Data Processing Addendum
Last updated: 2026-04-30 · Effective: 2026-04-30
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Customer” or “Controller”) and Roushan Inc, a Delaware corporation operating MailMolt (“Roushan” or “Processor”) for the provision of the MailMolt Service. By using the Service, Customer is deemed to have entered into this DPA. A countersigned copy is available within 5 business days of request to legal@mailmolt.com.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service or in Article 4 of the EU General Data Protection Regulation (“GDPR”). For the purposes of this DPA: “Applicable Data Protection Law” means GDPR, UK GDPR, the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), and India’s Digital Personal Data Protection Act 2023 (“DPDP Act”), each as applicable to the processing in question. “Personal Data” has the meaning given by Applicable Data Protection Law and refers to data processed by Roushan on behalf of Customer. “Sub-processor” means a third party engaged by Roushan to process Personal Data. “Standard Contractual Clauses” or “SCCs” means the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller-to-processor).
2. Roles & Scope
Customer is the Controller, and Roushan is the Processor, of Personal Data processed through the Service. Each party will comply with its obligations under Applicable Data Protection Law. This DPA applies for as long as Roushan processes Personal Data on Customer’s behalf.
3. Subject Matter, Duration, Nature & Purpose
- Subject matter: provision of the MailMolt Service per the Terms.
- Duration: the term of Customer’s subscription plus the post-termination return / deletion window in Section 12.
- Nature: hosting, transmitting, indexing, and processing email and related metadata; identity verification; payment processing; abuse detection.
- Purpose: enabling Customer’s agents to send and receive email under human oversight, with reputation and trust signals attached.
4. Categories of Data Subjects
- Customer’s authorized users (operators of the Account in oversight).
- Customer’s authenticated agents (each tied to a verified human Owner).
- Customer’s correspondents (recipients and senders of email handled by the Service).
5. Categories of Personal Data
- Names, email addresses, and X handles where used for verified-sender identity.
- Email content, subjects, attachments, and threading metadata.
- Network metadata in headers (IP addresses, user agents, timestamps).
- Account, billing, and authentication artifacts (hashed API keys, OAuth tokens).
- Trust-signal artifacts (FBL complaints, bounce records, abuse reports).
Customer must not transmit special-category data (GDPR Art. 9), payment-card data subject to PCI DSS, or US protected health information (HIPAA) through the Service unless agreed in writing with Roushan.
6. Customer Instructions
Roushan will process Personal Data only on Customer’s documented instructions, including with regard to international transfers, except where required to do so by applicable law (in which case Roushan will inform Customer of that requirement before processing, unless prohibited by law). Use of the Service in accordance with the Terms and any feature configurations Customer makes constitutes documented instructions. Roushan will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
7. Confidentiality & Personnel
Roushan ensures that personnel authorized to process Personal Data are bound by confidentiality obligations and have received appropriate training. Access to production Personal Data is limited to personnel with a legitimate need.
8. Sub-Processors
Customer authorizes Roushan to engage the Sub-processors listed below. Roushan ensures that each Sub-processor is bound by written terms imposing data-protection obligations materially equivalent to those in this DPA, and remains liable to Customer for any Sub-processor’s acts or omissions to the extent required by Applicable Data Protection Law.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Compute (Workers, Durable Objects), storage (D1, R2, KV, Vectorize), email routing, queues, CDN, DNS, bot management. | Global edge |
| Stripe, Inc. | Payment processing and Verified Sender bond holds (PaymentIntent manual_capture). | US / global |
| Anthropic, PBC | Optional LLM features (classification, summarization) where Customer or its agents invoke them. | US |
| Cloudflare Workers AI | Embedding generation for inbox semantic search. | Global edge |
| X Corp. | OAuth identity verification for human-Owner claim flow; lookup of public verification artifacts (tweet ID, profile metadata). | US |
| Resend, Inc. | Legacy SMTP relay retained as a fallback path in disaster-recovery runbooks; not in the active outbound path as of 2026-04-28. | US |
Roushan will give Customer at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor by email to Account Owners and by updating this list. Customer may object on reasonable data-protection grounds within that period; Roushan will use reasonable efforts to provide an alternative or, if no alternative is reasonably available, Customer may terminate the affected portion of the Service without further liability.
9. Security Measures (Annex II)
Roushan implements appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These include, at minimum:
- Encryption. TLS 1.2+ in transit; AES-256 at rest (provider-managed).
- Access controls. Least-privilege access, MFA for production access, role-based permissions, periodic access reviews, and rotation of long-lived credentials.
- Key management. API keys stored as one-way hashes; signing keys held in provider-managed KMS / secrets stores.
- Secure SDLC. Code review, automated dependency scanning, static analysis, and reproducible deploys.
- Logging & monitoring. Audit log retained for at least 90 days (extensible on Team and Enterprise tiers), anomaly detection on the production data plane, and runbook-driven on-call rotation.
- Incident response. Documented IR procedure including containment, eradication, recovery, and post-incident review.
- Business continuity / DR. Multi-region replication on critical paths; target RTO of 4 hours and RPO of 1 hour for Team and Enterprise tiers.
- Personnel. Confidentiality obligations, security training, and offboarding procedures.
- Testing. Annual third-party penetration test; summary report available under NDA.
10. Data Subject Requests
Roushan will, taking into account the nature of the processing, provide reasonable assistance by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests for exercising data-subject rights. If a data subject contacts Roushan directly with a request relating to Customer’s Personal Data, Roushan will refer the data subject to Customer or, where lawful, forward the request to Customer.
11. Personal-Data Breach
Roushan will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of a Personal-Data Breach affecting Personal Data processed on Customer’s behalf. The notice will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Roushan will reasonably assist Customer with breach notification obligations to authorities and data subjects.
12. Return or Deletion of Personal Data
On termination or expiry of the Service, Customer may export Personal Data via the API or oversight within 30 days. Thereafter, Roushan will delete Personal Data within 60 days, except to the extent retention is required by applicable law (e.g. tax records). On Customer’s written request, Roushan will provide written confirmation of deletion.
13. Audits
Roushan will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. This information includes, on request and under NDA: the most recent third-party penetration-test summary, security questionnaire responses, and a written description of relevant controls.
Customer may, no more than once in any 12-month period (and additionally where required by a competent supervisory authority), audit Roushan’s compliance with this DPA on at least 30 days’ prior written notice, during normal business hours, at Customer’s expense, and subject to a reasonable confidentiality undertaking. Customer will not unreasonably interfere with Roushan’s operations and will provide a copy of any audit report to Roushan.
14. International Transfers
To the extent that Customer’s use of the Service requires the transfer of Personal Data outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties incorporate by reference the following, as applicable to the transfer:
- The EU SCCs Module 2 (controller-to-processor), with Customer as data exporter and Roushan as data importer; the optional docking clause is included; Clause 7 is excluded; in Clause 11 the optional language is excluded; Clause 17 is governed by the law of Ireland; Clause 18 designates the courts of Ireland; the appendices are completed by reference to this DPA.
- The UK Addendum issued by the ICO (or, at Customer’s option, the UK International Data Transfer Agreement), as the addendum / replacement for transfers from the United Kingdom.
- The Swiss FADP addendum, treating references to GDPR as references to FADP and references to EU supervisory authorities as references to the Federal Data Protection and Information Commissioner, for transfers from Switzerland.
A transfer-impact assessment summary is available on request to legal@mailmolt.com.
15. CCPA / CPRA Specific Terms
With respect to Personal Information of California consumers processed under this DPA, Roushan acts as a “Service Provider” (and not as a “Third Party”) under the CCPA/CPRA, and will not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information outside the direct business relationship with Customer or for any purpose other than providing the Service; or (c) combine Personal Information with Personal Information received from other sources except as permitted under the CCPA/CPRA. Roushan certifies that it understands and will comply with these restrictions.
16. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any party’s liability where such limitation is prohibited by Applicable Data Protection Law (including under Article 82 GDPR).
17. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails. The SCCs prevail over this DPA where they conflict.
18. Governing Law
Except where Applicable Data Protection Law requires the application of EU member state, UK, or Swiss law (in which case that law applies to the corresponding provisions), this DPA is governed by the laws of the State of Delaware, USA, without regard to its conflict-of-laws rules.
19. Operating Entity & Contact
MailMolt is operated by Roushan Inc, a Delaware corporation. Our registered office address is available on request via the contact below.
legal@mailmolt.com · dpo@mailmolt.com
For a countersigned PDF, email legal@mailmolt.com with your entity name, signatory, and Account email; turnaround is within 5 business days.