This Data Processing Addendum (“DPA”) forms an integral part of Sendios Terms of Service, available at link (including any Order Forms, exhibits, appendices, annexes, or policies referenced therein) (“Agreement”), entered into by and between the Customer (“Data Controller”) and Sendios (“Data Processor”) that governs Data Controller’s use and Sendios’ provision of Sendios’ Software and Services. Data Controller and Sendios are hereinafter jointly referred to as the “Parties” and individually as the “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

1. Definitions
1.1. “Applicable Privacy Law” means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data.
1.2. “Affiliated Companies” means any legal entities controlling, controlled by or under common control with Data Controller.
1.3. “Data Controller” means the party that has authority over the processing of Personal Data, determining the purpose for its use and the manner that it is processed.
1.4. “Data Processor” means the party that processes Personal Data on behalf of, and under the instruction of, the Data Controller.
1.5. “Data Protection Authority” means the official body that ensures compliance with the Applicable Privacy Law within its applicable jurisdiction.
1.6. “Data Subject” means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
1.7. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
1.8. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.9. “Personal Data” means any information regulated by Applicable Privacy Law provided by the Data Controller, including information concerning an identified or identifiable individual, such as name, address, age, gender, email address, etc.
1.10. “Processing”, “processes” and “process” mean either any activity that involves the use of Personal Data or as the Applicable Privacy Law may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
1.11. “Standard Contractual Clauses” (“SCC”) means contractual clauses established by the European Commission concerning the international transfer of Personal Data, as set out in the Annex to Commission Decision 2010/87/EU.
1.12. “Sub-processor” means a third-party data processor engaged by the Data Processor that has, or may have, access to Personal Data or that processes Personal Data.

2.1. The Parties acknowledge and agree that, with regard to the processing of Personal Data, Customer is the Data Controller and Sendios is the Data Processor.
2.2. The subject matter, duration, nature and purpose(s) of the processing of Personal Data, as well as type of Personal Data and categories of Data Subjects are specified in Schedule A.
2.3. Sendios shall refrain from processing Personal Data that is beyond the scope set forth in Schedule A.
2.4. In case Sendios receives additional information that is not needed to fulfil the Agreement, it must inform Data Controller immediately and stop the processing of the additional Personal Data.
2.5. The Data Controller represents and warrants that: (i) its Processing instructions shall comply with Applicable Privacy Law; and (ii) it will comply with Applicable Privacy Law, specifically with regard to the lawful basis principle for Processing Personal Data. Data Controller acknowledges and agrees that the end user does not have a direct relationship with Processor; however, the Processor’s Services are dependent and based upon the end user’s consent or any other demonstrated lawful basis, which shall be obtained by Data Controller and on which Processor relies. Data Controller also acknowledges that it shall be able to demonstrate such consent at any time and represents that such consent exists.

3.1. Sendios shall process the Personal Data only on instructions from Data Controller and for no other purpose than the purpose(s) defined in Schedule A.
3.2. Sendios shall inform the Data Controller if, in its opinion, an instruction infringes the GDPR or the Applicable Privacy Law. The processing of the Personal Data required in said instruction shall be delayed.
3.3. If Sendios is required to transfer Personal Data to a law enforcement agency, it shall inform the Data Controller of that legal requirement before processing the Personal Data, unless that law prohibits such information on important grounds of public interest.

4.1. Sendios shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Technical and organizational security measures are listed in Schedule B.
4.2. In assessing the appropriate level of security, Sendios shall take into account the risks that are presented by Processing Personal Data, in particular risks arising from a Data Breach.

5.1. Sendios shall ensure that all employees with access to the Personal Data are legally bound by confidentiality obligations during and after the termination of the DPA, including after the termination of their employment.
5.2. Sendios shall provide access to Personal Data to its employees on a need-to-know basis only and shall make sure that the employees are aware and compliant with the Agreement, the DPA, Data Controller’s written instructions and the Applicable Privacy Law.
5.3. Sendios shall train its employees involved in the processing of the Personal Data to comply with the Applicable Privacy Law and with the requirements established in this DPA.

6.1. Data Controller authorizes Sendios to appoint (and permit each Sub-processor appointed in accordance with this Clause 6 to appoint) Sub-processors in accordance with this Clause 6 and any restrictions in the Agreement.
6.2. Data Controller hereby grants general written authorization to Data Controller to engage additional or replace existing Sub-processors for the processing of the Personal Data under the Agreement. Upon request of Data Controller, Sendios will provide a list of such Sub-processors. Data Controller has the right to object to any Sub-processor. The objection shall be made by written communication within 10 business days after receipt of the requested list of Sub-processors. Sendios shall use reasonable efforts to replace the Sub-processor.
6.3. Where Sendios engages a Sub-processor for carrying out specific processing activities on behalf of Data Controller, the same data protection obligations as set out in this DPA shall be imposed on the Sub-processor by way of a written contract. The Sub-processor in particular shall provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Privacy Law.

7.1. Sendios shall assist Data Controller in fulfilling its obligations concerning the requests to exercise Data Subject rights under the GDPR and the Applicable Privacy Law.
7.2. Sendios shall promptly transfer to Data Controller any request received from the Data Subjects and shall inform the Data Subjects that they can direct their requests directly to Data Controller. Sendios will only handle the requests of the Data Subjects according to the Data Controller’s instructions.

8.1. Sendios shall notify Data Controller of a Data Breach without undue delay. The notification shall include:
8.1.1. Description of the Data Breach, including, if possible, the categories of data and records concerned, the category and number of Data Subjects affected;
8.1.2. Likely consequences of the Data Breach;
8.1.3. Measures taken or proposed to address and/or mitigate the effects of the Data Breach.
8.2. Sendios shall, without undue delay, take all urgent measures as are agreed by the Parties or necessary under the Applicable Privacy Law, to investigate, mitigate and remedy the Data Breach and to protect the Personal Data.
8.3. Parties need the prior approval of the other Party to include and identify them in the breach notifications. Parties should not delay or withhold the approval without a reasonable cause.

9.1. Upon request, Sendios shall assist Data Controller to comply with its obligations under the Applicable Privacy Law when related to the processing of the Personal Data, including but not limited to:
9.1.1. Data Breaches;
9.1.2. Data Protection Impact Assessments;
9.1.3. Consultations with the Data Protection Authority;
9.1.4. Enquiries, complaints, audits, or claims from any court, government official, Data Protection Authority, third parties or individuals (including but not limited to the Data Subjects).
9.2. Sendios shall make available to Data Controller all information necessary to comply with its obligations under the DPA and the Applicable Privacy Law.
9.3. Sendios shall notify Data Controller of any requirements from an official authority as soon as possible.

10.1. Upon prior notice and no more than once a year, Data Controller has the right to conduct an audit to verify the compliance of Sendios with the DPA.
10.2. Sendios shall make available to Data Controller documentation necessary to demonstrate compliance with this DPA and Applicable Privacy Law, in particular, to provide information about appropriate technical and organizational measures that have been implemented. Such documentation can be a current attestation, reports or expert reports from independent bodies (auditors, DPO, accountant), certifications from an IT security or data protection audit, or a certification approved by the Data Protection Authority.
10.2.1. Data Controller can do more than one yearly audit in case of a Data Breach or a security incident.
10.2.2. Data Controller shall schedule the audit with Sendios at least 2 weeks in advance.
10.2.3. Both Parties shall agree upon the scope, the timing, and the duration of the audit.
10.3. The audit might be carried out by Data Controller directly or by a third-party auditor appointed by Data Controller.
10.4. Sendios has the right to object to the use of a particular third-party auditor if it could be considered a competitor of Sendios.

11.1. Sendios shall maintain a record of all categories of processing activities carried out on behalf of Data Controller. The records shall be in writing, including in electronic form.

12.1. Upon termination of this DPA, Sendios shall promptly return or irrevocably delete or remove the Personal Data, unless storage of the Personal Data is required by law.
12.2. Sendios may retain Personal Data to the extent required by Applicable Law and only to the extent and for such period as required by Applicable Privacy Law and always provided that Sendios shall ensure the confidentiality of such Personal Data and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Privacy Law requiring its storage and for no other purpose.

13.1. The Parties agree that when the transfer of Personal Data from Data Controller to Data Processor is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows: the unchanged version of the Standard Contractual Clauses shall be deemed incorporated by reference hereto and completed as follows:
13.1.1. Module Two will apply;
13.1.2. in Clause 7, the optional docking clause will apply;
13.1.3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be at least 5 (five) business days;
13.1.4. in Clause 11, the optional language will not apply;
13.1.5. in Clause 17, Option 1 will apply, and the SCC will be governed by the law of Ireland;
13.1.6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
13.1.7. Annex I of the SCC shall be deemed completed with the information set out in Annex I to this DPA;
13.1.8. Annex II of the SCC shall be deemed completed with the information set out in Annex II to this DPA.

14.1. This Clause 14 is applicable to processing of Personal Information of Consumers. The terms “Personal Information” and “Consumer” shall have the meanings stipulated in the California Consumer Privacy Act of 2018, as amended from time to time (“CCPA”).
14.2. Sendios shall not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement.
14.3. Sendios shall not retain, use, or disclose Personal Information for a commercial purpose other than providing the services specified in the Agreement.
14.4. Sendios shall not retain, use, or disclose Personal Information outside of the direct business relationship between Sendios and Data Controller.
14.5. Sendios shall refrain from selling Personal Information, as the term “sell” is defined in the CCPA.
14.6. Sendios certifies that it understands the restrictions in Clauses 14.2 – 14.5 hereof and will comply with them.

15.1. This DPA shall be effective as of the effective date of the Agreement.
15.2. This DPA will remain in force and effect so long as the Agreement remains in effect. Termination of this DPA shall not affect Parties’ accrued rights and obligations at the date of termination and the provisions of Clause 12 (Return and Deletion of Personal Data) hereof.

16.1. Any notice between the Parties shall be in writing to the respective Party’s address or email.

17.1. Should any provision of this DPA be or become, either in whole or in part, void, ineffective or unenforceable, then the validity, effectiveness and enforceability of the other provisions of this DPA shall remain unaffected thereby.
17.2. Any such invalid, ineffective or unenforceable provision shall, to the extent permitted by law, be deemed replaced by such valid, effective and enforceable provision as most closely reflects the economic intent and purpose of the invalid, ineffective or unenforceable provision regarding its subject-matter, scale, time, place and scope of application.
17.3. The aforesaid rule shall apply mutatis mutandis to fill any gap that may be found to exist in this DPA.

18.1. Parties explicitly declare that this DPA and the documents referred to herein constitute the entire agreement between Parties and supersede any prior draft, agreements, undertakings, understandings, conditions and arrangements, notwithstanding any conflicting order of precedence, of any nature between the Parties, whether or not in writing, in relation to the subject-matter of this DPA.

19.1. The DPA shall be governed by law as stipulated in the Agreement.
19.2. The Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.

20.1. In the case of conflict or ambiguity between:
20.1.1. any provision of the DPA and any provision of the Agreement, the provisions of the DPA shall prevail;
20.1.2. any provision contained in the body of this Agreement and any provision contained in the Schedules, the provisions in the body of this Agreement shall prevail;
20.1.3. any provision of this Agreement and any executed SCC, the provisions of the executed SCC shall prevail.

Schedule A – Details of Personal Data Processing
This Schedule includes certain details of processing of Personal Data by Sendios as required by Applicable Privacy Law.

Schedule B - Technical and Organizational Security Measures

Measures for: pseudonymization and encryption of personal data
Measures taken: Suitable measures have been implemented to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during transmission. This is accomplished by:
· use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels.

Measures for: ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Measures taken: Suitable measures have been implemented to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. This is accomplished by:
· continuous monitoring of infrastructure security using Prometheus and Zabbix;
· organizing work through the internal network, with access to all services provided via a closed VPN connection;
· constant monitoring of the infrastructure perimeter and timely checking of the internal software components of servers for vulnerabilities and version updates (via Nessus);
· conducting penetration tests semi-annually;
· logging access to host servers, applications, databases, routers, switches, etc. with Graylog.

Measures for: ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
Measures taken: Suitable measures have been implemented to ensure that data is protected from accidental destruction or loss. This is accomplished by:
· global and redundant infrastructure that is set up with disaster recovery;
· service level agreements from ISPs to ensure a high level of uptime;
· rapid failover capability.

Measures for: processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Measures taken: Periodic testing of products and relevant processes with respect to data protection has been implemented. Regular penetration tests and audits are held to ensure security.

Measures for: user identification and authorization
Measures taken: Not applicable due to the specifics of the services provided.

Measures for: protection of data during transmission
Measures taken: Encryption is used during data transmission.

Measures for: protection of data during storage
Measures taken: All customer data, including personal data, is stored in the primary and backup storage of our cloud infrastructure (OVH). The data can be accessed only from the internal network.

Measures for: ensuring physical security of locations at which personal data are processed
Measures taken: Databases are located in cloud infrastructure (OVH), i.e. without direct physical access. The server is configured with iptables in such a way that a connection to the server may be established only from the internal Sendios network.

Measures for: ensuring events logging
Measures taken: Logging and alerting controls are implemented with Graylog and Alertmanager.

Measures for: ensuring system configuration, including default configuration
Measures taken: Baseline systems are selected with a hardened security configuration, such as remote access restricted to SSH only, disabled remote root login, a reduced number of non-critical packages, kernel live patching, and automatic installation of important security updates during initial boot. Baseline systems with hardened security configuration and vulnerability fixes are used in the production environment.

Measures for: internal IT and IT security governance and management
Measures taken: Regular weekly meetings are organized with the Security team. A weekly sync meeting is held with the Security team and CISO to:
· improve product security;
· implement or improve component security;
· implement new security policies.

Measures for: certification/assurance of processes and products
Measures taken:

Measures for: ensuring data minimization
Measures taken: Only the personal information necessary for the purposes of providing the services is collected. No personal information is used for purposes other than those identified in the DPA and the Services Agreement, and it is retained only for as long as is necessary to fulfil such purposes.

Measures for: ensuring data quality
Measures taken: The Controller can request alteration or deletion of end-user data.

Measures for: ensuring limited data retention
Measures taken: Personal data is retained as per the contractual terms agreed with the customers and as required by law.

Measures for: ensuring accountability
Measures taken: Personal data is unique, mapped to individuals (clients), and not shared between users. Events and audit trails related to platform and system access are logged, monitored, and reviewed periodically.

Measures for: allowing data portability and ensuring erasure
Measures taken: Personal data is retained as per the contractual terms agreed with the customers and as required by law.
· Personal data records are removed through a secure data deletion process that irreversibly destroys the data.
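As an added example (not part of the Sendios DPA and not a description of Sendios' own tooling), the following POSIX shell audit checks the "disabled remote root login" item of the hardened baseline in Schedule B against an sshd_config, applying sshd's own parsing rules (case-insensitive keywords, first occurrence wins, comments ignored, everything after a Match line is conditional). The two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "remote root login disabled"
# baseline item. Sample configs below are constructed, not taken from any
# real system.

# sshd_global_value KEYWORD < sshd_config
# Prints the effective global value of KEYWORD: keywords are matched
# case-insensitively, the first occurrence wins (as in sshd), comment and
# blank lines are skipped, and parsing stops at the first "Match" line
# because anything after it is conditional rather than global.
sshd_global_value() {
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  ws="$(printf ' \t')"
  while IFS="$ws" read -r k v _; do
    case "$k" in ''|'#'*) continue ;; esac
    k=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
    [ "$k" = match ] && return 0
    if [ "$k" = "$key" ]; then printf '%s\n' "$v"; return 0; fi
  done
  return 0
}

# check_root_login < sshd_config
# Returns 0 only when PermitRootLogin is explicitly "no". An unset keyword
# fails as well: the compiled-in default (prohibit-password) still permits
# key-based root logins, which the baseline does not allow.
check_root_login() {
  value=$(sshd_global_value PermitRootLogin | tr 'A-Z' 'a-z')
  case "$value" in
    no) return 0 ;;
    '') echo "FAIL: PermitRootLogin not set; default prohibit-password still allows key-based root login" >&2
        return 1 ;;
    *)  echo "FAIL: PermitRootLogin is '$value'; baseline requires 'no'" >&2
        return 1 ;;
  esac
}

# Constructed sample: a typical distribution default (root login not disabled).
WEAK_CONFIG='# constructed sample
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
'

# Constructed sample: meets the baseline; the lowercase keyword and the
# trailing Match block show that the parser handles both correctly.
HARDENED_CONFIG='# constructed sample
Port 22
permitrootlogin No
Match Address 192.0.2.0/24
    PasswordAuthentication yes
'

printf '%s\n' "$HARDENED_CONFIG" | check_root_login && echo "hardened sample: PASS"
printf '%s\n' "$WEAK_CONFIG" | check_root_login || echo "weak sample: FAIL (expected)"
```

Run it against a real file with `check_root_login < /etc/ssh/sshd_config`; the Match-block handling means settings that only apply to specific addresses or users are deliberately left out of the global verdict.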