Last Updated: May 20, 2026
Effective Date: Immediately
Applies To:
- https://www.sendarix.com
- https://app.sendarix.com (Client Dashboard)
- All SMTP endpoints, Email API endpoints, dashboards, webhooks, analytics, suppression, tracking, DNS/reputation tooling, domain authentication, support, billing, security monitoring, abuse prevention, and related services
This DPA forms part of the agreement between Sendarix and Customer where Sendarix processes Customer Personal Data as processor or service provider. It supplements the Terms of Service and Privacy Policy.
This legal document is provided in English. If translations or localized summaries are made available, the English version controls to the maximum extent permitted by law.
1. Introduction and incorporation
This Data Processing Agreement (“DPA”) applies when Sendarix processes Customer Personal Data on behalf of Customer through the Service. It is incorporated into and forms part of the agreement governing Customer’s use of Sendarix, including the Terms, any applicable checkout terms, order form, dashboard settings, Documentation, and the Acceptable Use Policy.
For Customer Personal Data processed by Sendarix as processor or service provider, this DPA prevails over conflicting terms in the Terms or Privacy Policy only for the subject matter covered by this DPA. For data Sendarix processes as controller or business for its own purposes, the Privacy Policy applies.
Customer’s use of the Service to submit, transmit, upload, configure, store, or otherwise make Customer Personal Data available to Sendarix constitutes Customer’s documented instruction to process that data as described in this DPA, the Terms, the AUP, the Documentation, dashboard settings, support requests, and applicable order or checkout terms.
2. Definitions
- “Applicable Data Protection Laws” means privacy, data protection, data security, and electronic communications laws that apply to processing under this DPA, including GDPR, UK GDPR, Swiss data protection law, and applicable U.S. state privacy laws where relevant.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given by Applicable Data Protection Laws.
- “Customer” means the person or entity that registers for, pays for, configures, or uses the Service and determines the purposes and means of processing Customer Personal Data.
- “Customer Content” means email messages, templates, subject lines, headers, attachments, sender identities, recipient lists, suppression records, webhook payloads, and other materials or instructions submitted to or transmitted through the Service.
- “Customer Personal Data” means Personal Data processed by Sendarix on behalf of Customer through the Service, including recipient data, Customer Content containing Personal Data, message metadata, suppression data, webhook data, and support data submitted by Customer.
- “Documented Instructions” or “Customer Instructions” means Customer’s instructions through dashboard configuration, SMTP/API submissions, templates, recipient uploads, suppression settings, webhooks, support requests, written instructions accepted by Sendarix, the Terms, AUP, Documentation, and this DPA.
- “SCCs” means the European Commission Standard Contractual Clauses for international transfers of personal data, as updated or replaced from time to time.
- “Service” means Sendarix email infrastructure and related services, including SMTP relay, Email API, dashboards, logs, analytics, webhooks, suppression lists, tracking, DNS guidance, domain authentication, deliverability and reputation tooling, billing, support, security monitoring, and abuse prevention.
- “Subprocessor” means a third party engaged by Sendarix to process Customer Personal Data in support of the Service.
- “TOMs” means technical and organizational measures designed to protect Customer Personal Data, as described in Annex B.
- “UK Addendum/IDTA” means the UK International Data Transfer Addendum or International Data Transfer Agreement, as applicable.
- “Aggregated or De-identified Data” means data derived from use of the Service that does not identify Customer, users, recipients, or other Data Subjects.
3. Scope, roles, and relationship to other terms
Customer is the Controller, business, or otherwise responsible party for Customer Personal Data. Sendarix is Processor, service provider, or contractor only for Customer Personal Data processed on Customer’s behalf through the Service.
Sendarix does not determine whether Customer’s campaigns, lists, recipient targeting, legal basis, notices, tracking, sender identity, or Customer Content are lawful. Customer remains responsible for obtaining and maintaining all rights, consents, notices, permissions, lawful bases, opt-out mechanisms, and records required for Customer’s use of the Service.
Sendarix may process account, billing, fraud, abuse, security, legal compliance, product telemetry, website analytics, service improvement, Aggregated or De-identified Data, and operational Service Data as controller or business as described in the Privacy Policy. The AUP controls acceptable use, abuse, and enforcement.
Customer must not submit data that Customer is not legally permitted to process or instruct Sendarix to process, and must not use the Service for prohibited or high-risk campaigns or data processing under the AUP.
4. Customer instructions
Sendarix will process Customer Personal Data only on Documented Instructions unless required by law. Instructions include Customer’s configuration and use of the dashboard, SMTP/API submissions, templates, recipient uploads, suppression settings, webhooks, support requests, and written instructions accepted by Sendarix.
Instructions outside the scope of the Service, this DPA, the Terms, the AUP, or the Documentation require prior written agreement and may be subject to additional fees, security review, technical limits, or refusal.
If Sendarix reasonably believes an instruction violates Applicable Data Protection Laws, the Terms, the AUP, technical limits, security requirements, platform integrity, or third-party rights, Sendarix may notify Customer where permitted and may refuse, suspend, limit, or stop the relevant processing.
5. Customer obligations
- Comply with Applicable Data Protection Laws and all laws applicable to Customer’s campaigns, recipients, content, tracking, and sending instructions
- Provide required privacy notices, obtain required consents or other lawful bases, and maintain records of list source, permission, opt-outs, and suppression handling
- Ensure Customer Personal Data is accurate, necessary, lawful, limited to the agreed use, and not excessive for the Service
- Configure the Service lawfully, including webhooks, analytics, tracking, suppressions, unsubscribe flows, sender domains, authentication, and integrations
- Honor Data Subject rights, unsubscribes, opt-outs, complaints, bounces, suppression records, and mailbox-provider feedback
- Avoid submitting sensitive or prohibited data unless expressly agreed, lawful, necessary, and protected by appropriate safeguards
- Protect API keys, SMTP credentials, passwords, administrator accounts, subuser accounts, webhook endpoints, and connected systems
- Ensure Customer’s users, affiliates, agencies, clients, resellers, and third-party senders comply with this DPA, the Terms, and the AUP
- Respond promptly to Sendarix requests reasonably needed for compliance, security, abuse investigation, deliverability protection, or legal process
- Not instruct Sendarix to process Customer Personal Data unlawfully or in a manner that infringes Data Subject rights
6. Sendarix processor obligations
- Process Customer Personal Data only on Documented Instructions unless required by law
- Ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations
- Implement appropriate TOMs taking into account the nature of processing, state of the art, implementation costs, and risks to Data Subjects
- Assist Customer with Data Subject requests, security obligations, DPIAs, and prior consultations, taking into account the nature of processing and information available to Sendarix
- Notify Customer of Personal Data Breaches affecting Customer Personal Data without undue delay after becoming aware, as described in Section 12
- Impose data protection obligations on Subprocessors that are materially equivalent to this DPA
- Delete or return Customer Personal Data at the end of processing subject to Section 13 and applicable retention carveouts
- Make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, legal, and operational limitations
7. Confidentiality
Sendarix will ensure that personnel and Subprocessors with access to Customer Personal Data are subject to confidentiality obligations or professional or statutory duties of confidentiality.
Customer must keep non-public security, audit, Subprocessor, transfer, and compliance documentation received from Sendarix confidential and may use it only to assess compliance, security, procurement, or legal obligations related to the Service.
8. Security measures
Sendarix will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. The TOMs are summarized in Annex B and may evolve over time, provided Sendarix does not materially reduce overall protection for Customer Personal Data.
Security measures are risk-based and depend on the nature of the Service, Customer configuration, Customer’s systems, third-party integrations, mailbox providers, and Subprocessors. Customer is responsible for securing its own accounts, endpoints, credentials, webhooks, applications, DNS, and recipient-facing processes.
9. Subprocessors
Customer grants Sendarix general written authorization to engage Subprocessors to provide, secure, monitor, support, bill, and improve the Service. Categories may include hosting, cloud, storage, DNS, CDN/security, email transport and infrastructure, monitoring, error logging, analytics, support/helpdesk, payment processing, fraud/abuse/security tooling, and professional service providers.
Sendarix will enter into written agreements with Subprocessors imposing data protection obligations materially equivalent to this DPA and remains responsible for Subprocessors’ processing of Customer Personal Data to the extent required by Applicable Data Protection Laws.
Sendarix will make a list of Subprocessors or Subprocessor categories available in the DPA, dashboard, website, or upon request. Sendarix does not currently publish a separate vendor-specific Subprocessor URL in this DPA.
Where practicable, Sendarix will provide notice of material new Subprocessors by website, dashboard, email, or another reasonable method. Customer may object on reasonable data-protection grounds within the period stated in the notice. If the objection cannot be resolved, Customer may stop using the affected Service; this does not create refund rights beyond the Terms.
Sendarix may use emergency Subprocessors without prior notice where reasonably necessary for security, availability, abuse prevention, incident response, legal compliance, or platform integrity, with notice afterward where practicable.
10. International transfers
Customer authorizes Sendarix and Subprocessors to process and transfer Customer Personal Data in countries where Sendarix, Customer, and Subprocessors operate. Customer is responsible for determining whether its own use of the Service and transfer instructions are lawful.
Where EEA, UK, or Swiss Customer Personal Data is transferred to a country requiring transfer safeguards, the parties will use appropriate mechanisms where required and applicable, such as adequacy decisions, the SCCs, the UK Addendum/IDTA, Swiss adaptations, supplementary safeguards, or other lawful mechanisms.
Where SCCs are incorporated, Module Two generally applies where Customer is Controller and Sendarix is Processor, and Module Three may apply where Sendarix engages a Subprocessor. Annex A and Annex B of this DPA describe the processing details and TOMs for those purposes. Sendarix will provide relevant transfer information on request where required by law.
11. Data Subject requests
Customer is responsible for responding to Data Subject requests relating to Customer Personal Data. If Sendarix receives a request directly from a Data Subject relating to Customer Personal Data, Sendarix may refer the request to Customer unless legally required to respond directly.
Sendarix will provide reasonable assistance through product functionality or support channels, taking into account the nature of processing and information available. Customer may be required to verify authority, identify the relevant account, provide message IDs, recipient addresses, timestamps, or other details needed to locate data. Non-standard assistance may be subject to fees where permitted by law and the Terms.
12. Personal data breach notification
Sendarix will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. “Awareness” means Sendarix has a reasonable degree of certainty that a security incident has led to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
Notice may be sent to the account owner, administrator, security contact, privacy contact, dashboard, email address, or other contact method associated with the account. Notifications will include known information where available, such as the nature of the breach, affected data or categories, approximate number of affected Data Subjects or records if known, likely consequences if known, measures taken or proposed, and a contact point.
Sendarix may provide information in phases as investigation proceeds. Customer is responsible for regulatory and Data Subject notices unless law requires otherwise. Unsuccessful attacks, blocked attempts, pings, scans, spam, routine security events, or events not involving Customer Personal Data are not Personal Data Breaches under this DPA.
13. Deletion, return, and retention
During the term, Customer may delete or export certain Customer Personal Data through product functionality where available. Standard operational SMTP/API logs, delivery event logs, message metadata, and related operational email logs are generally retained for 30 days. This is the standard operational retention period for those logs only and does not mean all Customer Personal Data is deleted after exactly 30 days.
- Billing, tax, account, invoice, payment, and accounting records retained as required or permitted by law
- Security logs, authentication logs, fraud signals, and abuse investigation evidence
- Suppression, unsubscribe, bounce, complaint, block, and do-not-contact records needed to prevent unwanted or unlawful sending and protect recipients, mailbox providers, and platform reputation
- Operational email logs or related data retained longer where reasonably necessary for abuse prevention, security investigations, fraud, billing/tax/legal compliance, disputes, suppression/unsubscribe/bounce/complaint management, backups, legal holds, deliverability protection, or platform integrity
- Records subject to legal hold, disputes, chargebacks, regulatory inquiries, investigations, enforcement, or legal defense
- Backups retained until overwritten or deleted in the ordinary course unless earlier deletion is legally required and technically feasible
- Aggregated or De-identified Data
- Data Sendarix processes as controller or business under the Privacy Policy
Sendarix is not required to delete data needed to protect recipients, mailbox providers, other customers, Sendarix-owned or managed infrastructure, deliverability, security, abuse prevention, legal compliance, or platform integrity.
14. Audits and compliance information
Sendarix may satisfy audit and information obligations by providing security summaries, TOMs, Subprocessor information, transfer information, certifications or reports if available, questionnaires, or other reasonable documentation.
Customer audits must be reasonable, no more than once annually unless a verified Personal Data Breach affecting Customer Personal Data or a legal requirement justifies more, under confidentiality, during business hours, with prior written notice, limited to relevant processing, and conducted without accessing other customers’ data, disrupting the Service, or creating security risk.
On-site, intrusive, or non-standard audits require prior written agreement on scope, timing, personnel, tools, confidentiality, security controls, and costs. Customer bears its own costs and may be responsible for Sendarix’s reasonable costs for non-standard audits where permitted. Sendarix may reject auditors that are competitors or present security, confidentiality, or conflict risks.
15. Legal requests
If Sendarix receives a legally binding request for Customer Personal Data, Sendarix will notify Customer where legally permitted. Sendarix may comply with valid legal process, emergency requests, security requirements, sanctions/export requirements, or requests needed to protect rights, safety, security, recipients, the Service, or platform integrity.
Sendarix may challenge requests where appropriate and lawful but does not guarantee a particular outcome. Customer remains responsible for its own legal obligations and for responding to requests directed to Customer.
16. Aggregated and de-identified data
Sendarix may create and use Aggregated or De-identified Data to operate, secure, analyze, benchmark, maintain, and improve the Service, including abuse detection, deliverability tooling, reliability, capacity planning, and product development. Sendarix will not attempt to reidentify such data except to test de-identification, investigate abuse or security issues, or as permitted by law.
17. U.S. state privacy service provider terms
Where applicable U.S. state privacy laws apply to Customer Personal Data, Sendarix acts as service provider, processor, or contractor for Customer Personal Data. Sendarix will not sell Customer Personal Data or share it for cross-context behavioral advertising as those terms are defined by applicable laws.
Sendarix will not retain, use, or disclose Customer Personal Data outside the business purposes of providing, securing, supporting, enforcing, and improving the Service, except as permitted by Applicable Data Protection Laws, this DPA, the Terms, or Customer Instructions. Sendarix may process Customer Personal Data for security, debugging, fraud and abuse prevention, internal operations, service improvement, compliance, and legal defense as permitted by law.
18. Liability
Liability arising from or related to this DPA is subject to the limitations and exclusions in the Terms unless prohibited by Applicable Data Protection Laws. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Laws.
19. Term and survival
This DPA remains effective while Sendarix processes Customer Personal Data. Termination of the Terms ends new processing of Customer Personal Data, but DPA obligations continue until deletion, return, or permitted retention is complete.
Confidentiality, deletion and retention, audit records, international transfer terms, liability, legal request provisions, and any provisions that by their nature should survive will survive termination.
20. Order of precedence
For Customer Personal Data processed by Sendarix as processor, the order of precedence is: (1) SCCs or mandatory transfer terms where applicable; (2) this DPA; (3) the Terms or Order Form; and (4) Privacy Policy, AUP, Cookie Policy, Documentation, or dashboard settings. For Sendarix controller processing, the Privacy Policy controls. For acceptable use and enforcement, the AUP controls.
21. Contact
Privacy: privacy@sendarix.com
Legal: legal@sendarix.com
Abuse/security: abuse@sendarix.com
Dashboard: app.sendarix.com for account, billing, support, and configuration controls where available.
Annex A: Processing details
| Subject matter | Provision of email infrastructure and related services, including SMTP/API transmission, queueing, routing, suppression, bounce/complaint processing, analytics, webhooks, dashboard operations, support, security, and abuse prevention. |
|---|---|
| Duration | For the term of Customer’s use of the Service and until Customer Personal Data is deleted or returned according to this DPA, Privacy Policy, product settings, backup cycles, and legal or operational retention requirements. Standard operational SMTP/API logs, delivery event logs, message metadata, and related operational email logs are generally retained for 30 days, subject to the exceptions in Section 13. |
| Nature and purpose | Transmit and relay email; process message queues and retries; handle bounces, complaints, unsubscribes, and suppressions; provide dashboards, logs, analytics, tracking, webhooks, DNS guidance, domain authentication, rate limiting, abuse detection, security monitoring, fraud prevention, support, troubleshooting, billing administration where relevant, legal compliance, and enforcement. |
| Data Subjects | Customer account users, administrators, subusers, employees, contractors, representatives, recipients of emails sent by Customer, Customer’s end users, leads, subscribers, customers, prospects, and individuals included in message content, templates, support tickets, logs, or attachments if Customer includes them. |
| Categories of Personal Data | Names; email addresses; sender and recipient identifiers; IP addresses; domains; device/browser/user-agent/request metadata; account, login, and security data; standard operational logs including SMTP/API logs, delivery event logs, message metadata, subject, headers, message IDs, timestamps, and delivery status; message body/content, template variables, and attachments where sent or stored; bounce, complaint, unsubscribe, suppression, engagement, open, click, and tracking data where enabled; webhook payload data; support ticket content; and billing contact data where processed as processor if applicable. |
| Sensitive data | The Service is not intended for special category data, children’s data, financial account data, government IDs, health data, biometric data, or highly sensitive data unless expressly agreed in writing, lawful, necessary, and covered by appropriate safeguards. Customer is responsible for ensuring unnecessary sensitive data is not submitted. |
| Frequency | Continuous or as initiated by Customer’s use of the Service. |
| Processing operations | Collect, receive, transmit, route, queue, store, host, organize, retrieve, consult, use, disclose to Subprocessors, restrict, erase, return, and otherwise process as necessary to provide, secure, support, enforce, and improve the Service in accordance with Customer Instructions. |
Annex B: Technical and organizational measures
- Access controls: role-based and least-privilege access for personnel with a need to support, secure, or operate the Service.
- Authentication and credential management: account authentication, administrative access controls, credential handling practices, and support for customer credential rotation through product functionality where available.
- Encryption and transport security: encryption in transit for supported web and API connections and appropriate storage protections for systems that store Customer Personal Data.
- Network and infrastructure security: controls designed to protect production infrastructure, segment access, monitor availability, and reduce unauthorized access risk.
- Logging and monitoring: operational, security, authentication, abuse, and delivery logging to detect anomalies, investigate incidents, support customers, and protect deliverability.
- Vulnerability and patch management: reasonable processes to identify, prioritize, and remediate security issues in systems under Sendarix control.
- Backup and recovery: backup, recovery, and continuity practices appropriate to the Service, with backup retention and deletion handled through ordinary rotation unless legal, security, or operational needs require otherwise.
- Tenant isolation and segregation: logical controls appropriate to a multi-customer email infrastructure service to separate customer accounts, credentials, and data access.
- Personnel confidentiality: confidentiality obligations and access expectations for personnel and contractors who may access Customer Personal Data.
- Incident response: processes to evaluate, respond to, mitigate, document, and notify relevant parties of security incidents where required.
- Vendor and Subprocessor review: risk-based assessment and contractual controls for Subprocessors supporting the Service.
- Change management: operational controls for material platform changes designed to protect reliability, security, and data integrity.
- Retention and minimization controls: product, operational, backup, security, billing, suppression, and abuse-retention practices designed to limit data to what is reasonably needed.
- Abuse and deliverability monitoring: automated and manual processes where appropriate to detect spam, phishing, malware, fraud, credential misuse, open relay behavior, suspicious traffic, and reputation risk.
- Administrative access controls: controls for privileged access, support actions, and access review appropriate to the role and system.
