AlpacaRelay logo
AlpacaRelay
Data Processing Addendum

Data Processing Addendum

Last Updated: May 5, 2026

Download PDF
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between AlpacaRelay LLC (“Processor”) and the customer entity (“Customer”) and applies where AlpacaRelay processes personal data on Customer’s behalf.

1. Role of the Parties

• Customer is the Data Controller
• AlpacaRelay is the Data Processor

2. Scope of Processing

2.1 Subject Matter
Provision of the Service, including AI-based generation of email marketing templates and related content.

2.2 Duration
For the duration of Customer’s use of the Service.

2.3 Nature and Purpose
Processing personal data to:
• Provide, operate, and support the Service
• Generate Outputs
• Improve and enhance models and services, except where prohibited by applicable data source restrictions
• Provide customer support
• Maintain security and reliability

2.4 Types of Personal Data
• Account and contact information
• Usage data
• Inputs submitted to the Service
• Outputs generated by the Service (to the extent they contain personal data)
• Connected Account data, including encrypted OAuth refresh tokens associated with Gmail connections (stored in Nango’s encrypted vault)
• Send audit log data, including hashed recipient addresses, hashed subject lines, provider-returned message IDs, requesting IP addresses, send timestamps, and campaign identifiers

2.5 Categories of Data Subjects
• Customer users
• Customer’s end customers or contacts (as included in Inputs)

3. Processor Obligations

AlpacaRelay shall:
• Process personal data in accordance with Customer’s documented instructions, as set forth in this DPA, the Terms of Service, the Privacy Policy, and as necessary to provide and operate the Service, unless otherwise required by applicable law.
• Implement reasonable security measures
• Ensure personnel are subject to confidentiality obligations
• Assist with data subject requests where applicable
• Notify Customer of a confirmed personal data breach involving Customer’s data without undue delay. Such notification will include, to the extent reasonably available at the time of notification: (i) a description of the nature of the breach; (ii) the categories and approximate number of affected data subjects; (iii) the categories and approximate volume of affected personal data; (iv) the identity of the AlpacaRelay contact handling the matter; and (v) a description of measures taken or proposed to address and mitigate the breach
• Upon termination or expiration of the Service, AlpacaRelay will retain Customer’s personal data for a period of up to ninety (90) days to allow for account reactivation or data retrieval. Following that period, AlpacaRelay may delete Customer’s personal data in the ordinary course of its data management practices. At any time, Customer may submit a written request to support@alpacarelay.com requesting deletion of its personal data, and AlpacaRelay will use commercially reasonable efforts to honor such request within ninety (90) days, except as required to be retained by applicable law or maintained in encrypted backup or log archives pursuant to AlpacaRelay’s standard retention practices. AlpacaRelay may retain anonymized or aggregated data indefinitely

4. Subprocessors

Customer authorizes AlpacaRelay to engage subprocessors, including:
• Cloud hosting providers
• Payment processors (e.g., Stripe)
• Analytics and monitoring providers
• Nango (OAuth token vault and authenticated API proxy for Gmail account connections)

AlpacaRelay remains responsible for subprocessors’ compliance with this DPA.

AlpacaRelay maintains a current internal list of all Subprocessors that process personal data on Customer’s behalf. This list will be made available to Customer upon written request to support@alpacarelay.com. AlpacaRelay may update its Subprocessors at any time at its discretion.

5. International Transfers

Where personal data is transferred internationally, AlpacaRelay will implement appropriate safeguards as required by applicable law.

6. Security Measures

AlpacaRelay maintains reasonable technical and organizational measures, including:
• Access controls
• Encryption in transit
• Segregation of production systems
• Incident response procedures

7. Liability

Liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

8. Governing Law

This DPA is governed by the laws of the State of New Hampshire, without regard to conflict of laws principles.
Create your first email today
Bring your ideas to life with AI — it's faster and easier than you think
🎉 No credit card required