This DPA governs how NuMail processes personal data on your behalf when you use the platform to run cold-email infrastructure. It forms part of, and is incorporated into, the NuMail Terms of Service.
You decide which contacts to email, what data to upload, and why. That makes you the controller of the personal data in your workspace. NuMail processes that data only to deliver the service to you — sending through your connected mailboxes, detecting replies, drafting responses, and reporting analytics — which makes us your processor.
You (controller): determine the purposes and means of processing. Responsible for having a lawful basis to contact each recipient and for honoring opt-outs.
NuMail (processor): processes personal data solely on your documented instructions to operate the platform, and never for our own marketing or to build cross-customer profiles.
For agencies on the Agency tier, you act as processor toward your own end-clients, and NuMail acts as your sub-processor. The same obligations in this DPA flow down to those sub-workspaces.
Your documented instructions are: (a) this DPA, (b) the Terms of Service, and (c) the configuration and actions you take inside the product or via the REST API and MCP server — connecting a mailbox, launching a campaign, generating an AI draft, exporting a report. We process personal data only to provide, secure, and support those functions.
If a law we're subject to requires us to process beyond your instructions, we'll tell you before doing so unless that law forbids the notice. If we believe an instruction infringes data-protection law, we'll inform you and may pause the relevant processing.
You give general authorization for NuMail to engage sub-processors to deliver the service. Each is bound by data-protection terms no less protective than this DPA. The categories and current providers are below; this is representative, not exhaustive.
Connected mailbox providers (Gmail, Microsoft, your own SMTP) are sub-processors only to the extent NuMail routes data through them on your behalf — your underlying mailbox relationship is your own. Customers can request the live, dated sub-processor list at any time by emailing the address in §11, and can subscribe to change notices.
We'll give at least 30 days' notice before adding or replacing a sub-processor that handles personal data. If you reasonably object on data-protection grounds, you may raise it within that window; if we can't address it, you may terminate the affected service without penalty for the remaining prepaid term.
We maintain measures appropriate to the risk (GDPR Art. 32), reviewed as the platform evolves. At a minimum:
TLS 1.2+ on every connection — browser, API, webhooks, and provider calls. HSTS enforced.
Databases and backups encrypted with AES-256. OAuth tokens stored in an isolated, envelope-encrypted vault.
Least-privilege, role-based access; SSO + MFA for staff; workspace-scoped API keys you can rotate anytime.
Row-level scoping per workspace. AI drafting and warmup are isolated so data never crosses tenants.
Audit logs on sensitive actions, anomaly alerts, and retained access records for incident review.
Point-in-time database recovery, regular backups, and a tested restore procedure.
Personnel with access are bound by confidentiality obligations that survive the end of their engagement. Security changes only ever raise the bar — we will not materially weaken these measures during your term.
Because you're the controller, requests from data subjects — access, rectification, erasure, restriction, portability, objection — come to you. NuMail provides the tooling and assistance to honor them.
DELETE /v1/leads/:id, which removes the record and its message history.
If a data subject contacts NuMail directly about your data, we'll forward the request to you and won't respond on the substance ourselves unless legally required.
On becoming aware of a personal-data breach affecting data we process for you, NuMail will notify you without undue delay. Our target is notice within 72 hours of confirmation, giving you the runway to meet your own regulator deadlines.
The notice will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, the measures we've taken or propose to take, and a point of contact. Where details emerge over time, we'll send them in phases rather than wait for a complete picture.
We'll cooperate reasonably with your breach assessment and any required notifications to authorities or data subjects. Our notice is not, by itself, an admission of fault.
NuMail and several sub-processors operate from the United States. Where we transfer personal data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs), incorporated by reference into this DPA, plus the UK International Data Transfer Addendum for UK data.
EEA / UK customers who need data residency can request EU-region hosting; tell us before onboarding so we provision the right region.
On reasonable written request (no more than once per year, unless a regulator or a breach requires otherwise), NuMail will make available the information needed to demonstrate compliance with this DPA — our security documentation, sub-processor list, and, when available, third-party reports or certifications.
Where documentation isn't enough to address a specific, well-founded concern, we'll cooperate on a focused audit during business hours, on reasonable notice, under confidentiality, and in a way that doesn't disrupt the service or compromise other customers' data. Each party bears its own audit costs.
At the end of your subscription you can export your data — leads, campaigns, replies, analytics — via the dashboard or API for as long as your workspace stays accessible.
We may retain the minimum data required by law (e.g. invoices for tax records) and aggregated, non-identifying statistics that can't be tied back to a data subject.
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Terms of Service, and any reference to a party's liability there applies to the combined liability of that party under the Terms and this DPA.
This does not limit any liability that cannot be limited under applicable data-protection law, including a data subject's rights to compensation. Where both parties are responsible for damage caused by processing, each is liable to a claimant in line with Art. 82 GDPR, with the right to seek contribution from the other party in proportion to its responsibility.
For anything on this DPA — the live sub-processor list, an SCC counter-signature, a breach or audit inquiry, or to have us review your own DPA — reach our data-protection team:
We respond to DPA and privacy requests within five business days. Enterprise and Agency customers can request a counter-signed DPA before go-live.
✉ dpa@numail.ai
SCCs, sub-processor transparency, breach notice without undue delay, and one-line GDPR deletion — built into the platform, not bolted on.