This Data Processing Agreement ("DPA") is part of the agreement between Lewsnetter ("Processor," "we") and you ("Controller," "Customer") governing your use of Lewsnetter. It describes how we process subscriber personal data on your behalf in compliance with GDPR, the UK GDPR, and equivalent regimes.
By using Lewsnetter, you accept this DPA. If your organization requires a signed copy, email [email protected] — we'll counter-sign your template or provide ours.
1. Roles
- Controller: you. You determine the purpose + means of processing your subscriber data.
- Processor: us. We process the data solely on your instructions, as configured through the Service.
2. Subject matter + duration
We process your subscriber data for the purpose of providing the email-marketing Service: storing audience records, rendering campaigns, dispatching email through your own AWS SES account, and tracking delivery + engagement metrics. Processing lasts for the duration of your account.
3. Nature + categories of data
- Data subjects: the end recipients of your campaigns (your subscribers).
- Categories of personal data: email address (encrypted at rest), name (encrypted at rest), external ID, custom attributes you choose to push, subscription state, opt-in/opt-out timestamps, bounce/complaint timestamps, send + engagement counters.
- Special categories: none, unless you choose to push them via custom_attributes — which you should not do without explicit consent + a lawful basis.
4. Our obligations as Processor
We will:
- Process personal data only on your documented instructions, including transfers outside your jurisdiction.
- Ensure personnel authorized to process the data are under confidentiality obligations.
- Maintain the security measures listed in Section 7.
- Engage sub-processors only with general authorization; notify you at least 14 days before adding a new sub-processor (you can object via email).
- Assist you in responding to data-subject requests (access, deletion, etc.).
- Notify you of any personal-data breach without undue delay (target: 72 hours).
- Return or delete all personal data after termination of the Service, except as required by law.
- Make available all information necessary to demonstrate compliance + allow audits (see Section 9).
5. Your obligations as Controller
- You have a lawful basis (consent, contract, legitimate interest) for every subscriber record you upload.
- You provide subscribers with a privacy notice that covers Lewsnetter's role.
- You respond to data-subject requests directed at you; we will assist for requests directed at us.
- You configure data-deletion + retention through the API as your obligations require.
6. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Application hosting + primary database | USA (Ashburn, VA) |
| Cloudflare, Inc. | DNS, CDN, TLS termination, R2 backup storage | Global edge |
| GitHub, Inc. | Container registry for deployment images | USA |
When you connect your own Amazon SES credentials, AWS becomes your sub-processor for the outbound email leg — not ours. We have no contractual relationship with AWS in that flow; you do.
7. Security measures
- Encryption in transit: TLS 1.2+ on all connections, end-to-end via Cloudflare's Full (strict) SSL/TLS mode.
- Encryption at rest: subscriber email + name encrypted with AES-GCM (Rails ActiveRecord Encryption); customer SES credentials encrypted with the same scheme; backups encrypted at rest in Cloudflare R2.
- Access control: production access limited to maintainers; SSH key-based; multi-factor on the cloud control planes.
- Logging: request logs retained 30 days; access logs for incident investigation.
- Vulnerability monitoring: GitHub Dependabot scans for known CVEs in dependencies.
- Backup integrity: Litestream streams the SQLite WAL to R2 continuously; on cold start the app restores from R2.
8. International transfers
Primary processing happens in the USA. For Customers in the EU/UK, transfer to the USA relies on Standard Contractual Clauses, which we will execute on request.
9. Audits
On reasonable notice + during business hours, you may audit our compliance with this DPA. We will respond to reasonable questionnaire requests in lieu of an on-site audit. The Customer covers audit costs unless material non-compliance is found.
10. Breach notification
If we become aware of a personal-data breach affecting your data, we will notify you without undue delay (target: 72 hours) at the account holder's email. The notification will include: the nature of the breach, categories + approximate number of records affected, likely consequences, and measures taken or proposed to mitigate its effects.
11. Liability + indemnity
Liability under this DPA is governed by the Terms of Service. Nothing here creates additional liability beyond what's required by applicable data-protection law.
12. Term
This DPA enters into force when you begin using the Service and continues until your account is terminated and your data is deleted in accordance with Section 4.
13. Contact
Data Protection inquiries: [email protected].