When you use our services you entrust us with your valuable information. We have made it a priority to protect your data and to provide you with choices about controlling it. We understand that there are particular concerns from companies in the EU about how we use and protect your data, so we put this page together as a guide to answer some of the most common questions you may have.
Postmark's primary data and servers are hosted at ServerCentral's data center (located outside of Chicago). We currently don't have plans to add servers in the EU (GDPR does not require physical servers in the EU).
A DuPont Fabros facility, the ServerCenter data center is Type 2 SSAE 16 SOC 1 accredited and includes keycard protocols, biometric scanning protocols and round-the-clock surveillance. Our environment is colocated, meaning we have full control of the physical environment and only our policies affect the access and use of the hardware, network and software. We provide multiple levels of backups and redundancy to ensure uptime and peace of mind. Data transferred from our customers to our servers is encrypted via SSL that is configured to meet or exceed all industry standards. Cold data at rest is encrypted with 2048-bit RSA.
Even though Postmark itself has not undergone a SOC audit, our data center has. We can provide a copy of the SOC report for the data center after completing an NDA.
We use technical and physical controls designed to prevent unauthorized access to your personal data. We restrict access to personal data only to our employees, contractors and agents who need to know this information in order to operate, develop or improve our service. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
All access to the Postmark interface is secured over SSL (HTTPS), ensuring the information is encrypted. Our SSL configurations are regularly and automatically scanned to ensure we can quickly remediate any vulnerabilities discovered, such as Heartbleed. Additionally, we provide both TLS and HTTPS connections to the Postmark SMTP and API services, ensuring emails sent to the service are encrypted. Account passwords are encrypted in the Postmark database, preventing even our own staff from viewing them. We offer a method to recycle API keys at anytime in the Postmark interface.
For even more detailed information about our security practices, you can review this help doc.
As described on our feature pages, Postmark collects and retains content and metadata for all emails for 45 days to give customers the ability to access their full message history during that time.
After 45 days, original email content and metadata are removed from our system. For bounce reports the original email content is also removed after 45 days, but metadata and the content of the actual bounce message are retained for up to 1 year to enable troubleshooting.
After this time the bounce message content and some metadata are removed, but we retain certain fields like Recipient, Subject, Sender, Date, and Bounce details indefinitely for compliance purposes. This is essential data for accurate spam and delivery monitoring, and to have a record in circumstances where end users ask about why/how they are getting emails from certain companies.
We comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework with respect to the transfer of personal data from the EEA or Switzerland, to our servers which are located In the US.
These frameworks were designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EEA and Switzerland to the United States.
Using the EU US Privacy Shield Framework for data transfers from the EU to the US was approved on July 12, 2016 for the EU and on July 8, 2017 for the EEA. It was approved for transfer from Switzerland to the US on January 12, 2017. You can view our current certification here: https://www.privacyshield.gov/...
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws). It came into effect on May 25, 2018.
GDPR adds some new requirements regarding how companies should protect individuals' data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches.
Our compliance, data protection, and information security teams have been working to prepare our services for GDPR. In our role as the Data Processor of your customer and end user information, we have provided a Data Processing Agreement, meeting with the requirements of GDPR. You can find it here.
We have worked hard to meet our obligations as a processor under Article 28 of GDPR. To this end:
As guidance about specific aspects of GDPR continues to be published, we will also continue our efforts to fine tune and improve our compliance.
Like the Data Protection Directive that is presently in effect, GDPR includes provisions on international data transfer mechanisms. In order to comply with these provisions we have certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism that had been approved for cross border transfer of personal data under the Directive and expected to apply under GDPR as well.
We have also worked with legal counsel to create a standard Data Processing Addendum (DPA), which meets with GDPR requirements for agreements between Data Controllers (you) and Data Processors (us). This outlines in detail our current security practices. To receive and sign a copy of our DPA, please visit the Data Processing Addendum tab on this page.
No. Under GDPR a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU. We have certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to satisfy this requirement (more detail in the Privacy Shield tab), and also offer a Data Processing Addendum (DPA) to all customers who require it (see below information about cross border data transfers).
As of now our intention is to service DSR requests (such as delete and export) manually. If you have an account with us, you may access, correct, or request that we delete your personal data by contacting us at firstname.lastname@example.org.
This request can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within 14 days or less, which is well within the GDPR requirement of 30 days.
We chose the UK as a reasonable location for GDPR enforcement, and will reassess in 2019 before Brexit takes effect. The UK is hoping for a unique status under GDPR and are working towards it. For the time being the UK has declared it will be GDPR compliant and its new data protection bill is in line with GDPR.
We are are happy to answer any questions and address any concerns regarding how we protect your personal data in general, as well as specifically under GDPR. If you have any questions, please don't hesitate to contact us at email@example.com.
We offer data processing addendums (DPAs) for our customers that operate in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our clients. You can see a sample of the addendum here.
To ensure no inconsistent or additional terms are imposed on us beyond that reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs. As a small team we also can’t make individual changes to our DPA since we don't have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back and forth discussion that would be cost prohibitive for our team.
Once you complete this form, the addendum will be signed electronically by both parties, and become legally binding. A copy of the signed addendum will be emailed to you. Drop us a line if you have any questions.
We share certain information with companies that may be considered our "sub-processors" under GDPR. This information is limited to the following:
Below is a full list of our sub-processors.
|Server Central||Infrastructure hosting|
|Amazon Web Services||Cloud infrastructure hosting|
|Packet||Cloud infrastructure hosting|
|Digital Ocean||Cloud infrastructure hosting|
If you would like to be notified when we start working with a new company that may be considered a "sub-processor", you can sign up below. We will only use your email to send notifications about new sub-processors.