Data Processing Agreement
Last Updated: July 9, 2026 | Version 1.0
1. Parties
This Data Processing Agreement ("DPA") forms part of the RacterMX Terms of Service between:
- Data Controller: The organization subscribing to RacterMX services ("Customer")
- Data Processor: RacterHoldings LLC, operating the RacterMX platform ("Processor")
2. Scope and Purpose
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the RacterMX email forwarding, DNS hosting, and domain security management services as described in the service agreement.
2.1 Categories of Data Subjects
- Customer employees and authorized users of the platform
- Email senders whose messages are forwarded through the service
- Email recipients of outbound messages sent via SMTP credentials
2.2 Types of Personal Data Processed
- Email addresses (sender, recipient, forwarding destinations)
- Email metadata (subject lines, timestamps, message sizes, message IDs)
- IP addresses (hashed for privacy; not stored in plaintext)
- User account information (name, email, authentication data)
- DNS zone records (which may contain personal domain information)
- Audit log entries (user actions, timestamps)
2.3 Duration
Processing continues for the duration of the service agreement. Upon termination, data is handled per Section 9.
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process data have committed to confidentiality
- Implement appropriate technical and organizational security measures (Section 5)
- Not engage sub-processors without prior written authorization (Section 7)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with GDPR Articles 32-36
- Delete or return all personal data upon termination (Section 9)
- Make available information necessary to demonstrate compliance
4. Controller Obligations
The Controller shall:
- Ensure lawful basis for processing (legitimate interest, consent, or contractual necessity)
- Provide clear instructions to the Processor regarding data processing
- Ensure data subjects are informed about processing activities
- Comply with applicable data protection laws in their jurisdiction
5. Technical and Organizational Measures
The Processor implements the following security measures:
5.1 Encryption
- TLS 1.2+ encryption for all data in transit (web, API, SMTP)
- DKIM private keys encrypted at rest with dedicated encryption keys
- Anonymous reply proxy addresses encrypted (AES-256-CBC)
- API keys stored as irreversible SHA-256 hashes
- Passwords hashed with bcrypt (cost factor 12)
5.2 Access Control
- Role-based access control (RBAC) with domain-level permissions
- Multi-factor authentication (TOTP) with tenant-level enforcement
- Per-tenant database isolation (separate MySQL databases)
- API key scoping with 21 granular permission scopes
- IP allowlisting for API and dashboard access
5.3 Audit and Monitoring
- Tamper-proof audit logs with cryptographic hash chains
- Daily checksum verification of audit log integrity
- Per-request API logging with request IDs
- Automated mutation auditing for all write operations
5.4 Data Minimization
- IP addresses are hashed before storage (not stored in plaintext)
- Session IP addresses are nullified after authentication
- Configurable data retention periods (7-2,555 days)
- Automated deletion of expired data per retention policy
6. Data Location
All personal data is processed and stored in Iceland (EEA member via EFTA). Iceland provides an adequate level of data protection recognized by the European Commission. No personal data is transferred outside the EEA for processing purposes.
Third-party services that may receive limited data:
- Stripe (US) — Billing data only (name, email, payment method). Covered by Stripe's own SCCs and EU-US Data Privacy Framework certification.
6.1 Transfer Impact Assessment
This section documents the legal basis and safeguards for any personal data that leaves the EEA, as required by GDPR Chapter V (Articles 44-49).
EEA-Internal Processing (No Transfer Mechanism Required)
Iceland is a member of the European Economic Area (EEA) via the EFTA Agreement. Under GDPR Article 1(3) and the EEA Agreement, data flows between EU/EEA Member States do not constitute "transfers to third countries" and require no additional safeguards. All primary data processing — including storage, computation, email routing decisions, DNS hosting, and audit logging — occurs exclusively on infrastructure located in Reykjavík, Iceland.
Transfers to Third Countries
| Recipient | Country | Data | Legal Basis | Safeguard |
|---|---|---|---|---|
| Stripe, Inc. | United States | Billing name, email, payment method | Art. 45 (Adequacy) | EU-US Data Privacy Framework (DPF). Stripe certified. Supplemented by Stripe's own SCCs. |
| Let's Encrypt (ISRG) | United States | Domain names only (for certificate issuance) | Art. 49(1)(b) (Contractual necessity) | Domain names are not personal data. No personal data transferred. |
Email Forwarding — Controller-Instructed Transfers
When the Processor forwards email messages to destinations specified by the Controller (e.g., forwarding aliases to Gmail, Outlook, or other mailbox providers), these transmissions are performed on the Controller's documented instruction per GDPR Article 28(3)(a). The Controller determines the forwarding destinations; the Processor executes the instruction.
This is equivalent to a Controller directly sending an email to a recipient — the mail transport protocol (SMTP) inherently routes messages across jurisdictions. The Processor does not select, control, or influence the destination. No additional transfer mechanism (SCCs, BCRs) is required for Controller-instructed forwarding, consistent with industry practice for all email service providers.
Supplementary Measures
- All data in transit is encrypted via TLS 1.2+ (SMTP STARTTLS, HTTPS)
- MTA-STS enforcement prevents TLS downgrade attacks during email transit
- No personal data is stored outside the EEA — only transited during forwarding
- IP addresses are hashed before any logging (not exposed to sub-processors)
- The Processor has received no government access requests and maintains a Warrant Canary
UK Transfers
For UK-based Controllers: Iceland is covered by the UK's post-Brexit adequacy regulations (The Data Protection (Adequacy) (EEA) Regulations 2019). No International Data Transfer Agreement (IDTA) or UK Addendum to SCCs is required for UK→Iceland transfers.
7. Sub-Processors
The Processor uses the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and billing | United States (DPF certified) |
| 1984 Hosting (Hringdu ehf.) | Infrastructure hosting (VPS) | Iceland (EEA) |
| Let's Encrypt (ISRG) | TLS certificate issuance | United States (public CA) |
The Controller will be notified at least 30 days before any new sub-processor is engaged. The Controller may object to a new sub-processor within 14 days of notification.
8. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject requests including:
- Access (Art. 15) — Compliance export provides full data portability
- Rectification (Art. 16) — User and alias data can be updated via dashboard or API
- Erasure (Art. 17) — Account deletion service with cascading cleanup
- Portability (Art. 20) — JSON export, CSV alias export, Terraform DNS export
- Restriction (Art. 18) — Domains and aliases can be deactivated without deletion
Requests will be actioned within 72 hours of receipt.
9. Data Return and Deletion
Upon termination of the service agreement:
- The Controller may export all data via the Compliance Export (ZIP) or API within 30 days
- After 30 days, all personal data in the tenant database will be permanently deleted
- Backup copies will be purged within 90 days of termination
- Audit logs may be retained for up to 365 days for legal compliance purposes
10. Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and within 72 hours of becoming aware
- Provide details of the nature of the breach, categories of data affected, and approximate number of data subjects
- Describe measures taken or proposed to address the breach
- Assist the Controller in notifying the supervisory authority and affected data subjects where required
11. Governing Law
This DPA is governed by the laws of Iceland and the General Data Protection Regulation (EU) 2016/679. The competent supervisory authority is the Icelandic Data Protection Authority (Persónuvernd).
12. Contact
For DPA inquiries, data subject requests, or breach notifications:
RacterHoldings LLC
Data Protection Contact: privacy@ractermx.com