Data Processing Agreement
Effective May 1, 2026
1. Definitions
"Personal Data", "Controller", "Processor", "Data Subject", and "Processing" have the meanings given in the GDPR. "Customer Data" means data that the Customer or its end users submit to the Postify service. "Sub-processor" means any third party engaged by Postify to process Customer Data.
2. Roles and scope
The Customer is the Controller of Customer Data. Postify is a Processor that processes Customer Data only on the Customer's documented instructions, which include the use of the service per the Terms.
3. Postify obligations
- Process Customer Data only on documented Customer instructions.
- Ensure persons with access are subject to confidentiality obligations.
- Implement technical and organizational measures listed in Annex II.
- Assist the Customer with Data Subject requests, DPIAs, and breach notifications.
- Delete or return Customer Data at end of services per the Customer's choice.
4. Sub-processors
The Customer authorizes Postify to use the sub-processors listed in the latest register, available on request at security@postify.to. Postify will give 30 days' advance notice before adding a new sub-processor; the Customer may object on reasonable grounds.
5. International transfers
Where Customer Data is transferred outside the EEA/UK to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and, where applicable, the UK International Data Transfer Addendum.
6. Security measures
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Role-based access control with MFA enforced for all Postify staff.
- SOC 2 Type II audit, annual penetration testing, internal SAST/DAST.
- 24/7 incident response with median MTTR under 30 minutes for P1.
- Personnel training on data protection and confidentiality.
7. Personal Data breach
Postify will notify the Customer without undue delay (and in any case within 48 hours) of becoming aware of a Personal Data Breach affecting Customer Data, with the information needed for the Customer to meet its own notification obligations.
8. Audits
Postify makes its SOC 2 report and security questionnaire (CAIQ) available on request under NDA. For audits beyond that, Customers on Scale may, with reasonable notice, conduct or commission an audit at their own cost, subject to confidentiality.
9. Data deletion
At the end of services, the Customer can export all Customer Data within 90 days. After 90 days, Postify deletes Customer Data from primary systems within 30 days and from backups within 90 days, except where retention is required by law.
10. Contact
Email dpa@postify.to for DPA execution, sub-processor questions, or audit requests.