GDPR Compliance and EU Data Protection
Learn more about how the GDPR applies to your use of Mailgun and what we've done to ensure compliance and give you more control over your data.
GDPR | Mailgun's Role | Legal Basis for Data Collection | Mailgun and Personal Data | Mailgun & GDPR Compliance | Sub-processors? | Data Subject Rights | Data Processing Agreement | Transfer of Data Outside the EEA | FAQs
Mailgun is a strong advocate for privacy. We care about our users' rights. Leading up to the implementation of the GDPR (the new EU privacy law since 25 May 2018), we have been hard at work building numerous features that give customers more control of the data that is stored on our platform. We have designed and enabled these features for all our customers, regardless of whether the GDPR specifically impacts them.
We built this document to present you how the GDPR will apply to your use of Mailgun and what we have done to ensure we are compliant with the new rules.
We recommend that you review this document carefully and present it to your privacy team.
Note: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a regulation designed to harmonize data privacy laws throughout the European Union (EU). This new regulation offers individuals in the EU greater transparency and control over how their personal data is used and make companies handling personal data accountable for their choices. Even businesses that are not based in the EU must comply with the GDPR if they are collecting and processing personal data of individuals located in the EU.
Is Mailgun a controller or a processor?
If your data processing activities fall under the scope of the GDPR, one of the first question you should ask yourself is “Am I a data controller or a data processor?". The answer to this question will help you determining what are your compliance obligations under the GDPR.
The controller is the organization that determines the purposes and means of processing. As a customer of Mailgun, you operate as the controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed lawfully and that you are using processors, such as Mailgun, that provide sufficient guarantees to meet key requirements of the GDPR.
Mailgun is considered a processor. We act on the instructions of the controller (you), which come in the form of API or SMTP requests. Similar to controllers, processors are expected to comply with the GDPR.
On which legal basis can you collect and process personal data?
As a processor, we rely on our customers to ensure that personal data are collected on the basis of one of the GDPR lawful grounds for processing. You, as a controller, can collect personal data based on one of the following legal basis: (i) consent; (ii) processing is the necessary for the performance of a contract you have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) you need to protect the vital interest of the data subject or of another person; (vi) you (or another third party) have a legitimate interest to process personal data and this is not overridden by the interests, rights and freedoms of the data subject.
What personal data does Mailgun collect and how is it used?
We are committed to be transparent in how we handle and process personal data. As one of our customers, you should be aware of how we handle personal data on your behalf.
We keep data only as long as it is necessary to provide our services. Where possible, we employ mechanisms that allow us to automatically remove data after it is no longer needed to offer our services.
Mailgun stores the bodies of messages for up to 72 hours for both incoming and outgoing messages. For outgoing messages, temporary storage allows our systems to attempt to re-deliver messages that could not be delivered on the first attempt. Customers relying on our parsing features use this to be able to retrieve messages that have been received as inbound messages.
For some customers, the message retention period may be selectively adjusted based on written instructions between the customer and Mailgun. Additionally, we offer features that prevent the retrieval of messages programmatically or allows the messages to be securely deleted after delivery.
Finally, our staff may access message bodies to assist customers in troubleshooting delivery issues or in response to a potential AUP violation. Employee access is routinely audited and all of those employees or staff in contact with personal data are subject to our confidentiality provisions.
The metadata of a message, which includes the sender, recipient(s), subject line, originating IP address and other routing data is indexed and maintained for 30 days.
As messages are processed by Mailgun, we generate discrete events from each service that handles message processing. This data is useful in troubleshooting processing and delivery issues that periodically occur when messaging users through Mailgun. This data is available in its entirety via our logs and Events API.
Finally, our staff may use this event data to assist in customer support requests or in response to a potential AUP violation.
Suppressions are permanently stored email addresses that are created as a result of a hard bounce, complaint, or unsubscribe. We store suppressions until you remove them or your account has been deleted.
When suppressions are removed, they are permanently deleted from the system. Suppressions may be stored in a backup system for disaster recovery purposes for up to 30 days after removal.
Mailgun stores recipient email addresses activity information in a hashed (pseudonymization) format. This data allows us to more accurately pre-validate email addresses, detect potential risky senders who may damage IP reputation, and help customers optimize their delivery processes.
This recipient data is only used as part of the delivery of Mailgun services.
How have we engaged in complying with the GDPR?
As a processor, we have specific obligations under the GDPR. In this section, we highlight how we handle personal data and what efforts we are making to ensure you, as one of our customers, can trust us.
In our efforts to comply with the GDPR, we have conducted a detailed risk analysis of all applications that may process personal data of individuals located in the EU. Based on the result of such analysis, we have put in place appropriate measures that allow us to comply with the new requirements.
First of all, we have gathered a dedicated team of data protection and security specialists who review Mailgun processing of personal data and ensure we have always privacy in mind.
Thanks to our team, we have taken many proactive steps towards compliance with the GDPR:
- We have implemented or are working on new policies and procedures to be able to detect personal data breaches and notify our customers without undue delay to ensure they meet the breach notification requirements of the GDPR.
- We have developed procedures to be able to deal with the requests we receive from data subjects and inform you of such requests.
- We have reviewed and updated the security policies and controls we have in place. These are continually tested and evolve in line with changing regulations and governance requirements.
- We have appointed a Data Protection Officer, who will be in charge of compliance with the GDPR across our business.
- We carry out regular data protection training for our employees and staff.
- We created and maintain a record of pour data processing activities.
The above are only some of the steps we have taken in our path towards GDPR compliance, which is an ongoing exercise that we are engaged in.
What about Mailgun’s sub-processors?
Processors may leverage other third-parties in the processing of personal data. These entities are commonly referred to as “sub-processors". We, at Mailgun, use cloud infrastructure providers like Amazon Web Services, Rackspace, and Softlayer to host Mailgun. As required under the GDPR, we have put in place appropriate measures with our sub-processors that will allow us to secure the personal data we process on your behalf. If you are one of our customers, we will provide you with an exhaustive list of the sub-processors we use.
How do we support you in dealing with data subject rights?
As part of the GDPR, EU data subjects can access their personal data, correct, remove or export them. They also have the right to restrict the processing of their personal data.
We have designed our platform with several self-service features that our customers can leverage to assist in reviewing the personal data stored on our platform to respond to data requests.
In particular, these features are designed to support the right to data portability, right to access, and right to be forgotten.
When we, as a processor, receive directly a request from a data subject, we will engage the respective customer within seven days to respond to the data subject request (unless otherwise required by law).
What is a Data Processing Agreement and do we need one?
If you are a data controller, the GDPR requires that you enter into an agreement with your data processors. This agreement is referred to as “Data Processing Agreement" and sets out how a controller and a processor meet the requirements of the GDPR.
To make your life easier, we have drafted a DPA that our customers can sign. Our DPA is designed to address the requirements of Article 28 of the GDPR. It includes the respective obligations of Mailgun, as a data controller, and our customers, as data processors.
How do we ensure personal data are legally transferred outside of the EEA?
The GDPR does not require that data processing activities are limited to the EU, but regulates the transfer of personal data outside of the European Economic Area (EEA). In order to do that, the GDPR provides for different transfer mechanisms.
The EU-US Privacy Shield is one of the lawful mechanisms to transfer data between the EU and the US. Mailgun is self-certified to the EU-US Privacy Shield Framework maintained by the US Department of Commerce (Privacy Shield). You can inspect our certification in the Privacy Shield list of the US Department of commerce by searching for “Mailgun" here https://www.privacyshield.gov/list.
In addition to the Privacy Shield, our DPA includes the EU Standard Contractual Clauses, which are another a valid mechanism for the transfer of data outside of the EEA. The Standard Contractual Clauses are model clauses published by the EU commission and designed to facilitate transfers of personal data from a data exporter located in the EEA and a data importer located outside of the EEA.
In many cases, yes. Even businesses that are not based in the EU are considered to be in scope of the GDPR if they are collecting personal data on EU residents.
The GDPR does not require that data processing be limited to the EU. The EU-US Privacy Shield is one of several valid lawful mechanisms to transfer data between the EU and the US. In addition to Privacy Shield, Mailgun’s Data Processing Agreement includes the EU Model Clauses, which is also a valid mechanism for the lawful transfer of data between the EU and US.
Can I use a suppression list when a user withdraws consent to receive communication from my business?
Yes, this is a valid use of personal data as long as the email address is not being used for processing. For many users, suppression lists act as a method of last resort to ensure that you are not inadvertently communicating with users that withdraw consent to receive communication from you.
The GDPR applies to all personal data, even if it was collected before May 25, 2018. As your business is preparing for the implementation of the GDPR, you should make sure you can properly audit the consent records for your email list.
Explore Beyond GDPR
Mailgun has a variety of features for companies needing to comply with GDPR.