GDPR

Dreamlit supports GDPR compliance by acting as a data processor, providing a Data Processing Addendum (DPA) and (where required) Standard Contractual Clauses (SCCs), maintaining technical and organizational measures designed to protect data, and providing tooling to help customers meet their GDPR obligations.

Last updated: January 29, 2026

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union privacy law. It sets rules for how personal data of people in the EU/EEA can be collected, used, and shared.

Controller vs. processor

In most setups, you (our customer) act as the controller of your end users’ data, and Dreamlit acts as a processor, providing email workflow infrastructure on your behalf.

Data subject requests

If you’re an end user and you want to exercise GDPR rights regarding an email you received, you should contact the organization you interacted with (our customer). Dreamlit assists customers with requests relating to our processing activities when needed.

International transfers (SCCs)

Dreamlit and its subprocessors may process data outside the EEA/UK. Where required for international transfers, Dreamlit offers Standard Contractual Clauses: the EU SCCs (Commission Decision 2021/914) and the UK Addendum, as applicable. If you need executed SCCs for your review, email [email protected].

Data retention

Dreamlit retains Customer personal data for up to one (1) year (for example, workflow execution history and delivery events) unless Customer requests deletion sooner or longer retention is required by law.

What we publish for compliance reviews

Here are the resources we keep up to date:

Questionnaires

If you have a vendor security or GDPR questionnaire, email [email protected] and we’ll help.