Summary
This Data Processing Agreement ("DPA") describes how Badex processes personal data on behalf of its customers in compliance with the GDPR, Regulation (EU) 2016/679. By using Badex Signature, you agree to these terms.
1. Definitions
Controller: The Customer (you) who determines the purposes and means of processing personal data.
Processor: Badex, processing personal data on behalf of the Controller.
Personal Data: Names, email addresses, job titles, phone numbers, and other data of your Microsoft 365 users or manually created SMTP accounts (for Generic SMTP plans).
2. Nature and Purpose of Processing
Badex processes personal data solely for the purpose of:
- Injecting personalized email signatures into outgoing emails
- Syncing user information from Microsoft 365 (M365 plans) or managing SMTP account credentials (Generic SMTP plans)
- Generating and managing signature templates
- Tracking email engagement (opens, clicks) where enabled
- AI-powered email reply suggestions and semantic matching (opt-in only — AI Inbox feature)
3. Categories of Personal Data
We process the following categories of data:
- Full name, first name, last name
- Business email address
- Job title and department
- Business phone number
- Office location
4. Data Storage and Security
All personal data is stored on servers located in the European Union (Germany). We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS 1.2/1.3)
- Encryption at rest (AES-256 for database and cloud storage)
- Wazuh SIEM security monitoring and intrusion detection
- Network segmentation and firewall controls (UFW, Cloudflare WAF)
- VPN with MFA for all administrative access
- ClamAV anti-malware on all servers
- Daily automated backups (local + Azure Blob Storage)
5. Data Retention
Personal data is retained for the duration of the contract. Upon termination, all customer data is permanently deleted within 30 days upon written request.
6. Sub-processors
We use the following sub-processors:
- Contabo GmbH — Server hosting (Germany, EU)
- Microsoft Azure — Cloud infrastructure, storage, monitoring (EU — Belgium Central / West Europe)
- Microsoft Graph API — Microsoft 365 email integration (M365 plans only)
- Stripe Inc. — Payment processing (USA, SCCs, PCI DSS)
- Cloudflare — DNS, WAF, DDoS protection (EU / Global, SCCs)
- Groq Cloud — AI inference for AI Inbox (USA, opt-in only, data not retained, SCCs)
- Google Gemini — AI fallback inference (USA, opt-in only, data not retained, SCCs)
- Voyage AI — Email embedding for AI semantic search (USA, opt-in only, data not retained, SCCs)
- Jina AI — Fallback embedding provider (Germany, EU, opt-in only, data not retained)
7. Data Subject Rights
The Customer is responsible for handling data subject requests. Badex will assist the Customer in fulfilling requests for:
- Access to personal data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability
8. Data Breach Notification
In the event of a personal data breach, Badex will notify the Customer within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
9. Contact
For any questions regarding this DPA or data protection:
Badex
Email: admin@badex.app
BE0743.754.923