Data processing agreement (DPA)
What is a data processing agreement?
A data processing agreement (DPA) is a legally binding contract between a data controller (your organisation) and a data processor (EmailConnect). Under GDPR Article 28, a DPA is required whenever a third party processes personal data on your behalf.
For email automation, this matters because inbound emails frequently contain personal data — names, email addresses, and potentially sensitive content in the body or attachments.
What our DPA covers
EmailConnect's DPA addresses the following areas as required by GDPR Article 28(3):
Data processing scope
- Types of personal data processed (email metadata, body content, attachments)
- Categories of data subjects (your customers, partners, employees)
- Purpose and duration of processing
EU data residency guarantee
- All data processed and stored exclusively in EU data centres (France & Germany)
- No data transfers outside the EU/EEA
- No U.S.-based sub-processors or infrastructure
- Explicit immunity from CLOUD Act, FISA Section 702, and Patriot Act jurisdiction
Sub-processor transparency
- Complete list of sub-processors with their roles and locations
- Advance notification of any sub-processor changes
- All sub-processors are EU-based entities
Security measures
- Technical and organisational measures (TOMs) in place
- Encryption in transit (TLS)
- Access controls and authentication requirements
- Incident response procedures
Data subject rights
- Procedures for handling data subject access requests (DSARs)
- Support for data portability and erasure requests
- Response timeframes and cooperation commitments
Data deletion
- Procedures for data return or deletion upon contract termination
- Confirmation of deletion upon request
- Alignment with your configured data retention policies
Data Residency Mode addendum
If you have enabled Data Residency Mode (Platform plan), the DPA includes an addendum that reflects the reduced data scope:
- Email content (body, attachments, headers) is not stored in EmailConnect's database — only routing metadata is retained
- Content is delivered to your webhook and stored in your own S3 bucket, under your jurisdiction
- The Processor's obligations under this DPA apply only to the routing metadata it retains
- Responsibility for the storage, retention, and protection of email content transfers to you as the Controller
How to access the DPA
The DPA is available for download directly from your account settings:
- Go to Compliancy settings
- Download the pre-signed DPA document
- The DPA is available to all users, including those on the Free plan
No need to contact support — the DPA is ready for immediate download.
Why jurisdiction matters for your DPA
A DPA is only as strong as the legal jurisdiction it operates in. If your email processor is a U.S.-owned company — even with EU servers — the CLOUD Act can compel it to hand over data regardless of what the DPA says.
EmailConnect is an EU-owned and EU-operated company. Our DPA is enforceable under EU law without conflict from foreign legal frameworks. Read more in our guide on why server location isn't enough.