Sendvio Data Processing Agreement (DPA)

Last updated: September 22, 2025

This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms and Conditions of Service ("Terms") between the customer ("Customer," "Controller," or "Business") and Sendvio, Inc. ("Sendvio," "we," or "us") for the use of Sendvio's marketing automation platform and services (the "Services").

This Agreement governs Sendvio's processing of Personal Data on behalf of the Customer in compliance with all applicable Data Protection Laws worldwide, including but not limited to:

  • GDPR (EU Regulation 2016/679);
  • UK GDPR and the UK Data Protection Act 2018;
  • the California Consumer Privacy Act as amended by CPRA ("CCPA/CPRA");
  • Brazil's LGPD;
  • Canada's PIPEDA;
  • Australia's Privacy Act 1988;
  • CASL, CAN-SPAM, TCPA, and other relevant privacy and communications laws.

1. Definitions

1.1 "Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, Australia's Privacy Act, CASL, CAN-SPAM, TCPA, and any successors.

1.2 "Personal Data" means any information relating to an identified or identifiable natural person which Sendvio processes on behalf of the Customer.

1.3 "Data Subject" means the individual to whom the Personal Data relates.

1.4 "Processing," "Controller," "Processor," "Sub-processor," "Supervisory Authority," and "Personal Data Breach" have the meanings given under applicable Data Protection Laws.

1.5 "Breach" means a Personal Data Breach as defined under GDPR Art. 4(12) or equivalent under other laws.

2. Scope and Roles of the Parties

2.1 The Customer acts as Controller/Business, and Sendvio acts as Processor/Service Provider, except where Sendvio acts as Controller for billing, fraud prevention, and legal compliance.

2.2 Sendvio will process Personal Data solely under documented Customer instructions, unless required by law.

2.3 Annex I describes the subject matter, nature, purpose, categories, and duration of the Processing.

2.4 No Joint Controllership. The parties expressly agree this Agreement does not create joint controllership under GDPR or equivalent laws.

3. Sendvio's Obligations as Processor

Sendvio shall:

  • Process Personal Data only under documented instructions;
  • Ensure authorized personnel are bound by confidentiality;
  • Implement appropriate technical and organizational measures in line with GDPR Art. 32 and comparable standards;
  • Provide reasonable assistance to Customer in responding to Data Subject rights requests;
  • Notify Customer without undue delay of a confirmed Breach, providing available information required under GDPR Art. 33 and equivalent laws;
  • Assist Customer, where feasible, with Data Protection Impact Assessments (DPIAs) and consultations with Supervisory Authorities;
  • Delete or return all Personal Data upon termination, unless law requires retention;
  • Maintain records of processing to demonstrate compliance.

Audit Rights. Sendvio may, at its discretion, satisfy audit obligations by providing up-to-date third-party certifications, audit reports, or attestations (e.g., SOC 2, ISO 27001). Direct onsite audits will only be permitted where required by applicable law, must be requested in writing with at least sixty (60) days' prior notice, limited to once every twelve (12) months, conducted at Customer's sole expense, and subject to strict confidentiality, security, and non-disruption requirements. Sendvio may deny any audit request that imposes disproportionate burden or risk to other customers' data or Sendvio's infrastructure.

4. Sector-Specific Restrictions & Exclusions

4.1 The Services are not designed or intended for:

  • Protected health information (PHI) under HIPAA;
  • Educational records regulated by FERPA;
  • Financial data subject to PCI DSS;
  • Biometric or genetic data;
  • Data of children under the age of 18;
  • Any other special category or high-risk data as defined under GDPR Art. 9 or equivalent laws.

4.2 Customer agrees not to input or process any such data in the Services unless:

  • It has a valid lawful basis;
  • It has disclosed the processing to Sendvio in writing;
  • And Sendvio has explicitly consented to such processing.

4.3 Sendvio expressly disclaims any liability arising from Customer's failure to comply with this clause.

5. Use of Sub-processors

5.1 Customer authorizes Sendvio to engage Sub-processors necessary to deliver the Services.

5.2 Sendvio maintains an up-to-date list of Sub-processors, available upon request.

5.3 Sub-processors will be bound by obligations equivalent to those in this Agreement. Sendvio remains responsible for their performance.

5.4 Customer may object to a new Sub-processor on reasonable, documented grounds. If no resolution is possible, Customer may terminate only the affected Services.

6. International Data Transfers

6.1 Where Personal Data is transferred outside the EEA, UK, or Switzerland, Sendvio will implement safeguards including:

  • Standard Contractual Clauses (SCCs);
  • the UK IDTA/Addendum;
  • and supplementary measures such as encryption and access controls.

6.2 By using the Services, Customer acknowledges such transfers are necessary for contract performance and global service delivery.

6.3 If Customer objects to a transfer legally required or technically essential for the Services, Sendvio may suspend or terminate the affected Services without liability, to the extent that continued provision would be unlawful or technically impossible.

7. Customer Responsibilities

Customer represents and warrants that:

  • It has obtained all necessary rights, consents, and lawful bases for the processing of Personal Data;
  • It has provided appropriate notice to Data Subjects;
  • It will not instruct Sendvio to process Personal Data unlawfully;
  • It will comply with its obligations as Controller/Business;
  • It will ensure lawful use of Sendvio's AI features, SMS/WhatsApp tools, and cookies.

Sendvio disclaims liability for claims arising from Customer's unlawful or negligent use of the Services.

8. Data Subject Rights

8.1 Sendvio will forward any Data Subject request to Customer and will not respond directly unless legally obligated.

8.2 Sendvio will provide reasonable assistance with Data Subject requests under GDPR, CPRA, LGPD, and other laws, subject to technical feasibility and cost reimbursement.

9. AI-Powered Processing

9.1 Customer is solely responsible for lawful use of Personal Data in AI prompts and for reviewing outputs before use.

9.2 Customer must disclose AI use to Data Subjects where legally required (e.g., EU AI Act).

9.3 Sendvio disclaims liability for AI outputs and prohibits AI use in high-risk or unlawful contexts including biometric identification, credit scoring, political manipulation, or discriminatory content.

10. Breach Notification

10.1 Sendvio will notify Customer without undue delay of a confirmed Breach affecting Customer Data.

10.2 Customer is responsible for notifying Data Subjects or authorities unless law obligates Sendvio to do so directly.

10.3 Sendvio's obligations for Breach-related costs are limited solely to its direct responsibilities under applicable law and expressly exclude indirect damages or regulatory fines imposed on Customer for its own compliance failures.

11. Limitation of Liability

11.1 Each party's liability under this Agreement is subject to the limitations of liability and indemnification provisions in the Terms of Service.

11.2 In no event shall Sendvio's aggregate liability under this Agreement exceed the total fees paid by Customer to Sendvio in the twelve (12) months preceding the event giving rise to the claim.

11.3 Nothing limits liability for intentional misconduct, gross negligence, or non-excludable obligations under applicable law.

11.4 Sendvio shall not be liable for indirect, incidental, consequential, or punitive damages arising from Customer's unlawful or negligent use of the Services.

12. Term and Termination

12.1 This Agreement remains in effect for the duration of the Terms.

12.2 Upon termination, Sendvio will delete or return Personal Data at Customer's choice unless retention is required by law. Evidence of deletion will be provided upon written request.

Annex I – Description of Processing Activities

Subject Matter: Provision of marketing automation and communication services, including email, SMS, WhatsApp, and AI-powered features.

Nature and Purpose: Storage, transmission, analytics, campaign execution, and optional AI content generation.

Duration: For the duration of Customer's use of Services.

Types of Data: Names, email, phone, store identifiers, order history, preferences, campaign interactions, IP addresses, technical logs.

Data Subjects: Subscribers, customers, or contacts uploaded by Customer.

Annex II – Technical and Organizational Security Measures

Sendvio maintains measures appropriate to the risk, including:

  • Encryption of data in transit and at rest;
  • Role-based access controls and MFA;
  • Logging, monitoring, and intrusion detection;
  • Firewalls and DDoS mitigation;
  • Secure hosting in SOC 2/ISO 27001 certified facilities;
  • Regular audits and penetration tests;
  • Backup and disaster recovery protocols;
  • Employee confidentiality and security training.

Annex III – Approved Sub-processors

1. Categories of Sub-processors

To provide the Services, Sendvio engages carefully selected third parties ("Sub-processors") in the following categories:

  • Cloud Infrastructure Providers – for hosting, storage, and security services.
  • Communication Gateways – for SMS, WhatsApp, and telecommunication delivery.
  • Email Delivery Networks – for outbound email delivery.
  • Analytics and Monitoring Tools – for performance monitoring, error tracking, and service reliability.
  • Support and CRM Platforms – for customer support requests and account inquiries.
  • Payment and Billing Providers – for subscription management and payments.

A detailed list of Sub-processors, including names and locations, is maintained internally by Sendvio and may be provided to the Customer upon written request, subject to reasonable confidentiality and security restrictions.

2. Appointment of Sub-processors

2.1 Customer authorizes Sendvio to engage Sub-processors within the categories listed above, as well as others reasonably necessary to deliver the Services.

2.2 All Sub-processors will be contractually bound by data protection obligations no less protective than those in this Agreement.

2.3 Sendvio remains responsible for the performance of its Sub-processors.

3. Updates to Sub-processors

3.1 Sendvio may update its Sub-processor engagements from time to time.

3.2 Customers will be notified of material changes (e.g., engagement of a new Sub-processor that will process Personal Data) via in-app notice, website update, or email.

3.3 If Customer objects to a new Sub-processor based on reasonable and documented privacy grounds, Customer must notify Sendvio in writing within 30 days of receiving notice.

3.4 If no objection is received within this period, continued use of the Services constitutes acceptance of the new Sub-processor.

3.5 If objection is made and no resolution is possible, Customer's sole and exclusive remedy is to terminate only the affected portion of the Services.

4. Disclaimers and Limitations

4.1 Sendvio disclaims liability for acts or omissions of Sub-processors not under its direct control, provided Sendvio exercised reasonable care in their selection and monitoring.

4.2 Customer acknowledges that refusal of necessary Sub-processors may impair or prevent Sendvio from delivering the Services. In such cases, Sendvio may suspend or terminate the impacted Services without liability.

Contact

For privacy or data protection matters: legal@sendvio.com