Data Processing Addendum
Processing of personal data on your behalf (Art. 28 GDPR).
1. Roles
For customer content (messages, recipient data, templates, suppression lists) you are the controller and [COMPANY LEGAL NAME] is the processor.
2. Subject matter & duration
Processing of personal data as necessary to provide transactional email delivery, for the duration of the service agreement.
3. Nature and purpose
Receiving, storing, queueing, delivering and reporting on email messages; abuse and deliverability protection.
4. Instructions
We process customer content only on your documented instructions — the API calls and configuration you make are the instructions — unless EU or member-state law requires otherwise.
5. Confidentiality & security
Personnel are bound to confidentiality. Technical measures include encryption in transit, tenant isolation enforced at the database layer (row-level security), hashed credentials and audit logging. A detailed TOM annex is available on request.
6. Sub-processors
General authorization for the providers listed at sub-processors; changes are announced [30] days in advance with a right to object.
7. Assistance & deletion
We assist with data-subject requests and Art. 32–36 obligations, and delete or return customer content at contract end (retention windows permitting), then delete remaining copies.
8. Audits
We provide the information reasonably necessary to demonstrate Art. 28 compliance and permit audits — for a self-verifiable start, remember the processing software itself is open source.