MailFlow

Legal

Terms of ServicePrivacy PolicyData Processing AddendumAcceptable Use Policy

Data Processing Addendum

Last updated: April 1, 2026

This Data Processing Addendum ("DPA") forms part of the MailFlow Terms of Service between MailFlow Labs Inc. ("Processor") and the customer ("Controller"). It applies whenever MailFlow processes Personal Data on behalf of the Controller in connection with the Service.

1. Definitions

Terms not defined here have the meaning set forth in the GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA/CPRA, KVKK, LGPD or other applicable data protection law, as relevant.

2. Subject matter and duration

Subject matter: provision of the MailFlow cold email outreach platform. Duration: for the term of the Controller's subscription, plus 30 days post-cancellation for deletion.

3. Nature and purpose of processing

Sending and receiving email on behalf of the Controller through credentials supplied by the Controller, plus analytics, warmup, deliverability tooling and unified inbox features as described in the Service.

4. Categories of data subjects and personal data

  • End users of the Controller (recipients of the Controller's outreach campaigns)
  • The Controller's own employees and team members
  • Personal data: name, email address, job title, company, phone, custom fields supplied by the Controller; metadata about email engagement (opens, clicks, replies, bounces).

5. Processor obligations

  • Process Personal Data only on the Controller's documented instructions.
  • Ensure persons authorized to process Personal Data are bound by confidentiality.
  • Implement technical and organizational measures appropriate to the risk (Annex A).
  • Engage Subprocessors only with prior general written authorization (Annex B).
  • Assist the Controller with data subject requests within reasonable timelines.
  • Notify the Controller of a personal data breach without undue delay.

6. Subprocessors

The Controller authorizes the use of the Subprocessors listed in Annex B. MailFlow will notify the Controller of intended additions or replacements at least 30 days in advance.

7. International transfers

For transfers to jurisdictions not covered by an adequacy decision, the parties incorporate the Standard Contractual Clauses (Module 2 — Controller to Processor) by reference.

8. Audit

On reasonable notice and not more than once per year, the Controller may audit MailFlow's compliance with this DPA. MailFlow may satisfy this obligation by providing relevant third-party audit reports (e.g., SOC 2 once available).

9. Deletion or return of data

On termination of the Service, MailFlow will delete or return all Personal Data within 30 days, unless retention is required by law.

Annex A — Technical and organizational measures

  • AES-256-GCM encryption at rest for SMTP/IMAP credentials and OAuth tokens.
  • TLS 1.2+ in transit; HSTS preload; strict CSP.
  • Bcrypt password hashing (cost 12); JWT sessions with httpOnly cookies.
  • Role-based access control with audit logging.
  • Daily backups with 30-day point-in-time recovery, encrypted at rest.
  • Annual penetration testing; bug bounty in development.

Annex B — Authorized subprocessors

  • Stripe, Inc. — billing and payment processing (US/EU)
  • Postmark or Resend — transactional email delivery (US)
  • Cloudflare, Inc. — CDN, DNS, DDoS protection (Global)
  • AWS or GCP — compute, storage, queues (US/EU)
  • Sentry — error monitoring (US, with EU data residency option)
  • PostHog — product analytics (US/EU)

For an executable copy of this DPA contact legal@mailflow.dev.