Data processing agreement (DPA)
This document is part of your contract for the Flywheel service. It should be read with the General Data Protection Regulation (EU) 2016/679 (GDPR). In a typical use case, you (the business that holds the account) are the controller of personal data in the messages and lists you use with the service, and Sleinir ApS is a processor in respect of processing on your documented instructions in the terms of service, in this DPA, in the product, and in requests you make to our support.
Data processor (contact for this DPA): Sleinir ApS, Søledsvej 41, 4684 Toksværd, Denmark. General privacy contact and supervisory information are in the privacy policy.
In force: 24 April 2026 · Version 1.0.0
Table of contents
- Subject matter, duration, nature, and purpose of processing
- Roles (controller and processor)
- Our obligations as processor
- Your instructions and your obligations as controller
- Sub-processors and changes
- Transfers outside the EEA
- Deletion and return of data at end of service
- Security
- Personal data breach notification
- Support for your compliance
- Audits and information
- Liability in connection with this DPA
Subject matter, duration, nature, and purpose of processing
Subject matter is the hosted service that allows you to send transactional email and to manage related sending and reputation through your account. Duration of processing is the time your agreement runs, plus a reasonable wind-down in which we complete deletion or return as in this DPA. Nature and purpose of processing include operating the product, delivering the messages and data you submit, bounces and complaints handling, fraud and abuse prevention, invoicing, and support when you contact us. The categories of data and the end users you affect depend on your own use. You are responsible for legal compliance in how you use the product.
Roles (controller and processor)
You are the controller for the processing in your use of the service, to the extent the GDPR and national law assign you that role. Sleinir ApS is a processor in respect of processing on your instructions as set out in the terms of service, this DPA, the settings you use in the product, and tickets you file. We are a separate controller in respect of some processing of your own data as our customer, as described in the privacy policy.
Our obligations as processor
We process personal data on your documented instructions in the terms of service, this DPA, your in-product settings, and your tickets, unless the law to which we are subject requires otherwise. If the law requires processing without your instructions, we will inform you, except when the law prohibits that in a concrete case.
Your instructions and your obligations as controller
You warrant that your sending and the data you provide are lawful and that you are entitled to give the processing instructions you give. You remain responsible for e-privacy and direct marketing rules, end-user rights where the law addresses you as controller, and for transfers you make in a way that conflicts with your own obligations as controller.
Sub-processors and changes
We use sub-processors to deliver the service, including for hosting, payment processing, and other infrastructure we need. The current sub-processor list shows who they are, how we notify you of changes, and the chance to object where the law and our main terms give you one. We bind sub-processors with terms that meet the expectations of Article 28(3) of the GDPR in substance.
Transfers outside the EEA
If personal data is transferred to a country without an adequacy decision, we use a permitted mechanism in Chapter V of the GDPR (for example, Standard Contractual Clauses). Details of which tool we use for which sub-processor are available in the documentation for your order or on request.
Deletion and return of data at end of service
When your agreement ends, or you instruct us in line with the terms of service, we delete or return personal data in our control within reasonable delays for this kind of service, having regard to our suppliers’ backup and archive cycles.
Security
We implement appropriate technical and organisational measures under Article 32(1) GDPR for our role as processor, including access controls, encryption in transit and at rest where appropriate, and incident handling procedures appropriate to a hosted email sending service of this class.
Personal data breach notification
We notify you without undue delay after we become aware of a personal data breach that affects the processing we carry out for you, with the information the GDPR (Articles 33–34) and good practice would expect a processor to make available, unless the breach is unlikely to result in a risk to natural persons.
Support for your compliance
We assist you, taking into account the nature of processing, with reasonable requests that help you meet your obligations in respect of security, data protection impact assessments, prior consultation with an authority, and the rights of data subjects, in each case in so far as the GDPR and our contract expect from a processor.
Audits and information
On reasonable written request and with reasonable prior notice, we make available the information and copies of the audit reports that demonstrate compliance with the obligations in Article 28(3) GDPR (including certification if an appropriate certification is maintained), or we allow a mutually agreed and proportionate audit by you or a mandatary you name under an appropriate confidentiality agreement, in line with the terms of the main service agreement and industry practice for SaaS.
Liability in connection with this DPA
Liability under or in connection with this DPA is subject to the terms of service and to the GDPR, including Article 82 on processing in the context of a processing activity by a controller and processor, as applied by a competent court or authority in a relevant jurisdiction. Nothing here is a waiver of rights that the law does not allow to be limited.