What are DPA clauses that must exist between sender and ESP?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you're sending email to EU residents, your relationship with your ESP isn't just commercial, it's also a data processing arrangement governed by GDPR. You're the data controller (you decide what data to collect and why). Your ESP is the data processor (they process it on your behalf). Article 28 of GDPR requires a written agreement between you, called a Data Processing Agreement, or DPA.
Most major ESPs (Mailchimp, Brevo, Klaviyo, etc.) have their DPA baked into their Terms of Service or available on request. But you should check what's actually in it. Here's what GDPR requires the DPA to cover:
Processing scope: What data is being processed, for what purpose, for how long, and which categories of people it involves (your subscribers).
Security obligations: What technical and organizational measures the ESP has in place to protect your data. Not vague language. You should see actual references to encryption, access controls, and incident response.
Sub-processor rules: Your ESP probably uses third-party services (CDNs, hosting providers, analytics tools). The DPA should require them to notify you before adding new sub-processors and to apply equivalent data protection standards.
Data subject rights: When a subscriber asks you for their data or requests deletion, you'll often need your ESP's help to fulfill that request. The DPA should obligate them to assist.
Return or deletion: What happens to your subscriber data when you leave the ESP. They should return it to you in a usable format and delete their copies.
If your ESP doesn't have a DPA available or hasn't signed one, that's a problem under GDPR. Our SOS line can help you navigate the conversation if you're unsure.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.