Last updated: April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Melly Labs ("Processor", "we", "us") and the customer ("Controller", "you") for the use of MellySend services. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the MellySend file transfer and collaboration services. The categories of data processed include:
This DPA remains in effect for the duration of the Controller's use of MellySend services. Upon termination, the Processor will delete all Personal Data within 30 days, unless retention is required by law.
The Processor shall:
The Processor implements the following security measures:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 on all connections |
| Encryption at rest | OVHcloud SSE (server-side encryption) for all stored objects |
| End-to-end encryption | Optional AES-256 client-side encryption per transfer |
| Access control | Role-based access, 2FA for admin accounts |
| Authentication | Passwordless magic links, TOTP-based 2FA |
| Infrastructure | EU-only hosting (Hetzner DE, OVHcloud FR, self-hosted NL) |
| Monitoring | Admin audit logging of all privileged actions |
| Data minimization | Anonymous transfers auto-deleted after 48h, free transfers after 7 days |
The Controller authorizes the use of the following sub-processors. The Processor will notify the Controller before adding or replacing sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Compute infrastructure (Kubernetes) | Germany |
| OVHcloud | Object storage (S3-compatible, SSE-encrypted) | France |
| Brevo (Sendinblue) | Transactional and marketing email delivery | France |
| Mollie B.V. | Payment processing | Netherlands |
| TransIP B.V. | Domain name and DNS services | Netherlands |
All sub-processors are EU-based companies. No Personal Data is transferred outside the European Economic Area.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (Article 33). The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests under Articles 15-22 GDPR, including the right of access, rectification, erasure, restriction, portability, and the right to object. Users can export their data via the vault download feature and delete their account through the settings page.
The Processor does not transfer Personal Data outside the European Economic Area. All infrastructure, sub-processors, and data storage are located within the EU (Germany, France, Netherlands). This eliminates the need for Standard Contractual Clauses or other transfer mechanisms under Chapter V GDPR.
The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice and during normal business hours. The Processor shall cooperate with the audit and provide access to relevant documentation, systems, and personnel.
This DPA shall be governed by and construed in accordance with the laws of the Netherlands. Any disputes arising from this DPA shall be submitted to the competent court in Rotterdam, the Netherlands.
For questions about this DPA or to exercise your rights, contact us at: