Data Processing Addendum

The Processor processes Personal Data on behalf of the Controller for the sole purpose of providing the Delyst email marketing platform. Processing continues for the term of the Terms of Service plus any wind-down period described in section 9 below.

• Data subjects: the Controller's email subscribers and the Controller's team members that use the Service.
• Categories of data: email address, name, custom fields defined by the Controller (e.g. company, country, purchase history), IP address, device and email client metadata, opens / clicks / bounces / unsubscribes.
• Special categories: none processed by default. The Controller must not upload special-category data (health, religion, sexual orientation, etc.) without a separate written agreement.

• Process Personal Data only on documented instructions from the Controller.
• Ensure personnel authorised to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organisational measures (see section 6 and the Privacy Policy).
• Assist the Controller in responding to data-subject requests and in complying with the Controller's obligations under Articles 32–36 GDPR.
• Notify the Controller of a Personal Data Breach without undue delay, and in any case within 48 hours of becoming aware.

The Controller authorises the Processor to engage the sub-processors listed in the Privacy Policy. The Processor will notify the Controller of any intended additions or replacements at least 14 days in advance. The Controller may object in writing; if the objection cannot be resolved, the Controller may terminate the affected portion of the Service.

Where Personal Data is transferred outside the EEA, the Processor relies on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), which are hereby incorporated by reference. A copy of the executed SCCs for a specific sub-processor is available on request at support@delyst.com.

• TLS 1.2+ for data in transit.
• AES-256-GCM encryption of stored secrets and keys.
• Bcrypt password hashing.
• Two-factor authentication available for all user accounts.
• Network segmentation, firewalling, least-privilege access to production.
• Automated dependency vulnerability scanning.
• Immutable audit logs for admin actions.
• Backups rotated and overwritten within 35 days.

The Processor will, within the technical limits of the Service, assist the Controller in responding to data-subject access, rectification, erasure, restriction, portability, and objection requests. Most of these are self-service from within the Delyst dashboard.

The Controller may audit the Processor's compliance with this DPA once per calendar year, on 30 days' written notice, during business hours, and subject to reasonable confidentiality obligations. On request the Processor provides independent audit reports (where available) in lieu of an on-site audit.

On termination of the Service, the Controller can export Personal Data in machine-readable format (CSV or JSON) for 30 days. After that the Processor permanently deletes Personal Data from live systems and from backups within the standard 35-day backup rotation cycle, except where retention is required by law.

Most customers do not need to sign a separate DPA — the terms of this document apply automatically as part of the Terms of Service. If your organisation's legal team requires a countersigned copy, email support@delyst.com and we will return a signed PDF within 5 business days.