Skip to content
You're offline
MailFLowMailFLow
Get Started

Legal

Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Wavelength Technology (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) for the use of MailFLow services.

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person, including email content, email metadata, and account information.

“Processing” means any operation performed on Personal Data, including collection, storage, analysis, and deletion.

2. Scope of Processing

We process Personal Data only:

  • To provide the MailFLow email intelligence service
  • As instructed by you through your use of the service
  • To comply with applicable law

3. Data Categories

We process the following categories of Personal Data:

  • Email content: Subject lines, body text, attachments metadata
  • Email metadata: Sender, recipients, timestamps, labels
  • Account data: Name, email address, authentication tokens
  • Usage data: Feature usage, preferences, interactions

4. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments
  • Employee security training
  • Incident response procedures

5. Sub-processors

We use the following sub-processors:

  • Google Cloud Platform: Infrastructure and data storage (US)
  • OpenAI: AI processing for email analysis (US)
  • Clerk: Authentication services (US)
  • Stripe: Payment processing (US)

We maintain contracts with all sub-processors that provide equivalent data protection.

6. Data Subject Rights

We will assist you in responding to data subject requests including access, rectification, erasure, and portability requests. Contact us at privacy@wavelengthtechnology.com.

7. Data Retention

We retain Personal Data only for as long as necessary to provide the service. Upon account deletion, all Personal Data is permanently deleted within 30 days.

8. International Transfers

Personal Data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers.

9. Audit Rights

Upon reasonable notice, you may audit our data processing practices or request documentation demonstrating compliance with this DPA.

10. Breach Notification

We will notify you of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware of the breach.

Contact

For questions about this DPA, contact our Data Protection Officer at privacy@wavelengthtechnology.com

Need a signed DPA?

Enterprise customers can request a countersigned copy of this DPA. Contact legal@wavelengthtechnology.com