Data Processing Addendum
1. Definitions
"Controller", "Processor", "Personal Data", and "Processing" have the meanings in GDPR Article 4. The Customer is the Controller; Relayly is the Processor.
2. Subject matter
Relayly processes Personal Data on the Customer's instructions to deliver the Service.
3. Duration
For as long as the Customer's account is active, plus the retention windows in our Privacy Policy.
4. Nature and purpose
Receiving, queueing, signing, transmitting, and recording delivery events for emails the Customer submits.
5. Categories of data
- Email envelope (From, To, Cc, Bcc, Reply-To).
- Headers (Subject, custom headers).
- Message body (HTML + plaintext).
- Recipient open/click events.
- Optional contact list / segment data the Customer uploads.
6. Data subjects
The Customer's recipients (employees, customers, prospects per the Customer's lawful basis).
7. Sub-processors
Listed at /sub-processors. We provide 30 days' notice of new sub-processors. The Customer may object in writing.
8. International transfers
Standard Contractual Clauses (EU 2021/914), UK IDTA addendum, and Swiss DPA mechanism are incorporated by reference. Module 2 (controller-to-processor) applies between the Customer and Relayly.
9. Security measures
See Annex II in the downloadable PDF version. Highlights: passwords hashed with Argon2id, AES-256 encryption at rest, TLS 1.2+ in transit, MFA available, audit logging, principle-of-least-privilege RBAC, 24h breach notification.
10. Audits
We make our SOC 2 Type II report (when issued) and ISO 27001 certificate available under NDA via relayly.io/trust-center.
11. Termination
On termination, the Customer may export data within 30 days; thereafter we delete all Personal Data and certify deletion in writing on request.
12. Liability
Liability under this DPA is subject to the limitation in the Terms of Service.