My answer may come a little late but I can try to help you in the event that you have not yet found what you were looking for.
Did you check for or agree to Terms and conditions before using the websites services? Maybe a DPA is included in the terms and conditions and you have already approved it. In most contract such rules will be referred to as "GDPR standard clauses" (e.g., https://www.cisecurity.org/standard-gdpr-clauses)
Alternatively, since the websites are located in the US, it is possible they chose not to set out a DPA (which would mean that they can't make business with individuals or companies located in the EU). You need to be careful with your projects and your own clients/users if they are located in Europe.
Alternatively, are these websites hosted in California ? (rules which are comparable to GDPR applies to California).
Regarding your last question on email providing, I would need further information to give you an educated answer relevant for your specific situation. Email providers can indeed be processors as well as controllers. It all depends on the type of information they are provided with and how this information is shared and processed.
Don't hesitate to contact me