Data Processing Agreement
Disclaimer: This document should be reviewed by qualified legal counsel before publication. It is drafted based on GDPR Article 28 requirements and industry best practices but does not constitute legal advice. DPAs often require negotiation for enterprise customers.
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between:
- Customer ("Controller," "you") — the entity that has agreed to the RelayPost Terms of Service
- RelayPost, Inc. ("Processor," "we," "us") — the entity providing the RelayPost email delivery platform
This DPA applies when RelayPost processes Personal Data on your behalf in the course of providing the Service.
2. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (GDPR Art. 4(1)) |
| Processing | Any operation performed on Personal Data (GDPR Art. 4(2)) |
| Controller | The entity that determines purposes and means of Processing (you) |
| Processor | The entity that processes on behalf of the Controller (RelayPost) |
| Sub-Processor | A third party engaged by RelayPost to process Personal Data on your behalf |
| Data Subject | The individual whose Personal Data is processed (your email recipients) |
| SCCs | Standard Contractual Clauses approved by the European Commission |
| Personal Data Breach | A breach of security leading to unauthorized access to or loss of Personal Data |
3. Scope of Processing
3.1 Subject Matter
| Element | Details |
|---|---|
| Subject matter | Processing of Personal Data to provide the RelayPost email delivery service |
| Duration | For the term of the Agreement, plus any retention period in Section 11 |
| Nature | Collection, storage, transmission, deletion of email-related Personal Data |
| Purpose | Email delivery, tracking, bounce/complaint management, analytics, webhooks |
3.2 Types of Personal Data Processed
| Category | Data Elements | Purpose |
|---|---|---|
| Recipient identifiers | Email addresses (to, cc, bcc) | Email delivery and routing |
| Sender identifiers | From address, reply-to address | Email delivery and authentication |
| Email content | Subject, HTML body, text body, headers | Email delivery |
| Delivery metadata | Message ID, timestamps, status, SMTP codes | Delivery tracking |
| Suppression data | Email address, reason, source | Preventing delivery to invalid addresses |
4. Controller Obligations
As the Controller, you are responsible for:
- Lawful basis — Ensuring you have a lawful basis for sending emails and providing recipient data to RelayPost
- Data subject rights — Responding to requests from your recipients
- Privacy notices — Disclosing the use of RelayPost as a processor
- Data accuracy — Ensuring data you provide is accurate and current
- Compliance — Complying with all applicable data protection laws
5. Processor Obligations
5.1 Processing Instructions
RelayPost will process Personal Data only on your documented instructions. Your use of the Service constitutes your instructions for processing.
5.2 Security (Article 32)
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS for all connections (HTTPS, SMTP STARTTLS/implicit TLS) |
| Encryption at rest | AWS RDS encryption (AES-256), S3 server-side encryption |
| Access control | Role-based per organization; all queries scoped to organization ID |
| Authentication | Session-based with httpOnly cookies; API keys stored as SHA-256 hashes |
| Network security | AWS VPC isolation, Cloudflare DDoS protection |
| Audit logging | All organization-level actions logged with user ID, IP, timestamp |
| Secure development | Parameterized queries (Drizzle ORM) to prevent SQL injection |
6. Sub-Processors
6.1 Current Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Infrastructure hosting (EKS, RDS, ElastiCache, S3) | United States |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, WAF | Global (US HQ) |
6.2 Sub-Processor Changes
We will notify you at least 30 days in advance of engaging a new sub-processor. You may object within 14 days by emailing [email protected]. If no alternative is feasible, either party may terminate the affected portion of the Service with 30 days' notice.
7. Personal Data Breach Notification
| Action | Timeline |
|---|---|
| Initial notification to you | Within 48 hours of becoming aware |
| Your notification to supervisory authority | Within 72 hours (GDPR Art. 33) |
| Detailed follow-up | As soon as reasonably practicable |
Notification will include: nature of the breach, data affected, likely consequences, measures taken, and contact point. Security incidents: [email protected]
8. Data Subject Rights
As Controller, you are responsible for responding to Data Subject requests. RelayPost will assist by:
| Request Type | How We Help |
|---|---|
| Access | Providing Personal Data we process for the relevant Data Subject |
| Rectification | Updating data as instructed by you |
| Erasure | Deleting data as instructed (subject to retention requirements) |
| Portability | Providing data in machine-readable format via API export |
Response time: within 10 business days.
9. Data Protection Impact Assessments
RelayPost will provide reasonable information about our processing activities to assist you in conducting DPIAs where required by GDPR Article 35.
10. International Data Transfers
RelayPost processes Personal Data in the United States (AWS US regions).
| Mechanism | Applicability |
|---|---|
| Standard Contractual Clauses (SCCs) | EU Commission Decision 2021/914 — Module 2 (Controller to Processor) |
| UK IDTA | For transfers from the UK |
| Swiss DPA | SCCs as recognized by Swiss FDPIC |
Supplementary measures include encryption in transit and at rest, access controls, data minimization, and transparency regarding government access requests.
11. Data Retention and Deletion
11.1 During the Agreement
| Data Type | Free | Starter | Pro |
|---|---|---|---|
| Email metadata & events | 30 days | 60 days | 180 days |
| Email content | 30 days | 60 days | 180 days |
| Suppression lists | Duration of Agreement | ||
11.2 On Termination
| Action | Timeline |
|---|---|
| Cease processing | Immediately |
| Data export window | 30 days via API |
| Delete email content & metadata | Within 30 days after export window |
| Delete from backups | Within 90 days (backup rotation) |
| Certification of deletion | Available upon written request |
12. Audits and Inspections
You have the right to audit RelayPost's compliance with this DPA with at least 30 days' written notice, once per 12-month period. As an alternative, RelayPost may provide SOC 2 Type II reports, third-party security assessments, or relevant certifications.
13. Liability
Liability under this DPA is subject to the limitations in the Terms of Service, except that liability for data protection breaches caused by RelayPost's failure to comply with this DPA or GDPR is not subject to the general limitation.
14. Term and Termination
This DPA takes effect on the Effective Date and remains in effect for the duration of the Agreement. Sections on Confidentiality, Breach Notification, Retention/Deletion, Audits, and Liability survive termination.
15. Contact
| Purpose | Contact |
|---|---|
| Legal & DPA inquiries | [email protected] |
| Security incidents & abuse | [email protected] |