Data Processing Agreement
Last updated 1 June 2026 · Hola Money Sociedad Limitada (trading as Buzzmark)
This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions between you (the “Customer” or “Controller”) and Hola Money Sociedad Limitada (“Hola Money S.L.”, “Buzzmark”, the “Processor”) and reflects the parties’ agreement on the processing of personal data in connection with the Service, in accordance with Article 28 of the GDPR. It applies to the extent Buzzmark processes Customer Personal Data on the Customer’s behalf.
For a counter-signed copy of this DPA, contact legal@buzzmarkapp.com.
1. Definitions
Capitalised terms not defined here have the meaning in the Terms. “GDPR”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Supervisory Authority” have the meanings given in the GDPR. “Customer Personal Data” means Personal Data contained in Customer Data that Buzzmark processes on the Customer’s behalf.
2. Roles & scope
The Customer is the Controller and Buzzmark is the Processor of Customer Personal Data. Buzzmark will process Customer Personal Data only to provide the Service and only on the Customer’s documented instructions (including those given through the dashboard and API), unless required to act otherwise by EU or Member State law (in which case Buzzmark will inform the Customer, unless legally prohibited). The subject matter, duration, nature and purpose of the processing, and the categories of data and Data Subjects, are set out in Annex 1.
3. Processor obligations
Buzzmark will:
- process Customer Personal Data only on documented instructions and not for its own purposes;
- ensure persons authorised to process the data are bound by confidentiality;
- implement and maintain the technical and organisational measures in Annex 2 (Art. 32);
- respect the conditions in §4 for engaging Sub-processors;
- taking into account the nature of the processing, assist the Customer by appropriate measures to respond to Data Subject requests under Chapter III of the GDPR;
- assist the Customer in ensuring compliance with its obligations under Articles 32–36 (security, breach notification, data protection impact assessments and prior consultation);
- at the Customer’s choice, delete or return all Customer Personal Data at the end of the Service and delete existing copies, unless storage is required by law (see §8);
- make available information necessary to demonstrate compliance and allow for and contribute to audits (see §6); and
- inform the Customer if, in its opinion, an instruction infringes the GDPR or other data protection law.
4. Sub-processors
The Customer grants Buzzmark general authorisation to engage the Sub-processors listed in Annex 3. Buzzmark will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for its Sub-processors’ performance. Buzzmark will give the Customer reasonable prior notice of any intended addition or replacement of a Sub-processor (for example via the dashboard or email), and the Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Service.
5. Data residency & international transfers
Buzzmark hosts and processes Customer Personal Data within the EU (Frankfurt (Germany) and Paris (France)) and does not transfer it outside the EEA in providing the Service, except that email is, by its nature, transmitted to the recipient’s mail server, which the Customer determines by its choice of recipients. Where any transfer of Customer Personal Data to a third country would otherwise occur, it will be made under an adequacy decision or the European Commission’s Standard Contractual Clauses with appropriate supplementary measures. See the EU Data Residency page.
6. Personal data breaches & audits
Buzzmark will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably required for the Customer to meet its own notification obligations. The Customer may audit Buzzmark’s compliance with this DPA once per year (and after a breach) on reasonable prior notice; Buzzmark may satisfy audit requests by providing relevant documentation or a completed security questionnaire.
7. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms.
8. Term, deletion & return
This DPA takes effect when you accept the Terms and continues while Buzzmark processes Customer Personal Data. On termination, and at the Customer’s choice, Buzzmark will return or delete Customer Personal Data within a commercially reasonable period (and routinely deletes or anonymises message logs in line with the plan’s retention window), except where retention is required by law.
Annex 1 - Details of processing
- Subject matter: provision of the Buzzmark transactional email Service.
- Duration: the term of the Terms, plus any retention period required by law.
- Nature & purpose: receiving, queuing, sending, relaying, tracking, logging and (where enabled) parsing inbound email on the Customer’s behalf.
- Categories of Data Subjects: the Customer’s message recipients and senders, and any individuals referenced in message content or metadata.
- Categories of Personal Data: email addresses; names and display names; message subject, body and attachments; headers and metadata; engagement events (delivery, open, click, bounce, complaint); IP addresses; and any other personal data the Customer chooses to include in its messages.
- Special categories: not intended; the Customer should not submit special-category data unless separately agreed and lawfully processed.
Annex 2 - Technical & organisational measures
- Encryption: TLS for data in transit and encryption of data at rest; opportunistic/forced TLS for SMTP where supported by the receiving server.
- Secrets: credentials and API tokens stored hashed; DKIM private keys and other secrets stored encrypted.
- Access control: role-based access, least-privilege, per-account isolation, and authentication on all administrative access.
- Network & infrastructure: EU-located infrastructure, network segregation, firewalling and hardened images.
- Resilience: backups, monitoring and logging, and documented incident response.
- Organisational: confidentiality obligations for staff, change management and least-data retention.
Annex 3 - Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Application hosting, database and storage | EU (Germany) |
| Cloudi Nextgen SL | Incoming SMTP and outgoing SMTP delivery and sending-IP pool | EU (Spain) |
| bunny.net | Content delivery & edge security (static assets) | EU edge |
| Mollie | Subscription billing and payments | EU / EEA |
| Buzzmarkapp | Transactional & support communications to you | EU / EEA |
The up-to-date list of Sub-processors is available on request from dpo@buzzmarkapp.com.