Legal

Data Processing Agreement

Last updated: 05 April 2026 · Between Badex and the Customer

Summary

This Data Processing Agreement ("DPA") describes how Badex processes personal data on behalf of its customers in compliance with GDPR (EU) 2016/679. By using Badex Signature, you agree to these terms.

1. Definitions

Controller: The Customer (you) who determines the purposes and means of processing personal data.

Processor: Badex, processing personal data on behalf of the Controller.

Personal Data: Names, email addresses, job titles, phone numbers, and other data of your Microsoft 365 users or manually created SMTP accounts (for Generic SMTP plans).

2. Nature and Purpose of Processing

Badex processes personal data solely for the purpose of:

Injecting personalized email signatures into outgoing emails
Syncing user information from Microsoft 365 (M365 plans) or managing SMTP account credentials (Generic SMTP plans)
Generating and managing signature templates
Tracking email engagement (opens, clicks) where enabled

3. Categories of Personal Data

We process the following categories of data:

Full name, first name, last name
Business email address
Job title and department
Business phone number
Office location

4. Data Storage and Security

All personal data is stored on servers located in the European Union (Germany). We implement appropriate technical and organizational measures including:

Encryption in transit (TLS 1.3)
Encrypted database connections
Access controls and authentication
Regular automated backups

5. Data Retention

Personal data is retained for the duration of the contract. Upon termination, all customer data is permanently deleted within 30 days upon written request.

6. Sub-processors

We use the following sub-processors:

Contabo GmbH — Server hosting (EU)
Stripe Inc. — Payment processing
Microsoft Corporation — Microsoft 365 integration (M365 plans only)

7. Data Subject Rights

The Customer is responsible for handling data subject requests. Badex will assist the Customer in fulfilling requests for:

Access to personal data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Data portability

8. Data Breach Notification

In the event of a personal data breach, Badex will notify the Customer within 72 hours of becoming aware of the breach, in accordance with Article 33 of GDPR.

9. Contact

For any questions regarding this DPA or data protection:

Badex
Email: privacy@badex.app
BE0743.754.923