Data Processing Agreement

For business customers — how SafeToOpen processes personal data on your behalf, with GDPR and CCPA/CPRA commitments.

Last updated: June 2, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between SafeToOpen Limited and its subsidiaries (“SafeToOpen,” “we,” “us,” or “our”) and the customer (“Controller” or “Customer”) that subscribes to the Services (the “Agreement”), and governs the processing of Customer Personal Data. Where there is a conflict, this DPA governs in respect of data protection. This DPA is a template for business customers and should be reviewed alongside your signed Agreement.

1. Definitions

Controller/Business: the entity that determines the purposes and means of processing Customer Personal Data.

Processor/Service Provider: SafeToOpen, which processes Customer Personal Data on the Customer’s behalf.

Customer Personal Data: personal data processed by SafeToOpen on behalf of the Customer under the Agreement.

Terms such as “processing,” “data subject,” and “personal data breach” have the meanings given under applicable data-protection law (including GDPR and CCPA/CPRA).

2. Processing of Customer Personal Data

2.1 The Customer is the Controller/Business and SafeToOpen is the Processor/Service Provider.

2.2 SafeToOpen processes Customer Personal Data only on the Customer’s documented instructions (including as set out in the Agreement and this DPA), and as required by law.

2.3 SafeToOpen will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.

3. Data subject rights

3.1 Taking into account the nature of the processing, SafeToOpen will, to the extent legally permitted, assist the Customer in responding to data-subject requests (access, correction, deletion, objection, portability).

3.2 If SafeToOpen receives a request directly, it will, where lawful, direct the data subject to the Customer.

4. Security

4.1 SafeToOpen implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, having regard to the state of the art and the risks involved.

4.2 SafeToOpen maintains an information-security programme aligned to ISO/IEC 27001:2022.

4.3 The Customer is responsible for assessing whether those measures meet its requirements and for its own configuration and use of the Services.

5. Sub-processors

5.1 The Customer authorises SafeToOpen to engage sub-processors to deliver the Services.

5.2 SafeToOpen maintains a list of sub-processors and will give the Customer a reasonable opportunity to object to changes.

5.3 SafeToOpen remains responsible for its sub-processors’ performance of the obligations in this DPA.

6. International data transfers

SafeToOpen will transfer Customer Personal Data across borders only where an appropriate transfer mechanism is in place (such as EU Standard Contractual Clauses or the UK IDTA) or another lawful basis applies.

7. Personal data breach notification

If SafeToOpen becomes aware of a personal data breach affecting Customer Personal Data, it will notify the Customer without undue delay and provide information reasonably available to assist the Customer in meeting its own notification obligations. A notification is not an acknowledgement of fault or liability.

8. CCPA/CPRA

Where the Customer is subject to CCPA/CPRA, SafeToOpen acts as a Service Provider and will not sell or share Customer Personal Data, nor retain, use, or disclose it for any purpose other than performing the Services or as permitted by law.

9. Deletion or return of data

On termination of the Agreement, SafeToOpen will, at the Customer’s request, return or permanently delete Customer Personal Data, unless retention is required by law.

10. Audits

SafeToOpen will make available information reasonably necessary to demonstrate compliance with this DPA. On reasonable notice and subject to confidentiality, the Customer may audit compliance no more than once a year (unless required by a supervisory authority), in a manner that does not unduly disrupt SafeToOpen’s operations.

11. Liability

SafeToOpen’s liability under this DPA is subject to, and counts towards, the exclusions and limitations of liability set out in the main Agreement and in our Terms of Use, including the cap on aggregate liability. Nothing in this DPA increases SafeToOpen’s liability beyond what is stated there, except to the extent required by mandatory law.

12. Term

This DPA remains in effect for as long as SafeToOpen processes Customer Personal Data on the Customer’s behalf.

13. Contact

Questions about this DPA? Email [email protected].

Annex 1 — Details of processing

Subject matter: processing of Customer Personal Data in connection with the Services.

Duration: the term of the Agreement and until deletion or return of data.

Nature and purpose: providing, maintaining, and improving the Services, including phishing and threat detection and related security functions.

Types of data: as determined by the Customer’s configuration and use (which may include contact details, account identifiers, and technical data such as hashed domain names).

Categories of data subjects: the Customer’s authorised users and other individuals whose data the Customer submits.

© 2026 SafeToOpen Limited and its subsidiaries. All rights reserved. SafeToOpen is ISO/IEC 27001:2022 certified.