Data Processing Agreement

1. Definitions

• "GDPR" means the EU General Data Protection Regulation 2016/679.
• "Personal Data" means any information processed under this DPA that relates to an identified or identifiable natural person, as defined by the GDPR.
• "Data Subject" means the natural person to whom the Personal Data relates (typically the Customer's end users and email recipients).
• "Sub-processor" means a third-party processor engaged by PostStack to process Personal Data on PostStack's behalf.

2. Scope and roles

Customer acts as the Data Controller for Personal Data processed by the Service. PostStack acts as a Data Processor and processes Personal Data strictly to provide the Service in accordance with the Customer's documented instructions, this DPA, the Terms of Service, and the Privacy Policy.

3. Nature and purpose of processing

The Service involves the processing of Personal Data for these purposes:

• Sending transactional and marketing emails to Customer's recipients
• Storing and managing Customer's contact lists
• Recording email events (delivered, opened, clicked, bounced)
• Hosting mailboxes for Customer's end users (if enabled)
• Receiving and forwarding inbound email
• Generating analytics and deliverability reports

4. Categories of Data Subjects and Personal Data

Data Subjects: Customer's employees, end users, customers, contacts, and email recipients.

Categories of Personal Data: names, email addresses, IP addresses (from tracking events), email content, email metadata (subject, timestamps, headers), file attachments, custom contact properties as configured by the Customer.

5. PostStack obligations

• Process Personal Data only on documented Customer instructions, including transfers, unless required by EU or Member State law.
• Ensure that personnel authorized to process Personal Data have committed themselves to confidentiality.
• Implement appropriate technical and organizational measures (see Security) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
• Assist Customer in responding to Data Subject requests under Articles 12–22 of the GDPR.
• Notify Customer without undue delay (and within 72 hours) of becoming aware of a Personal Data breach.
• Delete or return all Personal Data after the end of the Service provision, unless EU or Member State law requires storage.
• Make available all information necessary to demonstrate compliance and allow for audits as required by Article 28(3)(h).

6. Sub-processors

Customer authorizes PostStack to use Sub-processors. PostStack maintains a current list of Sub-processors and the categories of data they process. Current Sub-processors:

• Hetzner Online GmbH (Germany) — infrastructure hosting (servers, storage, network)
• Stripe Payments Europe Ltd (Ireland) — payment processing for paid plans

PostStack will notify Customer at least 30 days before adding or replacing a Sub-processor. If Customer reasonably objects, PostStack will work in good faith to find a mutually acceptable resolution; if none can be found, Customer may terminate the Service without penalty.

7. International data transfers

All Personal Data is processed and stored within the European Union (EU) using infrastructure located in EU data centers. PostStack does not transfer Personal Data outside the EEA. Should this change, PostStack will rely on Standard Contractual Clauses approved by the European Commission and notify Customer in advance.

8. Term and termination

This DPA remains in effect for as long as PostStack processes Personal Data on behalf of Customer. Upon termination of the underlying agreement, PostStack will delete all Personal Data within 30 days, except as required by applicable law (e.g. tax records).

9. Liability

Each party's liability under this DPA is subject to the limitations set out in the underlying Terms of Service.

10. Acceptance

By using the PostStack Service, Customer accepts this DPA. Enterprise customers requiring a counter-signed copy may request one from privacy@poststack.dev.