: Any information relating to an identified or identifiable natural person transmitted through or stored by the FaxSeal service, including email addresses of account holders and fax recipient numbers.
• Processing: Any operation performed on personal data, including collection, storage, transmission, retrieval, and deletion.
• Sub-processor: Any third party engaged by FaxSeal to process personal data in connection with providing the service.

3. Nature and purpose of processing

FaxSeal processes the following categories of data on behalf of the Controller:

• •Account holder email addresses — for authentication and delivery confirmations
• •Fax recipient telephone numbers — for transmission to the PSTN
• •PDF documents submitted for faxing — held for up to 24 hours then deleted
• •Fax job metadata (status, timestamps, page count) — retained 90 days then deleted
• •Sender IP addresses — logged for security and fraud prevention, retained 30 days

Processing is performed solely for the purpose of providing fax transmission services as instructed by the Controller. FaxSeal does not process personal data for its own commercial purposes or share it with third parties for marketing.

4. Controller instructions

FaxSeal processes personal data only on documented instructions from the Controller — primarily as specified in this DPA and the Terms of Service. FaxSeal will promptly notify the Controller if it believes an instruction infringes applicable data protection law.

5. Security measures

FaxSeal implements appropriate technical and organizational measures to protect personal data, including:

• •TLS 1.2+ encryption for all data in transit
• •Server-side encryption for all data at rest (Cloudflare R2)
• •Access controls limiting data access to authorized personnel only
• •Automatic deletion schedules enforced by cron jobs (documents: 24h, signed PDFs: 1h, job records: 90d)
• •HMAC signature verification on all inbound webhooks
• •Rate limiting and replay-attack prevention on public endpoints

Full security documentation is available at faxseal.com/security.

6. Sub-processors

FaxSeal engages the following sub-processors. The Controller authorizes use of these sub-processors by accepting this DPA. FaxSeal will notify Controllers of any changes to this list with at least 14 days notice.

7. Data subject rights

FaxSeal will assist the Controller in responding to data subject requests (access, correction, deletion, portability) to the extent technically feasible. Account holders may request deletion of their account and associated data at any time by contacting [email protected]. Requests will be fulfilled within 30 days.

8. Data breach notification

In the event of a personal data breach, FaxSeal will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — providing details of the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.

9. Deletion on termination

Upon termination of the service relationship, FaxSeal will delete or return all personal data within 30 days, and certify deletion upon request. Automated retention schedules will continue to apply during any wind-down period.

10. Governing law

This DPA is governed by the laws of the United States. Where the Controller is a government agency, applicable federal and state data protection statutes take precedence.

11. Contact & signed DPA

For a countersigned DPA for your organization, vendor security questionnaires, or compliance inquiries, contact: