# Data processing agreement

> Email Fast's DPA: processor obligations, the subprocessor list, security measures, breach notification, and audit support — GDPR Article 28 in plain structure.

Canonical: https://emailfast.dev/legal/dpa

**Roles.** You are the controller of the personal data you send through the
platform; Email Fast is your processor. We process it only to provide the service,
on your documented instructions.

## What the DPA covers

- **Scope & instructions** — processing limited to delivering the service; no secondary use, no model training, no advertising.
- **Confidentiality** — operator access is restricted and recorded in a tamper-evident transparency log.
- **Security measures** — as published on the [security page](/security), incorporated by reference with a change-notification duty.
- **Subprocessors** — the current list is at [subprocessors](/legal/subprocessors); we notify before adding one, with a right to object.
- **Breach notification** — without undue delay and within 72 hours of awareness, with what we know, what's affected, and what we're doing.
- **Data subject requests** — we assist; where you've enabled it, crypto-shred erasure gives you deletion that is provable rather than promised.
- **International transfers** — data is processed in the EU (Germany); no transfers outside the EEA in the standard service.
- **Return & deletion** — full export on exit, then deletion per the retention schedule.

## Getting a signed copy

Email **hello@emailfast.dev** with subject `DPA` — we return a signable copy.
Redlines: we read them; reasonable asks get accepted, and unreasonable ones get a
plain-language explanation of why not.
