Data Processing Agreement
Effective: 2026-05-18 (supersedes 2026-04-07)
This Data Processing Agreement (DPA) forms part of the agreement between you ("Customer", the Data Controller) and MICCI ("PostStack", the Data Processor) for use of the PostStack Service. It applies to the extent that PostStack processes personal data on Customer's behalf in providing the Service.
1. Definitions
- "GDPR" means the EU General Data Protection Regulation 2016/679.
- "Personal Data" means any information processed under this DPA that relates to an identified or identifiable natural person, as defined by the GDPR.
- "Data Subject" means the natural person to whom the Personal Data relates (typically the Customer's end users and email recipients).
- "Sub-processor" means a third-party processor engaged by PostStack to process Personal Data on PostStack's behalf.
2. Scope and roles
Customer acts as the Data Controller for Personal Data processed by the Service. PostStack acts as a Data Processor and processes Personal Data strictly to provide the Service in accordance with the Customer's documented instructions, this DPA, the Terms of Service, and the Privacy Policy.
3. Nature and purpose of processing
The Service involves the processing of Personal Data for these purposes:
- Sending transactional and marketing emails to Customer's recipients
- Storing and managing Customer's contact lists
- Recording email events (delivered, opened, clicked, bounced)
- Hosting mailboxes for Customer's end users (if enabled)
- Receiving and forwarding inbound email
- Generating analytics and deliverability reports
4. Categories of Data Subjects and Personal Data
Data Subjects: Customer's employees, end users, customers, contacts, and email recipients.
Categories of Personal Data: names, email addresses, IP addresses (from tracking events), email content, email metadata (subject, timestamps, headers), file attachments, custom contact properties as configured by the Customer.
5. PostStack obligations
- Process Personal Data only on documented Customer instructions, including transfers, unless required by EU or Member State law.
- Ensure that personnel authorized to process Personal Data have committed themselves to confidentiality.
- Implement and maintain the technical and organizational measures described in Section 6 (Article 32).
- Assist Customer in responding to Data Subject requests under Articles 12–22 of the GDPR, as described in Section 8.
- Notify Customer of any Personal Data breach as described in Section 7 (Article 33).
- Delete or return all Personal Data after the end of the Service provision, unless EU or Member State law requires storage.
- Make available all information necessary to demonstrate compliance and allow for audits as required by Article 28(3)(h).
6. Technical and organizational measures (Article 32)
PostStack implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are documented in full in our Security overview and the internal controls inventory (available under NDA on request). At a minimum, the following measures are in place:
- Encryption in transit: TLS 1.2 / 1.3 with modern AEAD ciphers and HSTS for HTTPS; implicit TLS for IMAP (993), POP3 (995), and SMTP submission (465 and 587); opportunistic STARTTLS on inbound port 25.
- Encryption at rest: daily PostgreSQL backups AES-256 GPG-encrypted and integrity-verified; Hetzner volume-level encryption for the application database and mailbox storage.
- Pseudonymisation and access control: passwords hashed with Argon2id; mailbox passwords hashed with bcrypt; API keys stored as cryptographic hashes; sessions scoped per team with cross-team access blocked at the service layer; 2FA via TOTP available to every user; SSH access to production via key only.
- Confidentiality, integrity, availability, and resilience: daily integrity-verified backups; redundant Postfix queueing with bounce / complaint / retry handling; per-tenant rate limiting; structured operational alerting with on-call notification.
- Regular testing and evaluation: continuous dependency updates with documented CVE-patching SLA (≤ 7 days high, ≤ 30 days moderate); automated test suite enforced on every change; security review on auth, OAuth, SMTP, and billing surfaces.
- Audit logging: append-only audit log of administrative mutations scoped per team; structured [security]-tagged application logs for authentication failures and rate-limit events.
- Procedural measures: personnel under written confidentiality obligations; access provisioned on least-privilege; documented incident-response runbook; published vulnerability disclosure policy with safe-harbour and acknowledgement SLA.
PostStack does not store payment card data; card details are tokenised by Stripe and never traverse PostStack systems.
7. Personal Data breach notification (Article 33)
PostStack will notify Customer of a Personal Data breach affecting Customer's Personal Data without undue delay and in any event within 48 hours of becoming aware of the breach. This is more stringent than the 72-hour Controller notification window in Article 33(1) GDPR, and is intended to give Customer time to discharge its own Article 33 obligations.
The notification will include, to the extent then known:
- The nature of the breach, the categories of Personal Data affected, the approximate number of Data Subjects and records concerned;
- The likely consequences of the breach;
- The measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects;
- The name and contact details of the PostStack security contact responsible for the response.
Where information cannot be provided at the same time, it will be provided in further communications without undue delay. PostStack will document every Personal Data breach internally including the facts, its effects, and the remedial action taken, and will make this documentation available to Customer on request.
Security incidents should be reported privately to security@poststack.dev.
8. Data Subject requests (Articles 12–22)
PostStack assists Customer in responding to Data Subject requests for access, rectification, restriction, portability, objection, or erasure of Personal Data. Standard mechanics:
- Self-service: the dashboard provides export (Article 20 portability), update (Article 16 rectification), and deletion (Article 17 erasure) for the Customer account and its associated data.
- Assisted requests: for Data Subject requests that the Customer cannot fulfil via the dashboard alone, PostStack will respond to a written request from the Customer at privacy@poststack.dev within 5 business days with acknowledgement and within 15 business days with the fulfilment data or the action taken. This is comfortably within the one-month statutory deadline in Article 12(3).
- Erasure verification: erasure requests are recorded in an erasure_requests ledger and confirmed back to the requester on completion.
- Retained data: data retained under Article 17(3) exceptions (legal obligation, e.g. tax records; or for the establishment, exercise, or defence of legal claims) is identified and minimised; everything else is deleted.
9. Sub-processors
Customer authorizes PostStack to use Sub-processors. PostStack maintains a current authoritative list at /sub-processors. The current Sub-processors are:
- Hetzner Online GmbH (Finland — Helsinki / hel1) — infrastructure hosting (servers, storage, network, backups). All customer email content and metadata is processed and stored exclusively on Hetzner.
- Stripe Payments Europe Ltd (Ireland) — payment processing for paid plans. Receives billing contact details and invoice metadata only; does not receive email content, recipient lists, or message metadata.
- GitHub, Inc. (United States) — optional OAuth sign-in provider, engaged only when an individual user explicitly chooses "Sign in with GitHub". Receives profile name, email, and avatar URL for that user. Transfer mechanism: Standard Contractual Clauses + EU-US Data Privacy Framework.
PostStack will notify Customer at least 30 days before adding or replacing a Sub-processor that processes Personal Data. If Customer reasonably objects, PostStack will work in good faith to find a mutually acceptable resolution; if none can be found, Customer may terminate the Service without penalty.
10. International data transfers
All Personal Data is processed and stored within the European Union (EU) using infrastructure located in Helsinki, Finland. PostStack does not transfer customer email content, recipient data, or message metadata outside the EEA. The only EEA-out transfer is the optional GitHub OAuth sign-in for individual users (transfer mechanism: SCCs + EU-US Data Privacy Framework), which is only engaged when an individual user opts in. Should the EEA-out scope change, PostStack will rely on Standard Contractual Clauses approved by the European Commission and will notify Customer in advance.
11. Audit rights
PostStack will make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. In practice:
- PostStack will respond to written security questionnaires within 15 business days.
- PostStack will provide its controls inventory and policy documentation under NDA on request.
- For Enterprise customers, an on-site or virtual audit may be conducted no more than once per 12-month period, with at least 30 days' notice, during normal business hours, and subject to a written confidentiality agreement. Reasonable audit costs are borne by the requesting party.
12. Term and termination
This DPA remains in effect for as long as PostStack processes Personal Data on behalf of Customer. Upon termination of the underlying agreement, PostStack will delete all Personal Data within 30 days, except as required by applicable law (e.g. tax records). Customer may, prior to deletion, request a final export of its data via the dashboard or via a written request to privacy@poststack.dev.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the underlying Terms of Service.
14. Acceptance
By using the PostStack Service, Customer accepts this DPA. Enterprise customers requiring a counter-signed copy may request one from privacy@poststack.dev.
Data Controller: Customer · Data Processor: MICCI (Fyrretoften 31, 7100 Vejle, Denmark) · CVR 45587452