Data Processing Addendum
Governs personal data we process on your behalf as a processor.
Last updated June 17, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between rootmail and Customer and applies to the extent rootmail processes Personal Data on Customer's behalf in providing the Services. Terms not defined here have the meaning given in the Terms or in applicable Data Protection Laws (e.g. the EU/UK GDPR and the CCPA/CPRA).
1. Roles of the parties
For Personal Data contained in Customer Content (recipient data, message content, and related events), Customer is the controller and rootmail is the processor. Where Customer is itself a processor for its own customers (including via sub-tenants), rootmail acts as a sub-processor. rootmail processes such Personal Data only on Customer's documented instructions, which include the Terms and Customer's configuration and use of the Services.
2. Processing details (Annex I)
- Subject matter & duration: processing for the term of the Terms and until deletion under Section 8.
- Nature & purpose: hosting, rendering, sending, routing, tracking, auditing, and proving email the Customer instructs rootmail to send, and providing related dashboard and API functionality.
- Categories of data subjects: Customer's users, contacts, and email recipients (and, for sub-tenancy, those of Customer's customers).
- Categories of Personal Data: identifiers (name, email address), message content and metadata, contact attributes and tags, and technical data (IP address, delivery/engagement events).
- Special categories: not intended; Customer must not submit special-category data except as separately agreed.
3. Obligations of rootmail
rootmail will:
- process Personal Data only on Customer's documented instructions, and inform Customer if an instruction infringes Data Protection Laws;
- ensure personnel authorized to process Personal Data are bound by confidentiality;
- implement and maintain the technical and organizational measures in Section 6 (Annex II);
- assist Customer, taking into account the nature of processing, with data-subject requests and with its obligations regarding security, breach notification, and data-protection impact assessments; and
- make available information reasonably necessary to demonstrate compliance with this DPA.
4. Sub-processors (Annex III)
Customer authorizes rootmail to engage the following sub-processors, each under a written contract imposing data-protection obligations no less protective than this DPA:
- Amazon Web Services, Inc. — hosting, storage (S3), email delivery (SES); United States.
- Stripe, Inc. — payment and subscription processing; United States.
- Anthropic, PBC — AI features where used by Customer; United States.
rootmail will give Customer prior notice of any intended addition or replacement of a sub-processor and an opportunity to object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected Services.
5. International transfers
Where processing involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (and the UK Addendum/Swiss amendments, as applicable), which are deemed entered into and completed with the details in this DPA.
6. Security measures (Annex II)
rootmail maintains measures appropriate to the risk, including:
- encryption of data in transit (TLS) and hashing of credentials and API keys;
- workspace- and tenant-scoped access controls and least-privilege internal access;
- signed, idempotent webhooks and SSRF protections;
- append-only audit logging of message lifecycle and privileged staff actions;
- network isolation for data stores and regular patching; and
- access review and incident-response procedures.
See the security overview. rootmail may update measures provided they do not materially reduce protection.
7. Data subject requests & breach notification
rootmail will, to the extent legally permitted, promptly notify Customer of a request received directly from a data subject and assist Customer in responding using the export and deletion tooling in the Services. rootmail will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data, with information reasonably available to assist Customer's own notification obligations.
8. Deletion & return
On termination or expiry, and at Customer's choice, rootmail will delete or return Customer's Personal Data and delete existing copies within a reasonable period (generally within 90 days), except where retention is required by law. Customer may export its data for 30 days after termination as described in the Terms.
9. Audits
rootmail will make available information necessary to demonstrate compliance and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality, scheduling, and security requirements.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.
11. Contact
Data-protection contact: privacy@rootmail.io.