GDPR Compliance

1. Our Commitment to GDPR

BejaFly is committed to full compliance with the General Data Protection Regulation (GDPR). We provide the tools, documentation, and contractual frameworks you need to use our transactional email service in compliance with EU and EEA data protection laws.

2. BejaFly as Data Processor

When you use BejaFly to send transactional emails, you are the Data Controller and BejaFly acts as a Data Processor. We process personal data (email addresses, names, email content) solely on your instructions and for the purpose of delivering emails on your behalf.

3. Data Processing Agreement (DPA)

We offer a GDPR-compliant Data Processing Agreement (DPA) that covers the scope of processing, security measures, sub-processor obligations, data breach notification, and data subject rights assistance. Enterprise customers receive a signed DPA as part of their agreement. All other customers may request a DPA at gdpr@bejafly.com.

4. Your Rights as a Data Subject

If you are an EU/EEA resident, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your personal data
• Right to Restriction: Request restriction of processing
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time

To exercise any of these rights, email gdpr@bejafly.com. We will respond within 30 days.

5. Data Security

We implement appropriate technical and organizational measures to protect personal data, including TLS encryption for data in transit, AES-256 encryption for data at rest, regular penetration testing and vulnerability assessments, access controls with role-based permissions, employee security training, and incident response procedures.

6. International Data Transfers

Where personal data is transferred outside the EU/EEA, we ensure adequate protection through Standard Contractual Clauses (SCCs) approved by the European Commission. Enterprise customers may opt for EU-only data residency.

7. Sub-Processors

We maintain a list of sub-processors that may process personal data on our behalf. We will notify you of any changes to sub-processors and provide you with the right to object. A current list is available upon request.

8. Data Breach Notification

In the event of a personal data breach, we will notify affected controllers without undue delay and within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.

9. Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at:

Email: dpo@bejafly.com
Subject Line: GDPR Inquiry

10. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.