Data Processing Agreement (DPA) — Maylee
Version: May 7, 2026 / In force as of May 7, 2026
Published by BRIDGERS SAS — RCS Paris B 882 679 749 — 149 avenue du Maine, 75014 Paris
Single contact: contact@maylee.app (Niels Cohen, President of Bridgers SAS)
1. Preamble
This Data Processing Agreement (the “DPA”) supplements the contract entered into between BRIDGERS (the “Processor”) and the Customer (the “Controller”) relating to the use of the Maylee Service (the “Main Contract”). It defines the conditions under which the Processor processes personal data on behalf of the Controller, in accordance with Article 28 of Regulation (EU) 2016/679 (“GDPR”). In case of conflict, this DPA prevails over the Main Contract on data-protection matters only.
2. Description of processing
Subject matter: Processing necessary to provide the Maylee Service.
Duration: Term of the Main Contract plus retention periods.
Nature: Hosting, caching, indexing, search, transmission, processing by AI features enabled by the User.
Purpose: Provide, secure, maintain and improve the Service.
Categories of data: Identification data, connection data, email content and metadata, contacts, attachments, calendar events, preferences.
Categories of data subjects: Users of the Controller and third parties communicating by email.
3. Processor obligations
The Processor undertakes to:
- process personal data only on documented instructions from the Controller, including for transfers outside the EU; the Main Contract and DPA constitute such instructions;
- ensure that authorised persons commit to confidentiality;
- implement appropriate technical and organisational measures (Art. 32 GDPR), as described in Annex 1;
- comply with the conditions for engaging sub-processors (Section 4 below);
- assist the Controller, to the extent possible, in responding to data-subject requests;
- assist the Controller in complying with Articles 32-36 GDPR;
- at the Controller's choice, delete or return the data at the end of the contract (standard formats: MBOX, EML, CSV, vCard, JSON) within 30 days, and destroy existing copies (unless legally required otherwise);
- make available the information necessary to demonstrate compliance and allow audits.
4. Sub-processors
The Controller generally authorises the Processor to engage the sub-processors listed in Annex 2. The Processor will inform the Controller of any change at least 30 days before it takes effect, by email or via the Service. The Controller may object on reasonable grounds related to data protection within 30 days, by email to contact@maylee.app. Failing agreement, the Controller may terminate the affected part of the Contract free of charge, with pro-rata refund. The Processor imposes equivalent obligations on its sub-processors and remains fully liable for their performance.
5. International transfers
Any transfer outside the EU/EEA is governed by: (i) an adequacy decision, (ii) the Standard Contractual Clauses (SCCs) — Module 2 (Controller-Processor) or Module 3 (Processor-Processor), or (iii) another mechanism compliant with Article 46 GDPR. The SCCs are incorporated by reference where the Controller is itself subject to GDPR and transfers data to the Processor or sub-processors located outside the EU.
6. Personal data breach notification
The Processor will notify the Controller of any personal data breach within a reasonable time, and at the latest 72 hours after becoming aware of it, by email. The notification will specify: nature of the breach, categories and approximate number of data subjects, likely consequences, measures taken or proposed.
7. Assistance with data-subject requests
The Processor will assist the Controller, by appropriate technical and organisational measures, to the extent possible, in responding to data-subject requests. If a data subject contacts the Processor directly, the Processor will inform the data subject to contact the Controller and notify the Controller.
8. Audits
Upon reasonable request, the Processor makes available SOC 2 Type II reports or equivalent and applicable certifications. On 30 days' notice and no more than once per year, the Controller may request a targeted audit limited to GDPR requirements, subject to a confidentiality agreement, at its expense, in a manner not disrupting the Processor's activity. In case of a confirmed breach by the Processor, audit costs are borne by the Processor.
9. Confidentiality
The Processor warrants that all persons authorised to process the data are bound by contractual or legal confidentiality obligations.
10. Limitation of liability
Save where mandatory law provides otherwise, the Processor's liability under this DPA is subject to the limitations of the Main Contract, in particular the cap at the total amount paid by the Customer to the Processor during the 12 months preceding the event. This clause does not apply to damages to a data subject which the law does not permit to be limited.
11. Governing law and jurisdiction
This DPA is governed by French law. Any dispute shall fall within the exclusive jurisdiction of the Paris Commercial Court.
Annex 1 — Technical and organisational measures
Physical security
- Hosting in certified data centres (ISO 27001, SOC 2, PCI-DSS).
- Strict access control to physical facilities.
Logical security
- TLS 1.3 in transit, AES-256 at rest.
- Secrets via dedicated solution (Vault, KMS).
- MFA on all administrative access.
- RBAC, least privilege.
- Centralised logging and alerting.
Secure development
- Mandatory code review, automated SAST/DAST.
- Annual independent penetration tests.
- Vulnerability management policy.
Continuity
- Daily encrypted backups, retained 30 days.
- Documented and annually tested DRP.
Organisation
- Documented information-security policy.
- Annual staff training.
- Contractual confidentiality undertakings.
Annex 2 — List of sub-processors
Up-to-date list: maylee.app/legal/subprocessors. Indicatively:
- Amazon Web Services EMEA SARL — EU — Hosting.
- Stripe Payments Europe Ltd — Ireland — Payments.
- OpenAI Ireland Ltd — Ireland / United States (SCCs + EU-US DPF) — AI.
- Anthropic PBC — United States (SCCs + EU-US DPF) — AI.
- Google Cloud EMEA Ltd — EU — Vertex AI.
- Mistral AI — France — AI.
- Postmark / SendGrid — United States (SCCs) — Transactional email.
- Intercom — Ireland — Support.
- HubSpot — Ireland — CRM.
- Datadog — United States (SCCs + EU-US DPF) — Observability.
- Sentry — United States (SCCs) — Error tracking.
