Legal
Data processing agreement
For customers who need Article 28 terms: this page summarizes the DPA; the signable copy is available on request.
Facts verified 2026-07-17 — corrections: hello@emailfast.dev
Roles. You are the controller of the personal data you send through the platform; Email Fast is your processor. We process it only to provide the service, on your documented instructions.
What the DPA covers
- Scope & instructions — processing limited to delivering the service; no secondary use, no model training, no advertising.
- Confidentiality — operator access is restricted and recorded in a tamper-evident transparency log.
- Security measures — as published on the security page, incorporated by reference with a change-notification duty.
- Subprocessors — the current list is at subprocessors; we notify before adding one, with a right to object.
- Breach notification — without undue delay and within 72 hours of awareness, with what we know, what's affected, and what we're doing.
- Data subject requests — we assist; where you've enabled it, crypto-shred erasure gives you deletion that is provable rather than promised.
- International transfers — data is processed in the EU (Germany); no transfers outside the EEA in the standard service.
- Return & deletion — full export on exit, then deletion per the retention schedule.
Getting a signed copy
Email hello@emailfast.dev with subject DPA — we return a signable copy. Redlines: we read them; reasonable asks get accepted, and unreasonable ones get a plain-language explanation of why not.