Data Processing Agreement
Our commitments as your processor.
This DPA supplements our Terms for customers in regulated jurisdictions. It is legally binding and auto-applies to every paid workspace.
Last updated · April 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and send0, Inc. (“Processor”) and applies to Personal Data processed through the Services. Capitalized terms have the meanings given to them in GDPR (EU 2016/679) and UK GDPR, unless defined below.
Overview
send0 processes Personal Data solely to provide the Services to you. You remain the Controller of your end users' Personal Data. send0 acts as a Processor, and in some cases a Sub-processor, for that Personal Data.
Scope of processing
Categories of data: recipient contact information (email, phone number), message content, delivery metadata, IP addresses, and API usage telemetry.
Categories of data subjects: your end users, your employees, and the recipients you message through the Services.
Purpose: to deliver messages, generate delivery analytics, and operate the Services as described in the Terms.
Our security measures
We implement appropriate technical and organizational measures, including TLS 1.3 in transit, AES-256 at rest, role-based access, enforced MFA for human operators, audit logging, and routine penetration testing. Full detail is available on the Security page.
Sub-processors
A current list of sub-processors is published on the Security page. We notify workspace admins at least 30 days before adding or replacing a sub-processor. You may object for reasonable cause.
Every sub-processor is bound by terms at least as protective as those in this DPA.
Data subject rights
We assist you in responding to data subject requests (access, rectification, erasure, portability, restriction). The dashboard exposes the main flows; for edge cases, email dpa@send0.dev — we respond within 5 business days.
International transfers
Where Personal Data is transferred out of the EEA or UK, we rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum. Our current processing regions are AWS us-east-1 and eu-west-1.
Breach notification
We notify you without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data breach affecting your data, including the nature of the breach, the categories and approximate number of records, and the remediation steps we're taking.
Return and deletion
On termination, we return or delete Personal Data we hold on your behalf within 30 days, except where retention is required by law. Encrypted backups are purged within 90 days.
Audits
On reasonable notice, we provide information necessary to demonstrate compliance with this DPA, including current audit reports where available (SOC 2 once complete) and documentation of our controls.
DPA questions or execution requests? Email dpa@send0.dev. An executable version is available on request for procurement.