the dpa applies to all customers processing personal data of eu, uk, or swiss data subjects via ephemail. it is incorporated by reference into the master terms (see /legal).
download
- ephemail-dpa-2026-06-05.pdf — current version, countersigned on request.
- ephemail-dpa-2026-06-05.docx — editable.
- to countersign, email a signed copy to legal@ephemail.io with subject "dpa <workspace>". turnaround under 5 business days.
summary
- we are the processor; you are the controller.
- scope: any personal data contained in mail or metadata processed for your workspace.
- standard contractual clauses (eu 2021/914 module two) attached as annex iv.
- breach notification: 48h.
- audit rights: written soc 2 report annually; on-site audit with 30d notice, once per year.
- sub-processor changes notified 30d in advance via email + this page.
sub-processors
| vendor | purpose | location | added |
|---|---|---|---|
| cloudflare, inc. | edge compute, cdn, ddos | global | 2024-01-04 |
| supabase inc. (managed postgres) | primary datastore | us-east-1 / eu-frankfurt | 2024-01-04 |
| aws (s3, ses outbound) | object storage, outbound relay | us-east-1 / eu-frankfurt | 2024-02-12 |
| stripe, inc. | billing | us | 2024-03-01 |
| resend, inc. | transactional email to customers | us | 2024-04-10 |
| sentry (functional software, inc.) | error monitoring (no message bodies) | us | 2024-05-22 |
| plausible insights ou | anonymous web analytics | eu | 2024-06-01 |
notification
to be notified of sub-processor changes, subscribe at /status (we tag dpa-relevant notices) or email legal@ephemail.io to be added to the dpa list.
contact
legal@ephemail.io · privacy@ephemail.io