Skip to content
PostMTA Hosted
StatusSign inOpen panelRequest access
Open menu

Enterprise

DPA / BAA

We-operate deployments of PostMTA Hosted enter into a Data Processing Agreement covering GDPR Art. 28 obligations and, where requested, a HIPAA Business Associate Agreement under §164.504(e). Submit compliance requirements via the contact form and we will return a countersigned DPA within five business days.

DPA scope (we-operate)

  • Subject matter — outbound mail delivery + contact intake via appliance.
  • Roles — PostMTA = Processor; Customer = Controller.
  • Sub-processors — listed at /trust/subprocessors; 30-day change notice for any addition.
  • Data categories — From/To headers, message bodies, contact form submissions, audit logs (no special categories unless the customer sends them).
  • Retention — contact intake 90 days; credit ledger append-only until workspace deletion.
  • Security controlsPMH-SEC matrix (CC6-equivalent).
  • Breach notification — within 72 hours of confirmed unauthorized access; we-operate customers receive PagerDuty push.
  • Audit rights — on-site customers get full PMH-SEC table; we-operate customers receive quarterly attestation reports.

BAA scope (HIPAA)

  • Permitted uses include transmission of PHI through the appliance; receipt-side delivery only.
  • Subcontractors — see /trust/subprocessors; same 30-day change notice.
  • Safeguards — TLS in transit; scrypt-hashed credentials; RLS-locked DKIM secrets (PMH-SEC-023).
  • Breach notification — within 60 days of discovery to the customer contact of record, with the §164.410 carve-out.
  • Termination — on customer request, return or destroy PHI within 30 days (excluding legal hold windows).

Customer-VPC mode

PostMTA Hosted running in customer-VPC mode does not require a DPA with PostMTA — the customer's appliance processes only their own data inside their trust boundary. PMH-SEC controls and the operator runbook at Production runbookremain their primary controls.

Request DPA / BAA