This Data Processing Agreement (DPA) is provided for informational purposes and forms part of the agreement between you (“Customer,” the data controller) and DEFROST LLC (“Defrost,” the data processor) when you use Defrost. Customers requiring a counter-signed DPA should email legal@defrostmail.com — we'll send a version executable under your jurisdiction's legal regime.
1. Roles and definitions
For all personal data you submit through Defrost (e.g. cold-email recipient details, campaign copy, ICP definitions), you are the data controller and Defrost is the data processor. Capitalized terms not defined here have the meaning given in GDPR Article 4.
2. Subject matter, nature, purpose, and duration
Nature and purpose of processing: Defrost is a cold-email outreach automation platform. We process personal data on your behalf to research your prospects, draft and personalize outbound email copy, schedule and throttle sends through your own mailbox, and report engagement metrics back to you. The processing is necessary to deliver the contracted service.
Duration: Defrost processes personal data on your behalf for the duration of your active subscription. Processing terminates when your account is cancelled, subject to the hard-delete window and backup-erasure horizon described in our privacy policy and in Section 7.1 and Section 10 below (production hard-delete within 30 days of cancellation; permanent removal from backups within 37 days at the latest).
3. Categories of data subjects and personal data
Data subjects fall into two categories:
- Recipients (prospects): business contacts you target with outbound campaigns — typically professionals at organizations you have a legitimate business reason to contact. Defrost is not designed for B2C messaging or consumer-targeted outreach.
- Users (your team): the individuals on your team who hold a Defrost account, sign in, or operate a connected mailbox. Examples: account-holder email, authentication identifiers, OAuth refresh tokens for your connected Gmail / Microsoft 365 / IMAP mailbox, two-factor secrets, audit-log actor records.
Categories of personal data we process:
- Recipient data: work email address, name, role/title, employer, firmographic enrichment (company size, industry, location), publicly available context (e.g. recent press, blog activity), email engagement events (open / click / reply / bounce / unsubscribe), unsubscribe state.
- User data: account email, hashed password (or SSO/OAuth identifier), two-factor authentication secrets, session cookies, OAuth refresh tokens for connected mailboxes, mailbox credentials (when IMAP/SMTP is used in place of OAuth — stored AES-256-GCM encrypted), SMTP/IMAP server addresses, audit-log records of administrative actions.
- Content data: campaign copy and templates you author, ICP definitions, system prompts, reply text from prospects when surfaced into your inbox.
OAuth pass-through providers: when you connect a Gmail / Google Workspace or Microsoft 365 mailbox, your prospect mail content traverses your mailbox provider (not a Defrost-owned transport). For that subset of processing, your mailbox provider is the data processor — see Sub-processors for the full explanation.
4. Defrost's obligations
Defrost will:
- Process personal data only on documented instructions from you (your subscription, account configuration, and these terms).
- Ensure personnel with access to personal data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organizational measures to protect personal data — see Section 7.
- Provide reasonable assistance to help you respond to data subject requests under applicable law.
- Notify you without undue delay (and within 72 hours) after becoming aware of a personal data breach affecting your data.
- Make available all information necessary to demonstrate compliance with this DPA.
5. Customer's obligations
You warrant that:
- You have a lawful basis for processing the personal data you submit (e.g. legitimate interest, consent).
- You have provided required notices to data subjects, where applicable.
- You will honor unsubscribe requests within the timelines required by applicable law.
- You will not submit special-category personal data (health, biometric, etc.) — Defrost is not designed for it.
6. Sub-processors
Defrost engages the following sub-processors to deliver the service. The authoritative, always-current list with data-location and purpose detail is published at Sub-processors; the list below is reproduced here for the executable record.
- Anthropic — LLM inference (research, copy generation, classification).
- AWS SES — Defrost-owned transactional system mail (account verification, billing receipts, team invites, digests, usage alerts). Not used for cold/prospect mail.
- Resend — Transactional system mail only. A runtime sentinel rejects any attempt to route prospect mail through Resend.
- Postmark — Emergency system-mail failover transport. System mail only; the same prospect-mail sentinel applies.
- Mailreef (Mailreef LLC, Philadelphia, PA, USA) — Managed outbound email transport for the managed-relay cold-outreach path (recipient contact data + IP/connection metadata; US/AWS-hosted; independent SOC 2 Type 2 renewed annually; Article 28 DPA in force under EU/UK SCCs + Swiss FADP + EU-US Data Privacy Framework; breach notification within 3 business days). Live — the sole transport for managed-relay cold-outreach mail.
- Dynadot (Dynadot LLC, San Mateo, CA, USA; ICANN-accredited registrar IANA #472) — Domain registrar and authoritative DNS for the managed-relay sending domains you purchase through Defrost. Processes the registrant contact details ICANN requires (name, organization, postal address, email, phone) and hosts the domain's DNS records, including the per-customer DKIM, SPF, MX, and DMARC records that authorize managed-relay sending. US-hosted.
- Supabase — Primary database (Postgres with Row-Level Security), authentication, file storage.
- Vercel — Hosting, edge runtime, CDN.
- MillionVerifier — Email address verification (EU-hosted).
- ZeroBounce — Email address verification.
- NeverBounce — Email address verification.
- Stripe — Subscription billing and payment processing (engaged when self-serve billing ships; current Enterprise customers are invoiced without Stripe involvement).
We notify you 30 days in advance of any change to this list (new sub-processor, change in data location, change in purpose). Where you object to a new sub-processor on reasonable grounds, you may terminate the affected service for the remainder of your billing period.
We require every sub-processor to enter into a written agreement at least as protective as this DPA, including the obligation to flow down equivalent technical and organizational measures and breach-notification timelines.
OAuth pass-through providers (Google / Microsoft) are not sub-processors in the traditional sense — when you connect your own mailbox, your prospect mail leaves your account under your provider's Terms of Service, not Defrost's. The Sub-processors page explains this in detail.
7. Security measures
Defrost maintains, at minimum, the following technical and organizational measures:
- Encryption at rest: AES-256-GCM for sensitive secrets — API keys, mailbox SMTP/IMAP credentials, OAuth refresh tokens, DKIM private keys, webhook signing secrets. Encrypted columns are REVOKE'd from the application's authenticated database role and accessible only via service-role server code.
- Encryption in transit: TLS 1.2 or higher for all API, database, and webhook connections.
- Multi-factor authentication (MFA): available on every customer account; required for Defrost engineering access to production.
- Tenant isolation: Row-Level Security policies in our Postgres database — workspace-isolated by default; cross-tenant queries blocked at the database layer, not just the application layer.
- Audit logging: administrative actions (auth events, SCIM/SAML provisioning, secret rotation, mailbox add/remove, two-factor changes, password changes, OAuth disconnect) are recorded in an append-only audit-events log with actor, action type, and timestamp.
- Least privilege: engineering access to production is scoped by role and gated by short-lived tokens; standing production access is the exception, not the default.
- Backups: Supabase Postgres point-in-time recovery (PITR) — see Section 7.1 for the explicit RPO/RTO/retention targets.
- Vulnerability management: regular dependency-update scans (npm audit, Dependabot) and platform-level vulnerability scanning; security patches applied per severity SLAs.
- Rate-limiting and abuse prevention: per-IP and per-organization rate limits on authentication, billing, and high-cost endpoints; LLM-spend caps per-organization to prevent runaway cost.
- Independent assurance: penetration-test summaries available to Enterprise customers on request.
7.1 Backup windows, RPO, and RTO
Defrost relies on Supabase Postgres point-in-time recovery (PITR) for the production database. The following targets are operational SLOs against which the platform is regularly exercised — see the disaster-recovery restore-drill runbook for the procedure and quarterly cadence (docs/runbooks/RUNBOOK-dr-restore-drill.md).
- Backup cadence: continuous write-ahead-log (WAL) streaming with PITR granularity of approximately five minutes. Snapshots are retained for seven (7) days on our current Supabase tier, which is the standard PITR window for Supabase Pro.
- Recovery Point Objective (RPO): ≤ 15 minutes. In a worst-case data-loss scenario, no more than fifteen minutes of customer data would be unrecoverable from the most recent restore point. WAL granularity supports a tighter bound; we publish fifteen minutes as the safe SLO.
- Recovery Time Objective (RTO): ≤ 2 hours. From incident declaration to the application booted against last-known-good data, including PITR restore time, staging-project switchover, and a smoke-test login.
- Disaster-recovery drills: conducted quarterly per the runbook above. Each drill exercises a full production-dump → staging-restore → row-count verification (5 sentinel tables, ≤1% delta tolerance) → smoke-test login cycle, and an outcome report is archived for the auditor of record.
- Erasure against backups (GDPR Art. 17): data soft-deleted in the production database falls out of the PITR retention window within the backup-cadence period above (≤ 7 days), and is permanently unrecoverable from PITR thereafter. For customer-initiated workspace deletion, the production hard-delete completes within thirty (30) days of cancellation; combined with the PITR rollover, customer data is unrecoverable from production and backups within thirty-seven (37) days at the latest.
Customers requiring evidence of a recent drill outcome (for example, in support of their own audit or DPA review) may request a redacted drill report from legal@defrostmail.com.
8. International transfers and regional equivalents
Defrost's production hosting is in the United States (Supabase US-East, AWS us-east-1 primary / us-west-2 failover, Vercel global edge with US-anchored compute).
EEA, UK, and Swiss transfers: Where personal data is transferred from the EEA, UK, or Switzerland to the United States, we rely on the European Commission Standard Contractual Clauses (SCCs Module 2: Controller to Processor) and, where applicable, the EU-US Data Privacy Framework. For UK transfers we use the SCCs together with the UK International Data Transfer Addendum (IDTA). Customers requiring formal SCC or IDTA execution should email legal@defrostmail.com.
UK GDPR equivalent: the obligations of this DPA apply to UK GDPR equivalently to EU GDPR. References to “GDPR” should be read to include the UK GDPR and the UK Data Protection Act 2018 where applicable to your processing.
California (CCPA / CPRA) equivalent: where you are a business subject to the California Consumer Privacy Act / California Privacy Rights Act, Defrost acts as your service provider as defined by Cal. Civ. Code § 1798.140. Defrost (a) does not sell or share personal information, (b) processes personal information only for the business purposes specified in your subscription and configuration, (c) provides reasonable assistance with consumer rights requests (right to know, delete, correct), and (d) will not retain, use, or disclose personal information for any purpose other than the specified business purposes or as otherwise permitted by the CCPA. See our privacy policy for the consumer-facing CCPA section.
Other jurisdictions: for Canada (PIPEDA), Australia (Privacy Act / APPs), Brazil (LGPD), and other regimes with substantially equivalent processor obligations, the terms of this DPA apply with equivalent effect.
9. Audits
Defrost will respond to reasonable customer audit requests with summaries of recent penetration-test reports. On-site customer audits are available to Enterprise customers on 30 days' notice, no more than once per year, at the auditing customer's cost, scoped to the controls relevant to your processing.
10. Data return and deletion
On termination of the agreement, Defrost will, at your choice, return or delete all personal data we hold on your behalf within 30 days (subject to legal retention requirements). On request we'll provide a CSV/JSON export within that window.
11. Liability
Liability under this DPA is governed by the limitation-of-liability provisions in our Terms of Service.
12. Term and termination
This DPA takes effect on the date you accept the Terms of Service (or the date you first submit personal data to Defrost, whichever is earlier) and remains in effect for the duration of your subscription. On termination of the underlying agreement, the obligations in Section 7 (security measures), Section 8 (international transfers), and Section 10 (return and deletion) survive until all personal data we hold on your behalf has been returned or deleted as required.
13. Signatures
This DPA is incorporated by reference into the Terms of Service and is binding when you accept those terms or first submit personal data to Defrost — no separate signature is required for the standard form.
Customers requiring a counter-signed instrument (for example, to satisfy a procurement or compliance program) may request one from legal@defrostmail.com. The counter-signed version below uses the standard fields and is executable under your jurisdiction's legal regime. Defrost will counter-sign and return within ten (10) business days of receipt.
Data Processor: DEFROST LLC
By: ______________________________________
Name: ____________________________________
Title: ___________________________________
Date: ____________________________________
Data Controller (Customer):
Entity: __________________________________
By: ______________________________________
Name: ____________________________________
Title: ___________________________________
Date: ____________________________________
14. Contact
For DPA execution requests, audit reports, or data-protection inquiries: legal@defrostmail.com. For the full list of sub-processors and OAuth pass-through providers, see Sub-processors. For our consumer-facing privacy notice, see Privacy.