EarthMails
Data Processing Agreement

This agreement governs how EarthMails processes personal data on your behalf as a processor under GDPR, UK GDPR, CCPA, and other applicable data protection regulations.

Last updated:

TL;DR — The short version

  • EarthMails processes data only on your documented instructions.
  • We never read or store email body content beyond what delivery requires.
  • All sub-processors are bound by equivalent data protection obligations.
  • International transfers use EU Standard Contractual Clauses.
  • Enterprise customers can request a countersigned DPA at any time.

You — Data Controller

You determine why and how personal data is processed. You set the instructions; we follow them.

EarthMails — Data Processor

We process personal data solely on your behalf and only to deliver the agreed Services.

Overview & Scope

Purpose of This Agreement

This Data Processing Agreement ("DPA") forms part of the contract between EarthMails ("Processor") and the customer ("Controller") and governs the processing of personal data by EarthMails on behalf of the customer in connection with the EarthMails services ("Services"). This DPA is incorporated into and subject to the EarthMails Terms of Service.

Applicability

This DPA applies where and to the extent that EarthMails processes personal data that is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), or any other applicable data protection law, on behalf of the customer in the course of providing the Services.

Roles

The customer acts as the Data Controller — they determine the purposes and means of processing personal data. EarthMails acts as the Data Processor — it processes personal data only on behalf of, and under the documented instructions of, the Controller. In limited circumstances (e.g. for billing and account management), EarthMails may act as a Controller in its own right; this is governed by our Privacy Policy.

Data We Process on Your Behalf

Categories of Personal Data

In the course of providing the Services, EarthMails may process the following categories of personal data on behalf of the Controller: email addresses (sender and recipient), names associated with email accounts, email metadata (subject lines, timestamps, message IDs, SMTP headers), IP addresses associated with email transmission, and custom domain configuration data.

Special Category Data

EarthMails does not intentionally process special categories of personal data (such as health, race, religious beliefs, biometric data, or financial data) on behalf of Controllers. Customers must not use the Services to send or process such data without first contacting us to put in place appropriate safeguards.

Email Body Content

EarthMails does not read, analyse, or store the body content of emails transmitted through the Service for any purpose other than delivery, spam filtering, and malware detection, as required to provide the Service. Email content is not retained beyond what is necessary for transmission.

Data Subjects

The data subjects whose personal data may be processed include the Controller's employees, contractors, customers, suppliers, and any other individuals who send or receive email through the Controller's mailboxes hosted on EarthMails.

Processing Instructions

Processing Under Controller's Instructions

EarthMails will process personal data only on documented instructions from the Controller, including those set out in these Terms and the DPA, and as otherwise communicated in writing by the Controller. EarthMails will not process personal data for any other purpose.

Legal Obligation Exception

If EarthMails is required by applicable law to process personal data beyond the Controller's instructions, EarthMails will inform the Controller before such processing unless prohibited by law.

Conflict with Instructions

If EarthMails believes that an instruction from the Controller violates applicable data protection law, it will promptly notify the Controller. EarthMails may suspend processing of the relevant data pending clarification from the Controller.

Technical & Organisational Security Measures

Security Standard

EarthMails implements and maintains appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access ("Security Measures"). These measures are designed to ensure a level of security appropriate to the risk.

Encryption

All personal data in transit is encrypted using TLS 1.2 or higher. All personal data at rest is encrypted using AES-256. Encryption keys are managed via a dedicated key management system with role-based access controls.

Access Controls

Access to systems containing personal data is restricted to authorised personnel on a need-to-know basis. All access requires multi-factor authentication. Access logs are maintained, reviewed regularly, and retained for a minimum of 12 months.

Infrastructure Security

EarthMails infrastructure is hosted in SOC 2 Type II certified data centres. Physical security controls include 24/7 surveillance, biometric access, and redundant power and networking. Regular vulnerability assessments and penetration tests are conducted at least annually.

Incident Response

EarthMails maintains a documented incident response plan. In the event of a personal data breach, EarthMails will notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach, providing sufficient information for the Controller to meet its regulatory notification obligations.

Security Reviews

EarthMails reviews and updates its Security Measures at least annually and following any significant changes to the infrastructure or processing activities. Customers may request a summary of security measures by contacting info@earthmails.com.

Sub-Processors

Use of Sub-Processors

The Controller provides general authorisation for EarthMails to engage sub-processors to assist in providing the Services. EarthMails will ensure that each sub-processor is bound by data processing obligations equivalent to those in this DPA.

Current Sub-Processors

EarthMails uses a limited set of sub-processors, including cloud infrastructure providers (for hosting and storage), payment processors (Stripe, for billing), and transactional email service providers (for system notifications). A current list of sub-processors is available upon request at info@earthmails.com.

Changes to Sub-Processors

EarthMails will notify the Controller, by email or in-product notice, at least 14 days before adding or replacing a sub-processor. The Controller may object to the change within 14 days by notifying EarthMails in writing. If the parties cannot resolve the objection, the Controller may terminate the Services as set out in the Terms of Service.

Liability for Sub-Processors

EarthMails remains liable for the acts and omissions of its sub-processors to the same extent as if EarthMails had performed the processing itself.

International Data Transfers

Transfer Mechanisms

Where personal data is transferred outside the European Economic Area (EEA) or the UK, EarthMails ensures that an appropriate transfer mechanism is in place, such as the EU Standard Contractual Clauses (SCCs) approved by the European Commission or the UK International Data Transfer Agreement (IDTA), or that the recipient country has been granted an adequacy decision.

Standard Contractual Clauses

By entering into this DPA, the parties agree to be bound by the EU SCCs (Controller-to-Processor module) where applicable. Customers who require a signed copy of the SCCs may contact info@earthmails.com.

Data Residency

By default, customer data is stored in data centres within the European Union. Customers with specific data residency requirements should contact us at info@earthmails.com before onboarding to discuss available options.

Data Subject Rights

Assistance with Requests

EarthMails will assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).

Forwarding Requests

If EarthMails receives a data subject request relating to data for which the customer is the Controller, EarthMails will promptly forward the request to the Controller without acting on it directly (unless instructed to do so by the Controller).

Response Timeframe

EarthMails will provide the Controller with reasonable cooperation and assistance to respond to data subject requests within the timeframes required by applicable law (typically 30 days under GDPR).

Audits & Compliance

Audit Rights

EarthMails will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA and with applicable data protection law. Upon reasonable notice (at least 30 days), EarthMails will allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller, subject to confidentiality obligations and reasonable restrictions to protect the security of other customers.

Third-Party Certifications

In lieu of a direct audit, EarthMails may provide relevant third-party audit reports, certifications (such as SOC 2 Type II), or security assessments as evidence of compliance. These will be provided under a non-disclosure agreement.

Data Protection Impact Assessments

Where required by applicable law, EarthMails will cooperate with the Controller in conducting Data Protection Impact Assessments (DPIAs) relating to the use of the Services, and will provide any information reasonably requested by the Controller for this purpose.

Regulatory Cooperation

EarthMails will cooperate with the Controller and with the relevant supervisory authority in the performance of their tasks where required by applicable law.

Retention & Deletion

Retention During Service

EarthMails retains personal data processed on behalf of the Controller only for as long as necessary to provide the Services and as instructed by the Controller.

Deletion Upon Termination

Upon termination of the Services or upon written request from the Controller, EarthMails will delete or return all personal data processed on behalf of the Controller, and will delete all existing copies, unless applicable law requires retention of the data. Deletion will be completed within 90 days of the request or termination.

Deletion Certification

Upon request, EarthMails will provide a written certification confirming the deletion of personal data within 30 days of completion.

Backup Retention

Encrypted backups may retain data for up to 30 days after deletion from primary systems before being permanently purged from backup storage.

Contact & DPA Execution

Data Protection Officer

For questions about data processing, to request a signed copy of this DPA or the Standard Contractual Clauses, or to exercise any rights under this agreement, please contact us at info@earthmails.com.

Executing a Formal DPA

For enterprise customers or those requiring a countersigned DPA for compliance purposes, please contact info@earthmails.com. We will provide a copy of our standard DPA for review and signature within 5 business days.

Updates to This Agreement

EarthMails may update this DPA from time to time to reflect changes in applicable law or our processing activities. We will provide at least 30 days' notice of material changes. Continued use of the Services after the effective date constitutes acceptance.

© 2026 EarthMails. All rights reserved.