Data Processing Agreement
Last updated: April 15, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SENTD ("we," "our," or "us") and the customer ("Customer," "you," or "your"). This DPA applies when SENTD processes personal data on behalf of Customer in connection with the provision of our email API platform (the "Service").
This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP).
2. Definitions
- "Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to a Data Subject that is processed by SENTD on behalf of Customer through the Service.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Sub-processor" means a third party engaged by SENTD to process Personal Data on behalf of Customer.
- "Standard Contractual Clauses (SCCs)" means the contractual clauses adopted by the European Commission for the transfer of Personal Data to processors established in third countries.
3. Scope of Processing
In the course of providing the Service, SENTD processes the following categories of Personal Data on behalf of Customer:
- Email addresses: To, From, CC, BCC, and Reply-To addresses
- Email content: Subject lines and body content (HTML and plain text)
- Metadata: IP addresses, user agent strings, and timestamps
- Tracking data: Email opens and link clicks (when tracking is enabled)
The purpose of processing is limited to: email delivery, delivery analytics, and abuse prevention.
4. Roles
For the purposes of this DPA and applicable data protection laws:
- Customer is the Controller. Customer determines the purposes and means of processing Personal Data transmitted through the Service.
- SENTD is the Processor. SENTD processes Personal Data solely on behalf of Customer and in accordance with Customer's documented instructions.
SENTD only processes Personal Data in accordance with Customer's instructions as provided through the API and Service configuration. SENTD will not process Personal Data for any other purpose.
5. Customer Obligations
Customer agrees to the following obligations:
- Ensure that a lawful basis exists for the processing of Personal Data transmitted through the Service (e.g., consent, legitimate interest, or contractual necessity)
- Provide appropriate notices to Data Subjects regarding the processing of their Personal Data, including the use of SENTD as a Processor
- Ensure the accuracy and quality of Personal Data provided to SENTD
- Comply with all applicable data protection laws in connection with Customer's use of the Service
- Not transmit any special categories of Personal Data (e.g., health data, biometric data) through the Service unless expressly agreed in writing
6. SENTD Obligations
SENTD agrees to the following obligations as Processor:
- Process Personal Data only on the basis of documented instructions from Customer, unless required by applicable law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures as described in Section 8 of this DPA
- Assist Customer in responding to Data Subject requests to exercise their rights under applicable data protection laws (e.g., access, rectification, erasure, portability)
- Assist Customer in ensuring compliance with obligations related to security of processing, data breach notification, and data protection impact assessments
- At Customer's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by applicable law
- Make available to Customer all information necessary to demonstrate compliance with the obligations set out in this DPA
7. Sub-processors
Customer authorizes SENTD to engage the following Sub-processors to assist in providing the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS SES) | Email delivery | United States |
| Twilio SendGrid | Email delivery | United States |
| Resend | Email delivery | United States |
| Supabase | Database hosting | United States |
| Vercel | Application hosting | United States |
| Upstash | Redis caching | United States |
SENTD will notify Customer at least 30 days before adding or replacing any Sub-processor. Customer may object to a new Sub-processor within 14 days of receiving notice. If Customer objects and SENTD cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service.
8. Security Measures
SENTD implements and maintains the following technical and organizational security measures to protect Personal Data:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest for stored Personal Data
- API key authentication with scoped permissions
- Rate limiting to prevent abuse and unauthorized access
- IP allowlisting for restricted API access
- Comprehensive audit logging of data access and processing activities
- Constant-time comparison for authentication to prevent timing attacks
- Automated vulnerability scanning and dependency monitoring
For additional details on our security practices, see our Security page.
9. Data Breach Notification
SENTD will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer's Personal Data. The notification will include:
- The nature of the personal data breach
- The categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- The measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
SENTD will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each personal data breach.
10. Data Retention and Deletion
SENTD retains Personal Data in accordance with the following schedule:
- Email metadata: Retained in accordance with the retention policy described in our Privacy Policy
- Email content: Purged within 90 days of delivery or final delivery attempt
- On contract termination: Customer data deleted within 30 days upon written request, or automatically within 90 days of termination
- Backup copies: Deleted within 180 days of primary data deletion
SENTD may retain Personal Data beyond these periods only where required by applicable law, in which case SENTD will isolate and protect such data from further processing.
11. International Transfers
SENTD processes Personal Data in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, SENTD relies on the Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
Customer's use of the Service constitutes an instruction to SENTD to transfer Personal Data as necessary for the provision of the Service. SENTD will ensure that any onward transfers to Sub-processors are subject to equivalent data protection obligations.
12. Audit Rights
Customer may request information reasonably necessary to demonstrate SENTD's compliance with this DPA. SENTD will:
- Make available relevant audit reports, certifications, or summaries of independent security assessments upon reasonable request
- Permit on-site audits by mutual written agreement, with at least 30 days' prior notice, no more than once per calendar year, during normal business hours, and subject to reasonable confidentiality obligations
- Cooperate with Customer's reasonable audit requests and provide timely responses to inquiries regarding data processing practices
13. Term and Termination
This DPA is effective for the duration of the Terms of Service between SENTD and Customer. Upon termination of the Terms of Service:
- SENTD's obligations regarding data deletion as set out in Section 10 will apply
- Provisions of this DPA that by their nature should survive termination – including confidentiality, data deletion, audit rights, and liability – will survive termination
- SENTD will cease all processing of Customer's Personal Data except as necessary for deletion or as required by applicable law
14. Contact
For questions or requests related to this Data Processing Agreement, please contact us at dpa@sentd.io.