Docs Security & privacy Compliance (GDPR/CAN-SPAM)
Security & privacy · 02 of 03

Compliance — GDPR & CAN-SPAM.

Mama's posture on the two big regimes US/EU B2B outbound teams worry about. Not legal advice — your counsel should sign off on your specific motion. But these are the structural commitments and the operating patterns that keep teams compliant.

Time: 6 min·Updated: 2026-05-25·Audience: Legal, GRC, RevOps·Not legal advice: Consult your attorney

TL;DR

GDPR: Mama processes EU personal data on lawful-interest basis. DPA available. Data-subject requests (access, deletion, etc.) routable via in-app or email; we respond within 30 days. CAN-SPAM: Mama doesn't send outbound — your sequencer does. We make compliance easier (verified emails, unsubscribe-respect across the workspace) but the obligation is yours. Both regimes pair well with signal-anchored outbound.

01GDPR posture

Mama is GDPR-aware. We process personal data of EU data subjects (decision-maker info, etc.) under a defined lawful basis. The full DPA is available on request from [email protected].

Key commitments in the DPA:

  • Personal data processed only for the purposes you instruct (B2B outbound research)
  • Sub-processors disclosed (see Data handling) with 30-day notice on changes
  • Data-subject rights honored within 30 days of request
  • Breach notification within 72 hours of confirmation
  • EU residency available as an upgrade (Company tier)

02Lawful basis

Mama relies on legitimate interest as the lawful basis for processing B2B personal data (e.g., business contact info from public sources). Per GDPR Recital 47, "legitimate interest" applies when the controller's interest is balanced against data-subject rights and the data subject would reasonably expect the processing.

This passes the three-prong legitimate-interest test for B2B outreach to publicly-listed business contacts. It does NOT pass for:

  • B2C consumer outreach (consent typically required)
  • Sensitive categories (health, political views, etc.) — Mama doesn't process these
  • Marketing to private email addresses (gmail, etc.) as primary contact

If your motion requires consent (B2C, sensitive data), Mama is not the right tool — full stop. Talk to your legal team.

03Data-subject requests

EU data subjects can request: access, rectification, erasure ("right to be forgotten"), restriction, portability, objection. We honor all within 30 days.

Two routes for requests:

  • In-app form at signalmama.com/privacy/dsr — for individuals to request directly
  • Email [email protected] — for proxies (attorneys, employers)

If a data subject is in your workspace as a decision-maker and requests erasure, Mama removes them from our database and notifies you (so you can also remove them from your downstream CRM if required).

04CAN-SPAM posture

Mama doesn't send outbound email — your sequencer does. CAN-SPAM compliance is your obligation, but Mama makes it easier:

  • Verified contact data — fewer bounces, fewer angry recipients
  • Unsubscribe propagation — when someone unsubscribes via your sequencer (and the sequencer is connected), Mama suppresses them from your saved searches and decision-maker rolls
  • Honest sender info — Mama doesn't generate spoofed sender details
  • Cross-workspace suppression list — Company tier — a person who unsubscribes once is suppressed across all team workspaces

CAN-SPAM requirements you must still handle in your sequencer: accurate From/Subject lines, valid physical postal address in every email, working opt-out within 10 days, opt-out for 5 years minimum.

05Unsubscribe propagation

When Reply Loop classifies an inbound reply as "unsubscribe," Mama:

  1. Tags the person as suppressed in your workspace
  2. Removes them from saved-search match outputs
  3. Adds a suppression flag to all brief views of their account
  4. Pushes suppression status to connected CRM (so the unsubscribe propagates to your other tools)

The suppression is permanent unless an admin manually unsuppresses (rare; usually only if the classifier mis-labeled).

06EU residency option

Company tier customers can request that primary data storage move to AWS eu-west-1 (Ireland). Configured during contracting; can't be flipped mid-contract.

Sub-processors (Stripe for payment, Postmark for transactional email) remain in their normal regions but contractually limit cross-border transfers.

07Not legal advice

This page describes Mama's structural commitments. It does NOT constitute legal advice. Compliance depends on your specific motion, jurisdictions, and how you use the product.

For specific legal questions about your outbound motion under GDPR, CAN-SPAM, CASL, or other regimes, talk to qualified counsel. We're happy to be in those conversations and provide whatever documentation your counsel needs.

08Common mistakes

Assuming Mama makes you compliant
Mama makes compliance easier but compliance is your obligation. Your sequencer is the one sending email; CAN-SPAM is on you.
Ignoring DSR requests because "they came in via Mama"
If a data subject is in your CRM via Mama push, they're now in your CRM. Erasure must propagate downstream too.
Using Mama for B2C outbound
Mama's GDPR posture is for B2B legitimate-interest processing. B2C outreach typically requires consent. Different tool, different basis.
Security & privacy
Data handling
Infrastructure security.
Security & privacy
Retention & deletion
Data lifecycle and erasure.
Glossary · deep dive
GDPR for outbound
Long-form essay on GDPR + outbound.
Glossary · deep dive
CAN-SPAM
Long-form essay on CAN-SPAM.
Was this page helpful?
Yes No Report unclear