HighConvertingEmails
TemplatesToolsPricingBlog
Sign inTry free
HighConvertingEmails

AI email copywriter and optimizer. Rewrite, score, and ship higher-converting emails in seconds.

Product
  • Pricing
  • Try free
  • Tools
  • Templates
Resources
  • Blog
  • Email examples
  • Subject lines
  • API docs
Company
  • About
  • Contact
Legal
  • Privacy
  • Terms
  • DPA
  • Acceptable use
© 2026 HighConvertingEmails.com
This is a working draft template. For execution, request a counter-signed copy by emailing legal@highconvertingemails.com. Have your counsel review before relying on it.

Data Processing Agreement

Last updated: 2026-05-27.

1. Definitions

"Controller," "Processor," "Personal Data," "Data Subject," and "Processing" have the meanings given in the GDPR (Regulation (EU) 2016/679). The Controller is the Customer; the Processor is HighConvertingEmails.

2. Subject matter and duration

The subject of the Processing is the Personal Data submitted by the Customer to the Service. The duration of the Processing is the term of the Customer's subscription, plus a 30-day retention window after termination.

3. Nature and purpose of processing

We Process Personal Data solely to provide the Service to the Customer — including generation, scoring, and storage of email content; account management; and billing operations. We do not Process Personal Data for our own marketing or to train AI models.

4. Categories of data and data subjects

Categories of Personal Data: identifiers (name, email), professional details (role, company), usage data, and any Personal Data contained in email content the Customer submits.
Categories of Data Subjects: Customer's employees, contractors, and Customer's own email recipients (where Customer-submitted emails contain such data).

5. Sub-processors

The Customer authorizes us to engage the sub-processors listed on our Privacy Policy, including Anthropic (AI), Stripe (payments), Resend (transactional email), PostHog (analytics), and Sentry (error tracking). We will give 30 days' notice before engaging new sub-processors; the Customer may terminate this DPA without penalty if they object to a new sub-processor.

6. International data transfers

Where Personal Data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) as the transfer mechanism, supplemented by appropriate technical and organizational measures.

7. Security measures

We implement appropriate technical and organizational measures, including encryption in transit (TLS 1.3), encryption at rest (AES-256), access controls, regular backups, and audit logging.

8. Data subject rights and breach notification

We will assist the Customer in responding to Data Subject requests as required by Articles 12–22 of the GDPR. We will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer data.

9. Return or deletion of data

On termination of the underlying agreement, at the Customer's choice, we will return or delete all Personal Data unless retention is required by applicable law. The Customer may export data via the account export functionality at any time during the agreement.

10. Audit and compliance

We will make available all information necessary to demonstrate compliance with this DPA, and will allow for audits (including inspections) conducted by the Customer or an auditor mandated by the Customer. For practical reasons, we ask that audits be coordinated in advance, conducted no more than once per year except in case of a documented compliance concern, and conducted under reasonable confidentiality arrangements.