A Data Processing Agreement (DPA) is a contract that governs how Rackwave, as a data processor, handles personal data on your behalf. This article explains when you need a DPA, what it covers, and how to request one from Rackwave.
What Is a DPA?
When you use Rackwave to send emails, SMS, or WhatsApp messages, Rackwave processes personal data belonging to your recipients — email addresses, phone numbers, and delivery metadata. Under data protection laws such as GDPR (EU/UK) and India's Digital Personal Data Protection Act (DPDPA), this makes Rackwave a Data Processor acting on behalf of you — the Data Controller.
A DPA is a legally required contract between the Data Controller (you) and Data Processor (Rackwave) that defines:
- The categories of personal data being processed.
- The purpose and duration of processing.
- The technical and organisational security measures in place.
- Each party's rights and obligations under data protection law.
- Sub-processing arrangements (third parties Rackwave uses to deliver the service).
- Procedures for data subject rights requests.
- Breach notification timelines.
When Do You Need a DPA with Rackwave?
| Scenario | DPA Required? | Reason |
|---|---|---|
| You send emails or SMS to EU/UK residents | Yes — required under GDPR/UK GDPR | GDPR Article 28 mandates a written DPA between controller and processor |
| You are an Indian business processing Indian citizens' phone numbers | Recommended under DPDPA 2023 | India's DPDPA 2023 establishes controller-processor obligations |
| Your customers or clients require proof of DPA for their own compliance | Yes — requested by your clients | Enterprises and regulated industries require DPAs from their vendors |
| You operate solely within India and send only to Indian recipients | Not strictly required (GDPR) | GDPR does not apply; DPDPA 2023 obligations are evolving — recommended regardless |
| Free trial usage only | Not typically required | Trial use with test data usually does not trigger DPA requirements |
What Rackwave's DPA Covers
| Section | What It Addresses |
|---|---|
| Scope of processing | Categories of personal data (email addresses, phone numbers, delivery metadata), purposes (email/SMS/WhatsApp delivery), duration (subscription period) |
| Data controller instructions | Rackwave processes data only on your documented instructions and for no other purpose |
| Security measures | Encryption in transit (TLS) and at rest (AES-256), access controls, vulnerability management, incident response procedures |
| Sub-processors | List of third-party sub-processors used (e.g. hosting providers, SMS carrier networks); your right to object to new sub-processors |
| Data subject rights | How Rackwave assists you in responding to access, erasure, portability, and restriction requests from your recipients |
| Breach notification | Rackwave notifies you within 48–72 hours of becoming aware of a personal data breach affecting your data |
| Data return and deletion | Upon account termination or your written request, Rackwave deletes or returns your data (excluding legally retained records) |
| Audit rights | Your right to audit Rackwave's data processing practices (typically satisfied via third-party audit reports or questionnaires) |
How to Request a DPA
- Log in to the Rackwave portal.
- Open a support ticket with the subject: DPA Request — [Your Company Name].
- Include the following in your request:
  - Your company's legal name and registration number.
  - The jurisdiction under which you need the DPA (GDPR, UK GDPR, DPDPA, or general).
  - Whether you need the standard Rackwave DPA or want Rackwave to review your own DPA template.
- The Rackwave legal team will respond within 3–5 business days with a DPA for your review and signature.
- Once both parties sign, the executed DPA is stored on your account record.
International Data Transfers
If personal data of EU/UK residents is transferred to India (where Rackwave's infrastructure is located), the following safeguards apply:
- Rackwave relies on Standard Contractual Clauses (SCCs) as the legal mechanism for transferring EU/UK personal data to India.
- SCCs are incorporated into the DPA and represent the current EU Commission-approved transfer mechanism.
- A Transfer Impact Assessment (TIA) is available on request for organisations that require one for their own compliance programmes.
Frequently Asked Questions
| Question | Answer |
|---|---|
| Can we use our own DPA template instead of Rackwave's? | Yes. Send your template to the Rackwave legal team via a support ticket. We will review and respond with any required amendments within 5–7 business days. |
| Is a DPA required for the free trial? | Generally not — trial accounts typically use test data rather than real personal data. If your trial does involve real personal data of EU/UK residents, a DPA is technically required from the moment processing begins. |
| How long does it take to get a signed DPA? | Using Rackwave's standard template: typically 3–5 business days. Custom templates requiring legal review: 7–14 business days. Urgent requests can be escalated — note this in your support ticket. |
| Does Rackwave sign DPAs electronically? | Yes. Rackwave uses DocuSign for electronic signatures, which carries the same legal validity as wet ink signatures in India and most international jurisdictions. |