Data Protection Agreement, Section 1 — The Fastmail Service

DATED: 1 Aug 2025

This Data Protection Addendum Policy came into effect on 1 Aug 2025. It was updated in line with the latest recommendations from the European Data Protection Board (EDPB) after the Schrems II ruling.

We maintain copies of our previous policies online for archive purposes:

• September 27th, 2021 until July 31st, 2025
• Incorrectly formatted, live from December 12th, 2022 until October 6th, 2023
• May 25th, 2020 until September 26th, 2021
• July 20th, 2018 until May 24th, 2020

Section 1: The Fastmail Service

1.1 Introduction

The protection of Personal Data is of critical importance to Fastmail Pty Limited (ABN 31 142 646 580) (“Fastmail”).

This Data Protection Addendum Policy (“DPA”) sets out the minimum requirements of Fastmail with respect to all of its customers in relation to the processing of EU/UK individual Personal Data and compliance with other applicable data protection laws (“Data Protection Laws”).

This DPA comes/came into effect on August 1, 2025.

This DPA continues to use the Standard Contractual Clauses published by the European Commission on June 4, 2021, under EDPB EDPS Joint Option 2/2021 [1](“Clauses”). We have restructured the agreement to append these as separate documents for useability purposes.

• Section 1 deals with introductory matters and matters specific to the Fastmail Service.
• Section 2 sets out the Clauses where the Customer is a Controller (Exporter) and Fastmail is a Controller (Importer).
• Section 3 sets out the Clauses where the Customer is the Controller (Exporter) and Fastmail is a Processor (Importer).
• Section 4 sets out the Clauses where the Customer is the Processor (Exporter) and Fastmail is a Processor (Importer).
• Section 5 sets out the Clauses where Customer is a Processor (Exporter) and Fastmail is a Controller (Importer).

The Appendix contains the Annexes referred to in the Sections.

• Annex 1
• Annex 2
• Annex 3

This DPA sets out the Clauses as binding terms, without including the commentary and footnotes from EDPB EDPS Joint Option 2/2021. The parties agree to be bound by the Clauses that apply to their roles as Controller or Processor, as required by EDPB EDPS Joint Option 2/2021. Any guidance or footnotes that help interpret the Clauses are treated as included.

1.2 Terminology

Defined terms in this DPA have meanings as set in Section 1.10. Capitalized terms not defined here follow the meaning in your Agreement. References to your Agreement include amendments by this DPA.

1.3 Processing of Customer Personal Data

1. Each Party will comply with heir respective obligations under Data Protection Laws in providing and receiving Services under this DPA.
2. In the provision of the Services:
   1. Fastmail is a Controller for Account Information that is EU/UK individual personal data:
   2. If Customer is a Controller and Fastmail receives Account Information, Section 2 applies (Controller-to-Controller Clauses).
   3. If Customer is a Processor and Fastmail receives Account Information, Section 5 applies (Processor-to-Controller Clauses).
   4. Fastmail is a Processor for EU/UK individual personal data:
   5. Account Information managed by a Customer administrator (e.g., corporate accounts, resellers).
   6. Communications Data:
   7. If Customer is a Controller and Fastmail receives this Account Information and Communications data, Section 3 applies (Controller-to-Processor Clauses).
   8. If Customer is a Processor and Fastmail receives this Account Information and Communications data, Section 4 applies (Processor-to-Processor Clauses).
3. Customer:
   1. Authorizes Fastmail (and subprocessors) to process and transfer Customer Personal Data to any country or territory, as reasonably necessary for Services.
   2. Is authorised to issue such instructions on behalf of any third party as set out in Clause 3(a) of the applicable SCC.

1.4 Fastmail Personnel

Fastmail ensures its employees, agents, and subprocessors handling Customer Personal Data are bound by confidentiality obligations.

1.5 Personal Data Breach

Fastmail will, as soon as practicable, notify the Customer of any Personal Data Breach and provide information to support compliance with reporting obligations and to ensure customers can take any necessary actions. Fastmail will cooperate in investigating, mitigating, and remediating breaches.

1.6 Deletion or return of Customer Personal Data

1. Subject to 1.6.4, if a Customer closes their account, Fastmail deletes all Customer Personal Data within 14 days.
2. Subject to 1.6.4, in the event of non-payment, data is deleted within 30 days to 1 year, depending on account duration.
3. Subject to 1.6.4, accounts that are active and within good standing can at any time request:
   • Fastmail provide a complete copy of Customer Personal Data via secure transfer.
   • Fastmail delete all other Customer Personal Data.
4. Fastmail may only retain Customer Personal Data when required to meet our legal obligations and to ensure the integrity and security of our platform, as per the purposes agreed to within this DPA.

1.7 Data Subject Verification

Individuals exercising their data rights must provide necessary information to verify their identity and relation to the requested data.

1.8 Restricted Transfers

1. Subject to 1.8.2, The Customer (Data Exporter) and Fastmail/Subprocessors (Data Importer) agree to all applicable SCC’s in respect to any restricted transfer from the customer to Fastmail and all it’s approved subprocessors.
2. The SCC’s will come in to effect upon commencement of a restricted transfer.
3. Section 1.8.1 will not apply to a restricted transfer that occurs without reasonably practicable compliance steps that allow the restricted transfer to take place without breach of applicable Data Protection Laws.

1.9 General Terms

1.9.1 Order of Precedence

1. In case of conflict, the Clauses prevail over this DPA, which prevails over other agreements.
2. Subject to clause 1.9.1, in the event of inconsistencies between this DPA and any other agreements, including your Agreement, this DPA prevails.

1.9.2 Changes in Law

1. Fastmail may update this DPA as required by changes in Data Protection Laws.

1.9.3 Severability

1. If any provision is invalid, the rest remains in force. Invalid provisions will be revised or treated as if never included in this DPA.

1.10 Definitions

“Agreement” – Fastmail Customer Terms of Service.

“Account Information” – Customer-provided data to maintain an account, including technical details like logs (IP, email metadata).

“Applicable Laws” – EU laws and other relevant privacy laws.

“Fastmail and/or its Subprocessor” – Fastmail or its appointed subprocessors.

“Clauses” – EU Standard Contractual Clauses (Sections 2-5).

“Communications Data” – Email content, attachments, and related metadata.

“Customer” / “you” – Entity acquiring Fastmail Services, including entities with a controlling stake of that customer.

“Customer Personal Data” – Account and Communication Data containing Personal Data.

“Data Protection Laws” – GDPR and applicable data privacy laws.

“Restricted Transfer” – A transfer of Customer Personal Data requiring safeguards under Data Protection Laws.

“Services” – Activities Fastmail provides under the Agreement.

“Subprocessor” – Third parties processing data on Fastmail’s behalf.

GDPR-defined terms (e.g., Controller, Processor, Data Subject, Personal Data Breach) retain their GDPR meanings. “Include” means without limitation.

Clauses

Section 2: Controller to Controller

Section 3: Controller to Processor

Section 4: Processor to Processor

Section 5: Processor to Controller

Annexes

Annex 1 - List of Parties, Description of Transfer and competent supervisory authority

Annex 2 - Organisational and technical controls

Annex 3 - Co-controllers and subprocessors