GDPR Compliance

Last updated: January 26, 2025

Data Protection Commitment

MSG25 is committed to protecting personal data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Our Role

Data Controller: For account information, billing data, and usage analytics, MSG25 acts as the Data Controller.

Data Processor: For email content and recipient data processed on behalf of our customers, MSG25 acts as a Data Processor.

2. Legal Basis for Processing

  • Contract: Processing necessary for service delivery
  • Legitimate Interest: Security, fraud prevention, service improvement
  • Legal Obligation: Tax records, law enforcement requests
  • Consent: Marketing communications (opt-in required)

3. Your GDPR Rights

Right to Access

Request a copy of your personal data

Right to Rectification

Correct inaccurate personal data

Right to Erasure

Request deletion of your data ("right to be forgotten")

Right to Portability

Receive data in a machine-readable format

Right to Restrict

Limit how we process your data

Right to Object

Object to processing based on legitimate interest

4. Data Processing Agreement (DPA)

We provide a Data Processing Agreement to all customers who require one. The DPA outlines our obligations as a Data Processor including:

  • Processing data only on documented instructions
  • Ensuring staff confidentiality
  • Implementing appropriate security measures
  • Assisting with data subject requests
  • Deleting data upon contract termination
  • Providing audit access

Contact privacy@msg25.com to request a DPA.

5. International Data Transfers

Data may be processed in servers located outside the EU. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Encryption in transit and at rest

6. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify affected customers within 72 hours of becoming aware
  • Provide details of the breach and affected data
  • Outline remedial measures taken
  • Assist with regulatory notifications if required

7. Sub-Processors

We use the following sub-processors:

  • Cloud Infrastructure: Server hosting
  • Stripe: Payment processing
  • Analytics Providers: Service monitoring

We will notify customers of any sub-processor changes with reasonable notice.

8. Data Protection Officer

For GDPR-related inquiries, contact our Data Protection team at: dpo@msg25.com

9. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority in your EU member state if you believe we have violated your data protection rights.