Data Processing Addendum
The processor terms enterprise buyers, security teams, and DPOs actually ask for — GDPR Article 28, SCCs, sub-processor commitments, and annexes.
Last updated: 2026-01-15
How to execute this DPA
This DPA is pre-signed by Mailers.io, Inc. By accepting the Terms of Service, or by using the Service on behalf of a Controller, Customer is deemed to have executed this DPA with effect from the account creation date. For a counter-signed PDF for procurement, email [email protected].
1. Parties
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written agreement between Mailers.io, Inc. ("Mailers.io", "Processor") and the customer identified in the applicable order form or account registration ("Customer", "Controller"). It applies whenever Mailers.io processes Personal Data on behalf of Customer in connection with the Mailers.io service ("Service").
2. Definitions
"Applicable Data Protection Law" means the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and any other data protection or privacy laws applicable to the processing of Personal Data under this DPA. "Personal Data", "Controller", "Processor", "Data Subject", "Processing", "Sub-processor", and "Personal Data Breach" have the meanings given in the GDPR. "Standard Contractual Clauses" ("SCCs") means the clauses approved by Commission Implementing Decision (EU) 2021/914, Module Two (controller-to-processor), together with the UK International Data Transfer Addendum where required.
3. Roles & scope
In respect of Personal Data that Customer or its end users upload, submit, or route through the Service (including subscriber lists, campaign content, and sending telemetry), Customer is the Controller and Mailers.io is the Processor. Customer determines the purposes and means of processing. Mailers.io processes Personal Data only on documented instructions from Customer, which instructions are given through the Service, the Agreement, this DPA, and any additional written instructions consistent with them.
4. Subject-matter, duration, nature, and purpose
The subject-matter of the processing is the performance of the Service. The duration is the term of the Agreement, plus any period during which Mailers.io retains Personal Data in accordance with Section 11 (Return and deletion). The nature and purpose of the processing is to orchestrate and deliver email sends through sending providers connected by Customer, to provide analytics and reporting on those sends, and to secure and support the Service. Full processing details are set out in Annex I.
5. Processor obligations
- Process Personal Data only on Customer's documented instructions, including transfers to third countries, unless required to do so by law. Where such legal requirement applies, Mailers.io will inform Customer before processing, unless that law prohibits it.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organisational measures set out in Annex II to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
- Assist Customer, by appropriate technical and organisational measures and taking into account the nature of the processing, in responding to Data Subject requests under Chapter III of the GDPR.
- Assist Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to Mailers.io.
- Make available to Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits in accordance with Section 10.
- Immediately inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
6. Sub-processors
Customer provides a general authorisation for Mailers.io to engage Sub-processors to provide infrastructure, database, storage, email delivery, analytics, payment, and support services required to operate the Service. A current list of Sub-processors is set out in Annex III and maintained on the Mailers.io Trust page. Mailers.io will give Customer at least thirty (30) days' prior notice of any intended addition or replacement of Sub-processors via email or in-product notification, during which Customer may object on reasonable data-protection grounds. If the parties cannot agree on a resolution, Customer may terminate the affected parts of the Service without penalty. Mailers.io imposes on each Sub-processor data-protection obligations that are substantially equivalent to those set out in this DPA and remains liable for their acts and omissions.
7. International transfers
Customer acknowledges that Mailers.io may process Personal Data in countries outside the European Economic Area, the United Kingdom, or Switzerland. Where such transfers require a safeguard under Applicable Data Protection Law, the parties agree that: (a) the SCCs (Module Two, controller-to-processor) are incorporated by reference and deemed executed, with Clause 7 (docking), Clause 9(a) Option 2 (general authorisation for Sub-processors, thirty (30) days' notice), Clause 11 (independent dispute resolution) not elected, Clause 17 Option 1 (EU Member State law of the data exporter, or Ireland where no EU establishment), and Clause 18 (supervising courts aligned with Clause 17); (b) for transfers subject to the UK GDPR, the UK International Data Transfer Addendum (IDTA) to the SCCs is incorporated and executed on the same terms; (c) for transfers subject to the Swiss FADP, the SCCs apply with references to the GDPR and to the EU supervisory authority interpreted consistently with Swiss law. Annex I and Annex II of this DPA serve as Annexes I.A, I.B, and II of the SCCs.
8. Security
Mailers.io implements and maintains the technical and organisational measures described in Annex II, designed to ensure a level of security appropriate to the risk, including measures to preserve the confidentiality, integrity, availability, and resilience of processing systems and services and to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
9. Personal Data Breach notification
Mailers.io will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Mailers.io will cooperate with Customer in the investigation and remediation of the breach and in communications with Data Subjects and supervisory authorities as required.
10. Audit rights
Mailers.io will make available to Customer, on reasonable request and at most once every twelve (12) months (except where there is a reasonable belief of non-compliance or following a Personal Data Breach), information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audit reports (such as SOC 2 Type II or ISO 27001 where available) and responses to reasonable written questionnaires. Where Applicable Data Protection Law requires an on-site audit, it will be conducted under a separate written agreement, on reasonable prior notice, during normal business hours, without disrupting the Service, and subject to confidentiality obligations. Customer bears its own costs for audits and reimburses Mailers.io for time and resources beyond what is required by Applicable Data Protection Law.
11. Return and deletion
On termination or expiry of the Agreement, Mailers.io will, at Customer's choice, delete or return all Personal Data processed on behalf of Customer, and delete existing copies, unless retention is required by applicable law. Customer may export its data through the Service during the term and for a reasonable period after termination as described in the Terms of Service. Residual copies retained in routine backups will be deleted in accordance with Mailers.io's backup lifecycle and, while retained, remain subject to this DPA.
12. Data Subject requests
Taking into account the nature of the processing, Mailers.io will assist Customer by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of Customer's obligation to respond to requests for exercising Data Subject rights. If a request is made directly to Mailers.io, Mailers.io will, without undue delay, forward it to Customer and will not respond to the request itself unless authorised by Customer or required by law.
13. California Consumer Privacy Act
For Personal Data subject to the CCPA/CPRA, Mailers.io is a "Service Provider" and processes Personal Information only for the limited and specified business purposes set out in the Agreement. Mailers.io does not sell or share Personal Information, does not retain, use, or disclose it outside the direct business relationship with Customer, and does not combine it with Personal Information from other sources except as permitted by the CPRA regulations. Mailers.io will notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.
14. Liability & order of precedence
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
15. Changes to this DPA
Mailers.io may update this DPA from time to time to reflect changes in law, regulatory guidance, Sub-processors, or the Service. Material changes will be communicated through the Service or by email. Changes required by law take effect immediately.
Annex I — Processing details
A. List of parties
- Data exporter (Controller): Customer, as identified in the account or order form.
- Data importer (Processor): Mailers.io, Inc., reachable at [email protected].
B. Description of transfer
- Categories of Data Subjects: Customer's employees, contractors, customers, prospects, and newsletter subscribers whose Personal Data is uploaded, submitted, or processed through the Service.
- Categories of Personal Data: contact identifiers (name, email address, phone where provided), custom list fields supplied by Customer, message content, engagement telemetry (opens, clicks, bounces, complaints), IP address, user-agent, and timestamps.
- Special category data: none processed by design. Customer must not upload special category data unless separately agreed in writing.
- Frequency of transfer: continuous, for the duration of the Agreement.
- Nature of processing: collection, storage, transmission, routing to connected sending providers, analysis, reporting, and deletion.
- Purpose of transfer and further processing: provision of the Service as described in the Agreement.
- Retention: for the duration of the Agreement and any export window thereafter. Telemetry retention is plan-specific and documented in the Service.
- Transfers to Sub-processors: subject matter, nature, and duration match the processing described above.
C. Competent supervisory authority
- For EEA data subjects: the supervisory authority of the EU Member State where the data exporter is established, or the Irish Data Protection Commission where the data exporter has no EU establishment.
- For UK data subjects: the UK Information Commissioner's Office (ICO).
- For Swiss data subjects: the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Annex II — Technical & organisational measures
Access control
- Role-based access control (RBAC) with least-privilege defaults.
- Mandatory SSO/MFA for production access.
- Centralised identity provider with session expiry and device posture checks.
- Workspace-scoped isolation between customer tenants.
Encryption
- TLS 1.2+ for data in transit.
- AES-256 encryption at rest for databases and object storage.
- Envelope encryption and KMS-managed keys for sending provider credentials and webhook secrets.
Network & infrastructure security
- Private networking between services. No direct public database exposure.
- Web application firewall and rate limiting on public endpoints.
- Continuous vulnerability scanning and patching on supported cadences.
- Hardened images and infrastructure-as-code with peer review.
Application security
- Secure SDLC with code review, SAST, and dependency scanning.
- Separate staging and production environments.
- Protected branches and signed releases.
- Secrets managed through a dedicated secret store; no secrets in source control.
Logging & monitoring
- Centralised application and audit logs with tamper-evident retention.
- Alerting on anomalous authentication, access, and sending patterns.
- Customer-visible audit logs for sensitive workspace actions.
Resilience & recovery
- Automated backups with defined RPO/RTO targets.
- Multi-AZ deployments for critical services.
- Documented incident response and disaster recovery runbooks with periodic exercises.
Organisational measures
- Background checks for personnel with production access, where lawful.
- Mandatory security and privacy training on hire and annually.
- Written confidentiality obligations for all personnel.
- Vendor risk review before onboarding Sub-processors.
Annex III — Authorised Sub-processors
The current list of Sub-processors, including entity name, processing purpose, and country of processing, is published on the Mailers.io Trust page and is also available on written request. Customer is notified of additions or replacements as set out in Section 6. Sub-processor categories include: cloud infrastructure and compute, managed databases, object storage, transactional email and deliverability tooling, product analytics, error monitoring, customer support tooling, and payment processing.
Need the counter-signed version?
Procurement teams can request a counter-signed PDF, the current Sub-processor list, or SOC 2 / ISO 27001 documentation from [email protected]. For broader Trust & Compliance information, see our Security page.