Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy and applies automatically to every account for the processing of personal data within lead lists and recipient data ("Customer Data") that you, the customer, provide to agent-cold-email (the "Service"), operated by EpiphanyMade. It does not require separate signature to take effect; a countersigned/negotiated version for enterprise agreements is available on request — see Contact below.
1. Roles
For Customer Data, you are the controller and EpiphanyMade is the processor. You determine the purposes and means of processing (who to contact, what to say, and on what lawful basis) — see the customer-is-sender designation and representations in the Terms of Service §§2–3. EpiphanyMade processes Customer Data solely to deliver the Service you configure: provisioning, sequencing, suppression, reply handling, and the monitoring described in §5 of the Terms.
2. Subject matter, duration, and instructions
Subject matter: hosting and processing of Customer Data to operate cold-outreach infrastructure on your behalf. Duration: for as long as your account is active, plus the retention period described in the Privacy Policy §7. EpiphanyMade processes Customer Data only on your documented instructions — the configuration you provide through the API, MCP, or CLI surface — and will inform you if an instruction appears to violate applicable data-protection law, rather than execute it silently.
3. Subprocessors
EpiphanyMade uses the following subprocessors to operate the Service, each engaged under its own terms and limited to the function listed:
- Stripe — billing and payment processing.
- Cloudflare — hosting, DNS, and application infrastructure (Workers, Durable Objects, D1).
- Domain registrar (Namecheap or Porkbun, depending on the operation) — domain registration for provisioned sending domains.
- Mailbox / warmup vendor (e.g., Inboxkit) — mailbox provisioning, warmup, and deliverability monitoring for provisioned mailboxes.
This list reflects the vendors actually wired into the Service (see Privacy Policy §6); it is not a static exhibit. We'll update this page and its "Last updated" date before adding a new subprocessor with access to Customer Data, and enterprise customers with a countersigned DPA may request advance notice by email.
4. Security
EpiphanyMade uses industry-standard technical and organizational safeguards for Customer Data in transit and at rest, and every tenant's data is isolated at the storage layer (per-tenant scoping enforced on every query and Durable Object access — see SECURITY.md for how to report a vulnerability). No system is perfectly secure, and this DPA does not warrant an outcome beyond using these safeguards in good faith.
5. Assistance with data subject requests
If EpiphanyMade receives a request from one of your recipients to access, correct, or delete their data, we will forward it to you promptly and will reasonably assist you in responding, since you (not EpiphanyMade) are the controller with the relationship and context needed to fulfill it. EpiphanyMade will also reasonably assist with your own obligations around security, breach notification, and data-protection impact assessments to the extent they depend on how the Service processes Customer Data.
6. Data handling on termination
What happens to Customer Data when your account is canceled or terminated is deliberately not uniform, because one category has a legal reason to be handled differently from the rest:
- Provisioned infrastructure — domains and mailboxes purchased or provisioned on your behalf — is deprovisioned/reclaimed as part of teardown (see Terms §11).
- Lead lists, campaign content, and other Customer Data are retained per the standard window in the Privacy Policy §7 (active account plus a reasonable period for legal, tax, and dispute-handling purposes) and deleted on request — email [email protected].
- The suppression / opt-out list is the one deliberate exception: it is retained indefinitely and is never deleted, including after termination. This is not an oversight — CAN-SPAM and equivalent laws require honoring an opt-out permanently, and deleting that record would risk a re-contact of someone who already withdrew consent if the domain or account is ever reactivated.
7. International transfers
The Service is US-first at this stage. Customer Data is processed and stored in EpiphanyMade's and its subprocessors' US infrastructure. EU/UK/GDPR-scoped processing is currently out of scope for the Service — see Privacy Policy §8 and Terms §1.
8. Precedence
This DPA supplements, and does not replace, the Terms of Service and Privacy Policy. In the event of a conflict specific to the processing of Customer Data, this DPA controls.
9. Contact
Questions, a countersigned DPA for an enterprise agreement, or a data subject request to forward: [email protected].
EpiphanyMade, 209 Crest Hill Road, Toms River, NJ 08755, US