one-email← Back to home← Back
DefinitionsScope of ProcessingData LocationSub-processorsSecurity MeasuresData Subject RightsData Breach NotificationTerm and Termination

Data Processing Agreement

Last updated: March 14, 2026

Summary: When you use One-Email, we process personal data (email addresses and content) on your behalf. This DPA outlines how we handle that data in compliance with GDPR.

1. Definitions

“Controller” refers to you, the customer. “Processor” refers to One-Email. “Personal Data” means any data relating to an identified or identifiable natural person processed through the Service.

2. Scope of Processing

One-Email processes personal data solely to provide the email delivery Service. This includes email addresses (sender and recipient), email content, delivery metadata, and engagement data (opens, clicks). Processing occurs only upon your instructions via API calls.

3. Data Location

All personal data is processed and stored within the European Economic Area. SMTP infrastructure is located in Falkenstein, Germany. Database infrastructure is hosted in the EU via Neon. No personal data is transferred outside the EEA.

4. Sub-processors

We use the following sub-processors:

  • Hetzner (Germany) — SMTP server hosting
  • Cloudflare (EU edge) — API gateway and queue processing
  • Neon (EU) — Database hosting
  • Polar — Billing processing
  • AWS SES (EU) — Fallback email delivery only

We will notify you at least 30 days before engaging a new sub-processor.

5. Security Measures

We implement appropriate technical and organizational measures including: encryption in transit (TLS 1.3), encryption at rest, access controls, audit logging, regular security reviews, and incident response procedures.

6. Data Subject Rights

We will assist you in responding to data subject requests (access, rectification, deletion, portability, restriction, objection) to the extent technically feasible. Requests should be directed to privacy@one-email.com.

7. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and no later than 48 hours after becoming aware. Notification will include the nature of the breach, data affected, and remedial actions taken.

8. Term and Termination

This DPA remains in effect for the duration of the Service agreement. Upon termination, we will delete all personal data within 30 days unless retention is required by law.

Other documents
Terms of ServicePrivacy PolicyAcceptable Use