Data Processing Addendum

Processing of personal data on your behalf (Art. 28 GDPR).

Template. This document ships with the open-source project as a starting point. Replace the bracketed placeholders and have your counsel review it before publishing it for a commercial offering.

1. Roles

For customer content (messages, recipient data, templates, suppression lists) you are the controller and [COMPANY LEGAL NAME] is the processor.

2. Subject matter & duration

Processing of personal data as necessary to provide transactional email delivery, for the duration of the service agreement.

3. Nature and purpose

Receiving, storing, queueing, delivering and reporting on email messages; abuse and deliverability protection.

4. Instructions

We process customer content only on your documented instructions — the API calls and configuration you make are the instructions — unless EU or member-state law requires otherwise.

5. Confidentiality & security

Personnel are bound to confidentiality. Technical measures include encryption in transit, tenant isolation enforced at the database layer (row-level security), hashed credentials and audit logging. A detailed TOM annex is available on request.

6. Sub-processors

General authorization for the providers listed at sub-processors; changes are announced [30] days in advance with a right to object.

7. Assistance & deletion

We assist with data-subject requests and Art. 32–36 obligations, and delete or return customer content at contract end (retention windows permitting), then delete remaining copies.

8. Audits

We provide the information reasonably necessary to demonstrate Art. 28 compliance and permit audits — for a self-verifiable start, remember the processing software itself is open source.