Skip to main content
MailHook
Dashboard

Data Processing Addendum

Last updated

Draft. This DPA describes MailHook's intended data processing terms. Review with qualified counsel before executing.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between MailHook ("Processor") and the customer ("Controller") when Controller uses MailHook to process personal data governed by the EU General Data Protection Regulation (GDPR), the UK GDPR, or similar regimes.

1. Scope and roles

Controller determines the purposes and means of the processing of personal data. Processor processes personal data on Controller's behalf solely to provide the MailHook service described in the Terms.

2. Subject matter and duration

The subject matter is the operation of the MailHook service. Processing continues for the duration of the subscription plus any retention period defined in the Privacy Policy.

3. Nature and purpose

Processing includes receiving, parsing, storing, transforming, and routing inbound email to destinations Controller configures.

4. Categories of data

Email headers, envelope, body, attachments, and associated metadata, plus any personal data Controller's routing rules or integrations transmit.

5. Data subject categories

Individuals who send email to or are addressed in emails received by Controller's MailHook inboxes, and Controller's users.

6. Sub-processors

Controller authorizes MailHook to use the sub-processors below. MailHook will notify Controller in advance of adding a new sub-processor and allow a reasonable period to object.

| Sub-processor | Purpose | Primary region | Transfer mechanism | |---------------|---------|----------------|--------------------| | Cloudflare | Email ingest, Workers, KV, R2, Queues, Send Email, Turnstile | Global edge | SCCs + UK IDTA | | Supabase | Postgres database + authentication | US / EU (per project) | SCCs | | Lemon Squeezy | Payments (Merchant of Record), invoicing, tax | US | SCCs | | Twilio | WhatsApp Business delivery (Scale only) | US | SCCs | | OneSignal | Push delivery (optional) | US | SCCs | | Trello (Atlassian) | Task creation (optional) | US | SCCs | | Notion | Notes integration (optional) | US | SCCs | | DeepL | AI translation transform (optional, Scale) | EU (Germany) | N/A (EEA) | | OpenAI | AI summarization transform (optional, Scale) | US | SCCs |

7. Security

MailHook implements appropriate technical and organizational measures, including:

  • AES-GCM (256-bit) encryption of integration credentials at rest using INTEGRATION_ENC_KEY, held separately from the ciphertext.
  • TLS 1.2+ in transit between all production components.
  • Row-level security on every multi-tenant Supabase table, scoped through account_users membership.
  • HMAC-SHA256 signed webhook deliveries with timestamp replay protection (5-minute window).
  • Transient delivery failures are retried through Cloudflare Queues — up to 40 attempts across a 48-hour window on the Scale plan; unresolved messages are moved to a dead-letter queue.
  • Access controls and audit logging for production systems.

8. International transfers

Where MailHook transfers personal data outside the EEA or UK, it relies on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other recognized safeguards.

9. Data subject rights

MailHook will assist Controller in responding to data subject rights requests to the extent required by applicable law.

10. Breach notification

MailHook will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller's data.

11. Deletion and return

On termination and at Controller's election, MailHook will delete or return personal data within a reasonable period, subject to legal retention obligations.

12. Contact

DPA questions: support@mailhook.in