[{"data":1,"prerenderedAt":11},["ShallowReactive",2],{"$fKRqUWt9gabRDhkgjRj3Imqfr7VT50I6-9bx9LM_zlBU":3},{"title":4,"description":5,"category":6,"order":7,"updated":8,"html":9,"slug":10},"Data processing agreement (DPA)","How to download our signed DPA from your account settings, what it covers, and why it matters for GDPR compliance under Article 28.","enterprise",2,"2026-02-26T00:00:00.000Z","\u003Ch2>What is a data processing agreement?\u003C\u002Fh2>\n\u003Cp>A data processing agreement (DPA) is a legally binding contract between a data controller (your organisation) and a data processor (EmailConnect). Under GDPR Article 28, a DPA is required whenever a third party processes personal data on your behalf.\u003C\u002Fp>\n\u003Cp>For email automation, this matters because inbound emails frequently contain personal data — names, email addresses, and potentially sensitive content in the body or attachments.\u003C\u002Fp>\n\u003Ch2>What our DPA covers\u003C\u002Fh2>\n\u003Cp>EmailConnect's DPA addresses the following areas as required by GDPR Article 28(3):\u003C\u002Fp>\n\u003Ch3>Data processing scope\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Types of personal data processed (email metadata, body content, attachments)\u003C\u002Fli>\n\u003Cli>Categories of data subjects (your customers, partners, employees)\u003C\u002Fli>\n\u003Cli>Purpose and duration of processing\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>EU data residency guarantee\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>All data processed and stored exclusively in EU data centres (France & Germany)\u003C\u002Fli>\n\u003Cli>No data transfers outside the EU\u002FEEA\u003C\u002Fli>\n\u003Cli>No U.S.-based sub-processors or infrastructure\u003C\u002Fli>\n\u003Cli>Explicit immunity from CLOUD Act, FISA Section 702, and Patriot Act jurisdiction\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Sub-processor transparency\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Complete list of sub-processors with their roles and locations\u003C\u002Fli>\n\u003Cli>Advance notification of any sub-processor changes\u003C\u002Fli>\n\u003Cli>All sub-processors are EU-based entities\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security measures\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Technical and organisational measures (TOMs) in place\u003C\u002Fli>\n\u003Cli>Encryption in transit (TLS)\u003C\u002Fli>\n\u003Cli>Access controls and authentication requirements\u003C\u002Fli>\n\u003Cli>Incident response procedures\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Data subject rights\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Procedures for handling data subject access requests (DSARs)\u003C\u002Fli>\n\u003Cli>Support for data portability and erasure requests\u003C\u002Fli>\n\u003Cli>Response timeframes and cooperation commitments\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Data deletion\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Procedures for data return or deletion upon contract termination\u003C\u002Fli>\n\u003Cli>Confirmation of deletion upon request\u003C\u002Fli>\n\u003Cli>Alignment with your configured data retention policies\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Data Residency Mode addendum\u003C\u002Fh3>\n\u003Cp>If you have enabled Data Residency Mode (Platform plan), the DPA includes an addendum that reflects the reduced data scope:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Email content (body, attachments, headers) is \u003Cstrong>not stored\u003C\u002Fstrong> in EmailConnect's database — only routing metadata is retained\u003C\u002Fli>\n\u003Cli>Content is delivered to your webhook and stored in your own S3 bucket, under your jurisdiction\u003C\u002Fli>\n\u003Cli>The Processor's obligations under this DPA apply only to the routing metadata it retains\u003C\u002Fli>\n\u003Cli>Responsibility for the storage, retention, and protection of email content transfers to you as the Controller\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch2>How to access the DPA\u003C\u002Fh2>\n\u003Cp>The DPA is available for download directly from your account settings:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Go to \u003Ca href=\"https:\u002F\u002Fapp.emailconnect.eu\u002Fsettings\u002Fcompliancy\">Compliancy settings\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Download the pre-signed DPA document\u003C\u002Fli>\n\u003Cli>The DPA is available to all users, including those on the Free plan\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>No need to contact support — the DPA is ready for immediate download.\u003C\u002Fp>\n\u003Ch2>Why jurisdiction matters for your DPA\u003C\u002Fh2>\n\u003Cp>A DPA is only as strong as the legal jurisdiction it operates in. If your email processor is a U.S.-owned company — even with EU servers — the CLOUD Act can compel them to hand over data regardless of what the DPA says.\u003C\u002Fp>\n\u003Cp>EmailConnect is an EU-owned and EU-operated company. Our DPA is enforceable under EU law without conflict from foreign legal frameworks. Read more in our guide on \u003Ca href=\"\u002Fhelp\u002Fgdpr-trap-server-location\u002F\">why server location isn't enough\u003C\u002Fa>.\u003C\u002Fp>\n","data-processing-agreement",1781207682154]