Data processing agreement (DPA)

What is a data processing agreement?

A data processing agreement (DPA) is a legally binding contract between a data controller (your organisation) and a data processor (EmailConnect). Under GDPR Article 28, a DPA is required whenever a third party processes personal data on your behalf.

For email automation, this matters because inbound emails frequently contain personal data — names, email addresses, and potentially sensitive content in the body or attachments.

What our DPA covers

EmailConnect's DPA addresses the following areas as required by GDPR Article 28(3):

Data processing scope

  • Types of personal data processed (email metadata, body content, attachments)
  • Categories of data subjects (your customers, partners, employees)
  • Purpose and duration of processing

EU data residency guarantee

  • All data processed and stored exclusively in EU data centres (France & Germany)
  • No data transfers outside the EU/EEA
  • No U.S.-based sub-processors or infrastructure
  • Explicit immunity from CLOUD Act, FISA Section 702, and Patriot Act jurisdiction

Sub-processor transparency

  • Complete list of sub-processors with their roles and locations
  • Advance notification of any sub-processor changes
  • All sub-processors are EU-based entities

Security measures

  • Technical and organisational measures (TOMs) in place
  • Encryption in transit and at rest
  • Access controls and authentication requirements
  • Incident response procedures

Data subject rights

  • Procedures for handling data subject access requests (DSARs)
  • Support for data portability and erasure requests
  • Response timeframes and cooperation commitments

Data deletion

  • Procedures for data return or deletion upon contract termination
  • Confirmation of deletion upon request
  • Alignment with your configured data retention policies

How to request a DPA

DPAs are available for enterprise plan customers. To request one:

  1. Contact us at enterprise@emailconnect.eu
  2. We'll send you our standard DPA for review
  3. If your legal team requires modifications, we'll work with you to finalise terms
  4. Both parties sign, and the DPA takes effect alongside your service agreement

Why jurisdiction matters for your DPA

A DPA is only as strong as the legal jurisdiction it operates in. If your email processor is a U.S.-owned company — even with EU servers — the CLOUD Act can compel it to hand over data regardless of what the DPA says.

EmailConnect is an EU-owned and EU-operated company. Our DPA is enforceable under EU law without conflict from foreign legal frameworks. Read more in our guide on why server location isn't enough.