What are DPA clauses that must exist between sender and ESP?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you're sending email to EU residents, your relationship with your ESP isn't just commercial, it's also a data processing arrangement governed by GDPR. You're the data controller (you decide what data to collect and why). Your ESP is the data processor (they process it on your behalf). Article 28 of GDPR requires a written agreement between you, called a Data Processing Agreement, or DPA.

Most major ESPs (Mailchimp, Brevo, Klaviyo, etc.) have their DPA baked into their Terms of Service or available on request. But you should check what's actually in it. Here's what GDPR requires the DPA to cover:

Processing scope: What data is being processed, for what purpose, for how long, and which categories of people it involves (your subscribers).

Security obligations: What technical and organizational measures the ESP has in place to protect your data. Not vague language. You should see actual references to encryption, access controls, and incident response.

Sub-processor rules: Your ESP probably uses third-party services (CDNs, hosting providers, analytics tools). The DPA should require them to notify you before adding new sub-processors and to apply equivalent data protection standards.

Data subject rights: When a subscriber asks you for their data or requests deletion, you'll often need your ESP's help to fulfill that request. The DPA should obligate them to assist.

Return or deletion: What happens to your subscriber data when you leave the ESP. They should return it to you in a usable format and delete their copies.

If your ESP doesn't have a DPA available or hasn't signed one, that's a problem under GDPR. Our SOS line can help you navigate the conversation if you're unsure.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a personalized explanation for your specific email setup.

I need to review my DPA with my ESP for GDPR compliance. My setup: [describe your ESP, your business location, audience location, and any specific concerns like sub-processors or data breach response]. Which clauses am I most likely to be missing, and are there any red flags I should look for in standard ESP DPAs?

Edit the yellow boxes, then send to the AI of your choice.