Last Updated: September 17, 2024.
This Data Processing Agreement ("Agreement" or "DPA") forms a legally binding part of the terms and conditions between the customer ("Customer") and Sendvio ("Sendvio," "we," or "us") for the use of Sendvio's marketing automation platform and services (the "Services").
This Agreement governs the processing of Personal Data by Sendvio on behalf of the Customer in compliance with applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, the UK GDPR, the California Consumer Privacy Act ("CCPA"), and any similar or successor laws.
1. Definitions
1.1 "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, CCPA/CPRA, and other international or local data privacy and security laws.
1.2 "Personal Data" means any information that relates to an identified or identifiable natural person, which Sendvio processes on behalf of the Customer.
1.3 "Data Subject" means the individual to whom the Personal Data relates.
1.4 "Processing," "Controller," "Processor," and "Supervisory Authority" shall have the meanings given under applicable Data Protection Laws.
1.5 "Sub-processor" means any third party engaged by Sendvio to assist in fulfilling its obligations with respect to the processing of Personal Data.
2. Scope and Role of the Parties
2.1 For the purposes of this Agreement, the parties acknowledge that the Customer acts as the Controller (or Business under the CCPA) and Sendvio acts as the Processor (or Service Provider under the CCPA), unless otherwise specified by law.
2.2 Sendvio will process Personal Data solely on documented instructions from the Customer, unless required to do so by applicable law. In such cases, Sendvio will inform the Customer, unless legally prohibited.
2.3 Details of the processing activities, including subject matter, nature, purpose, and types of Personal Data, are set out in Annex I.
3. Sendvio's Obligations as Processor
Sendvio shall:
- Process Personal Data only in accordance with the Customer's lawful and documented instructions;
- Ensure that individuals authorized to process the Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organizational measures to ensure the security of Personal Data in accordance with Article 32 of the GDPR and comparable standards under other laws;
- Provide reasonable assistance to the Customer in responding to Data Subject requests or exercising rights under Data Protection Laws;
- Notify the Customer without undue delay of any confirmed Personal Data Breach affecting Customer Data;
- Assist the Customer, where feasible, in data protection impact assessments or consultations with Supervisory Authorities as required;
- At the end of the Agreement, delete or return all Personal Data, unless otherwise required to retain it by law;
- Maintain records sufficient to demonstrate compliance and allow audits upon written request, subject to reasonable confidentiality and security obligations.
4. Use of Sub-processors
4.1 The Customer authorizes Sendvio to engage Sub-processors as necessary to deliver the Services, provided that:
- Sendvio maintains a current list of Sub-processors available upon request;
- Sub-processors are contractually bound by data protection obligations equivalent to those in this Agreement;
- Sendvio remains responsible for the performance of its Sub-processors.
4.2 The Customer may object to a new Sub-processor based on reasonable and documented data protection concerns. In such a case, both parties shall cooperate in good faith to reach a resolution. If a resolution cannot be reached, either party may terminate the impacted portion of the Services.
5. Cross-Border Transfers of Personal Data
5.1 Where the processing of Personal Data involves a transfer outside the European Economic Area (EEA), the United Kingdom, or other jurisdictions with transfer restrictions, Sendvio shall ensure such transfers are made in compliance with applicable Data Protection Laws.
5.2 Appropriate safeguards may include:
- Standard Contractual Clauses (SCCs) issued by the European Commission or other recognized authorities;
- The UK International Data Transfer Addendum (IDTA);
- Any additional technical, contractual, or organizational measures required under applicable law.
6. Customer Responsibilities
The Customer represents and warrants that:
- It has obtained all necessary rights, consents, and lawful bases to provide Personal Data to Sendvio;
- It will comply with its obligations as a Controller under Data Protection Laws;
- It has provided proper notice to Data Subjects regarding the use of the Services;
- It will not instruct Sendvio to process Personal Data in a way that violates applicable laws.
Sendvio shall not be liable for any claim or action arising from the Customer's failure to comply with the above obligations.
7. Limitation of Liability
Each party's liability under this Agreement shall be subject to the limitations of liability and indemnification provisions in the primary agreement between the parties. Nothing in this Agreement limits either party's liability for intentional misconduct, gross negligence, or breach of applicable Data Protection Laws.
8. Term and Termination
This Agreement remains in effect for the duration of the primary agreement between the Customer and Sendvio. Upon termination, Sendvio shall, at the Customer's option, delete or return all Personal Data unless retention is required by law. Evidence of deletion will be provided upon written request.
Annex I – Description of Processing Activities
Subject Matter: Provision of marketing automation and communication services (email and SMS).
Nature and Purpose: Data storage, delivery, segmentation, and analytics of communication campaigns and platform interactions.
Duration of Processing: As long as the Customer uses the Services, unless otherwise required by law.
Types of Personal Data: Names, email addresses, phone numbers, location/IP data, communication preferences, store/customer identifiers, and usage analytics.
Data Subjects: Individuals whose information is uploaded or collected by the Customer through their store or business (e.g., subscribers, customers, recipients).
Annex II – Technical and Organizational Security Measures
Sendvio maintains technical and organizational security measures appropriate to the risk, including:
- Encryption of data at rest and in transit;
- Role-based access controls and password policies;
- Regular internal security audits and third-party assessments;
- Secure hosting infrastructure and firewall protections;
- Backup and disaster recovery processes;
- Employee confidentiality agreements and security training.
Contact: For any questions regarding this Data Processing Agreement, please contact us at legal@sendvio.com.
This Agreement is legally binding and enforceable as part of the terms governing the use of Sendvio's Services. Any conflict between this Agreement and other Sendvio terms shall be resolved in favor of this Agreement with respect to data protection and privacy matters.