Data Processing Agreement (DPA)

Last Updated: March 20, 2026
Effective Date: Immediately
Applies To:

• https://www.sendarix.com
• https://app.sendarix.com (Client Dashboard)
• All SMTP & API Services

This DPA reflects common GDPR-style processor terms for email infrastructure. It supplements the Terms of Service when we process personal data on your behalf.

---

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Sendarix (“Processor”) and the Customer (“Controller”) and applies when Sendarix processes Personal Data on behalf of the Customer in connection with the Service.

By using the Service to transmit or otherwise process personal data about data subjects, the Customer enters into this DPA. In case of conflict between the Terms and this DPA regarding data protection, the DPA prevails for processing covered here.

---

2. Definitions

• “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach” — as defined in applicable data protection law (including GDPR where it applies).
• “Sub-processor” — a third party engaged by Sendarix to process Personal Data subject to this DPA.
• “Customer Instructions” — documented instructions from the Customer regarding Processing, including configuration and use of the Client Dashboard, APIs, SMTP submission, support tickets that direct Processing, and the Customer’s legitimate use of the Service within the Terms and AUP.

---

3. Scope & roles

The Customer is Controller of Personal Data it supplies in connection with the Service. Sendarix is Processor and will process such Personal Data only on Customer Instructions unless applicable law requires otherwise (in which case Sendarix will inform the Customer unless prohibited).

The nature, purpose, and categories of processing are described in Section 5 and Annex A (summary below).

---

4. Customer Instructions

The Customer instructs Sendarix to process Personal Data to provide, secure, and improve the email delivery Service in accordance with the Terms, this DPA, the Documentation, and the Customer’s settings in the Service. Instructions outside this scope require prior written agreement.

If Sendarix believes an instruction infringes applicable law, we may refuse or suspend the instruction and will notify the Customer where permitted.

---

5. Nature & purpose of processing (Annex A summary)

Sendarix processes Personal Data to:

• Transmit and relay email via SMTP and API
• Handle bounces, complaints, and suppressions
• Provide delivery analytics, webhooks, and dashboards
• Authenticate accounts, enforce rate limits, and detect abuse
• Provide billing and support through app.sendarix.com

Processing is limited to what is reasonably necessary for these purposes.

---

6. Types of Personal Data

Depending on use, this may include email addresses, message metadata (including subjects), sender/recipient identifiers, IP addresses, delivery and engagement events, support ticket content that contains personal data, and billing contact details.

Email content is processed transiently for routing and delivery; Sendarix does not use message bodies for unrelated marketing or profiling.

---

7. Processor obligations

• Process Personal Data only on Customer Instructions as described in Section 4
• Ensure persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational measures taking into account the state of the art, cost, and risk
• Assist the Customer with reasonable technical and organizational measures for Data Subject requests, DPIAs, and prior consultations where applicable
• Notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide information reasonably required for the Customer’s regulatory notifications
• At the end of the Service (or on request), delete or return Personal Data per Section 11, subject to legal retention

---

8. Sub-processors

The Customer authorizes Sendarix to engage Sub-processors (for example hosting, DNS, payment, transport, abuse detection, support tools) subject to written agreements that impose data protection obligations materially equivalent to this DPA.

Sendarix remains responsible for Sub-processors’ performance of their obligations. A current list is available upon request and may be published on <strong>sendarix.com</strong>. Sendarix will give reasonable notice of changes to Sub-processors where practicable; the Customer may object on reasonable data-protection grounds.

---

9. International transfers

Where Personal Data originating in the EEA, UK, or Switzerland is transferred to countries not recognized as adequate, Sendarix will implement appropriate safeguards such as the EU Commission Standard Contractual Clauses (2021), the UK International Data Transfer Addendum (IDTA) or Addendum to the EU SCCs, Swiss requirements where applicable, or other lawful transfer tools.

Upon request, Sendarix will provide information about the mechanisms relied on for specific transfers relevant to the Customer’s use.

---

10. Data Subject rights

Sendarix will assist the Customer in responding to Data Subject requests regarding Personal Data processed on the Customer’s behalf. Unless legally required, Sendarix will not respond directly to Data Subjects; the Customer should submit requests through its account or to privacy@sendarix.com with enough detail to route the request.

---

11. Retention &amp; deletion

Upon termination of the Service or expiry of the Customer relationship, Sendarix will delete or return Personal Data in accordance with the Privacy Policy and operational capabilities, except where longer retention is required by law or for legitimate security and abuse-prevention archives stated in our documentation.

Typical operational retention (subject to change with notice): SMTP/API logs 30–90 days; bounce/complaint data up to 6 months; billing records 5–10 years where legally required.

---

12. Audits

The Customer may request information reasonably necessary to confirm compliance with this DPA (for example summaries of security practices and Sub-processor lists). On-site or intrusive audits that risk Service security or availability require prior written agreement on scope, timing, and confidentiality. Costs of audits beyond reasonable assistance may be charged.

---

13. Data breach notification

Notifications will describe, to the extent known, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.

---

14. Liability

Liability for processing under this DPA is subject to the limitations in the Terms, except where mandatory law prohibits such limitations for data protection violations.

---

15. Term

This DPA remains in effect for the duration of Processing and until Personal Data has been returned or deleted in line with Section 11.

---

16. Governing terms

Where GDPR applies, the parties acknowledge that this DPA includes the substance required of Article 28. For other laws, analogous obligations apply to the extent required.

---

17. Contact

privacy@sendarix.com · legal@sendarix.com