Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Postkit ("Processor") for the processing of personal data through the Postkit email API.
Definitions
The following terms have the meanings set out in Article 4 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"):
- Controller — the entity that determines the purposes and means of processing personal data (you, the Postkit customer).
- Processor — the entity that processes personal data on behalf of the Controller (Postkit).
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data, including collection, storage, transmission, and deletion.
- Data Subject — an identified or identifiable natural person whose personal data is processed.
- Sub-processor — a third party engaged by the Processor to process personal data on behalf of the Controller.
Scope of Processing
Postkit processes personal data on your behalf solely to deliver the email services described in the Terms of Service. The specifics are as follows:
- Categories of personal data — email addresses, recipient names, email metadata (subject lines, timestamps, delivery status).
- Categories of data subjects — your end users and recipients of transactional emails you send through Postkit.
- Processing activities — sending emails, logging delivery events, processing bounces, delivering webhook notifications, and providing analytics.
Processor Obligations
Postkit, as Processor, shall:
- Process personal data only on your documented instructions, unless required by EU or Austrian law.
- Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in this DPA.
- Assist you in fulfilling your obligations to respond to data subject rights requests.
- Delete all personal data upon termination of the service, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for audits.
Security Measures
Postkit implements the following technical and organizational measures to protect personal data:
- Encryption in transit — all data is encrypted using TLS 1.3 for API connections and SMTP transmission.
- Encryption at rest — all stored data is encrypted using AES-256.
- Access controls — role-based access control and multi-factor authentication for all infrastructure access.
- Security assessments — regular vulnerability assessments and penetration testing.
- Incident response — documented incident response procedures with defined escalation paths.
- Network isolation — production systems are isolated in private networks with strict firewall rules.
Sub-processors
The current list of sub-processors is maintained on our Privacy Policy page. We will provide at least 14 days' notice before engaging a new sub-processor. You may object to a new sub-processor by notifying us within that 14-day period. If we cannot reasonably accommodate your objection, either party may terminate the affected service.
Data Transfers
All processing of personal data takes place exclusively within the European Union. Postkit does not transfer personal data to third countries. If a transfer outside the EU becomes necessary in the future, we will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission.
Data Subject Rights
We will assist you in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, portability, restriction, and objection). If we receive a request directly from a data subject, we will promptly notify you and will not respond to the request without your instructions, unless required by law.
Breach Notification
We will notify you without undue delay and in any event within 48 hours of becoming aware of a personal data breach. The notification will include:
- The nature of the breach and the categories of data affected.
- The approximate number of data subjects and data records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
Audit
You may audit our compliance with this DPA up to once per year, with at least 30 days' prior written notice. We will provide relevant documentation and reasonable access to our facilities and systems for the purpose of verifying compliance. Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations.
Term & Deletion
This DPA is effective for the duration of the Terms of Service. Upon termination of the service, we will delete all personal data processed on your behalf within 30 days, unless retention is required by EU or Austrian law. We will provide written confirmation of deletion upon request.
Governing Law
This DPA is governed by the laws of Austria. Any disputes arising from this DPA shall be resolved in the courts of Vienna, Austria.