Data Processing Agreement

1. Definitions

“Controller” means the customer who determines the purposes and means of processing personal data.

“Processor” means FlashPost, acting on behalf of the Controller.

“Personal Data” means any information relating to an identified or identifiable natural person processed by FlashPost in the course of providing the services.

“Subprocessor” means any third party engaged by FlashPost to process Personal Data on behalf of the Controller.

2. Processing Details

FlashPost processes Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by applicable law. The scope of processing is limited to providing the email infrastructure services described in the Terms of Service.

Categories of data processed include email recipient addresses, message metadata (sender, subject, timestamps), and delivery event data (bounces, opens, clicks).

3. Data Subject Rights

FlashPost will assist the Controller in responding to data subject requests for access, rectification, erasure, portability, and objection. Where FlashPost receives a request directly from a data subject, it will promptly redirect the request to the Controller unless prohibited by law.

4. Security Measures

FlashPost implements appropriate technical and organizational measures to protect Personal Data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, regular security audits, and employee training. A detailed security overview is available on our Security page.

5. Subprocessors

FlashPost engages subprocessors for infrastructure hosting, payment processing, and error monitoring. A current list of subprocessors, including their locations and processing activities, is maintained at flashpost.io/legal/subprocessors. The Controller will be notified of any changes to subprocessors at least 30 days in advance.

6. Data Breach Notification

In the event of a personal data breach, FlashPost will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, and remedial measures taken.

7. Term and Termination

This DPA remains in effect for the duration of the Controller's use of the services. Upon termination, FlashPost will delete or return all Personal Data within 30 days, unless retention is required by applicable law. Certification of deletion will be provided upon request.