Legal

Data Processing Agreement

When you send notifications through palumb, we process your subscribers' personal data on your behalf. Our Data Processing Agreement (DPA) sets out that relationship under Article 28 of the GDPR — your instructions, our obligations, and the EU data residency that keeps palumb sovereign.

Last updated: 12 June 2026

Draft — pending legal review

Our standard DPA is being finalised. Request it by email and we will share the current version; this page summarises what it covers.

What the DPA covers

Roles

You are the data controller for your subscribers' personal data; palumb is your processor and acts only on your documented instructions.

Sub-processors

The EU-based sub-processors palumb uses are listed publicly, with advance notice of material changes so you can object.

Security

Encryption in transit and at rest, encrypted channel credentials, least-privilege access, and breach-notification commitments.

Data-subject requests

We assist you in responding to access, erasure and other GDPR requests relating to data we process on your behalf.

EU data residency

Your notification data is hosted in the EU by EU providers — no transfers outside the EU/EEA in the ordinary course of the service.

Deletion & return

On termination you can export your data, after which it is deleted or returned in line with the agreement and our Privacy Policy.

Request the DPA

To receive palumb's Data Processing Agreement, or for any data-protection question, email privacy@palumb.com. We will send you the current version to review and sign.