Legal · Updated 2026-04-01
Data Processing Agreement.
Pre-signed DPA, current sub-processor list, and security overview. Enterprise customers can request a counter-signed version with custom terms.
Sub-processors
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Primary hosting (EU/US) | eu-west-1, us-east-1 |
| Stripe | Billing and payments | EU/US |
| Postmark | Transactional email | US |
| Sentry | Error monitoring | EU |
| Plausible Analytics | Privacy-friendly web analytics | EU |
| Cloudflare | CDN, WAF, DDoS protection | Global |
Security overview
- SOC 2 Type II audited annually.
- ISO 27001 certified.
- Data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Mandatory SSO and 2FA for all employees with production access.
- Quarterly penetration tests by independent firms.
- Incident response: customers notified within 72 hours per GDPR Art. 33.
Sub-processor changes
We will notify customers at least 30 days before adding or replacing a sub-processor. You may object during that window.
Contact
Reach our Data Protection Officer through the contact page — choose “Customer support” and we'll route to the DPO.
Email signatures, finally treated as the brand asset they are.
Start 14-day free trial