Data Processing Agreement
This DPA governs Sendra’s processing of personal data about your recipients, whose data you upload and to whom you send as the controller. It forms part of the Terms of Service.
Last updated: June 12, 2026
This Data Processing Agreement (“DPA”) is entered into between BZG Apps LLC. (“Sendra,” “Processor”) and the customer that accepts the Terms of Service (“Customer,” “Controller”), and forms part of those Terms. It applies where Sendra processes Personal Data on the Customer’s behalf in connection with the Service. Where there is a conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA controls.
1. Definitions
“Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in Applicable Data Protection Law. “Applicable Data Protection Law” means data-protection and privacy laws applicable to a party’s processing, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the CPRA (“CCPA”). “Customer Personal Data” means Personal Data within the Contact Data and Customer Content that Sendra processes on the Customer’s behalf.
2. Roles & scope of processing
The Customer is the controller and Sendra is the processor of Customer Personal Data (where the Customer is itself a processor, Sendra is a sub-processor). Sendra will process Customer Personal Data only on the Customer’s documented instructions — including those set out in this DPA, the Terms, and the Customer’s configuration and use of the Service — except where required by law (in which case Sendra will, where permitted, inform the Customer first). The details of processing are set out in Annex I.
3. Customer obligations & warranties
The Customer is responsible for the lawfulness of Customer Personal Data and of its instructions. The Customer represents and warrants that it has a valid legal basis and all necessary consents and notices to collect the Contact Data, to send the Customer Content to data subjects, and to authorize Sendra’s processing. The Customer’s instructions must not cause Sendra to violate Applicable Data Protection Law.
4. Confidentiality
Sendra ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as necessary to provide the Service.
5. Security
Sendra implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing.
6. Sub-processors
The Customer authorizes Sendra to engage the sub-processors listed in Annex III to process Customer Personal Data. Sendra imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for its sub-processors’ performance. Sendra will give the Customer notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds.
7. International transfers
Where Sendra transfers Customer Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the applicable Standard Contractual Clauses (and the UK International Data Transfer Addendum, where relevant) apply and are incorporated by reference.
8. Data subject rights & assistance
Taking into account the nature of the processing, Sendra will provide reasonable assistance — including through the Service’s features (such as the preference center, data export, and deletion tools) — to help the Customer respond to data-subject requests and meet its obligations regarding security, breach notification, data-protection impact assessments, and prior consultation. If Sendra receives a data-subject request directly, it will, where lawful, direct the data subject to the Customer.
9. Personal data breach
Sendra will notify the Customer after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its notification obligations.
10. Return & deletion
On termination of the Service, Sendra will, at the Customer’s choice, delete customer data and delete existing copies within a commercially reasonable period (consistent with the export window described in the Terms), except to the extent retention is required by law.
11. Audits
Sendra will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality, frequency, scope, and notice conditions.
12. CCPA terms
To the extent the CCPA applies, Sendra acts as a service provider. Sendra will not sell or share Customer Personal Data, will not retain, use, or disclose it except as necessary to provide the Service or as permitted by the CCPA, and will not combine it with personal information from other sources except as the CCPA allows. Sendra certifies that it understands and will comply with these restrictions.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
Annex I — Details of processing
- Subject matter & duration: Sendra’s provision of the Service to the Customer for the duration of the Terms.
- Nature & purpose: hosting, storing, transmitting, and analyzing Customer Personal Data to enable the Customer to manage contacts and send email through the Customer’s own Amazon SES account.
- Categories of data subjects: the Customer’s contacts, subscribers, and email recipients.
- Types of Personal Data: email address; name; custom fields and attributes the Customer collects; list/segment membership; engagement data (opens, clicks, bounces, complaints, unsubscribes); consent metadata (such as consent timestamp, source, IP address, and user agent); and IP addresses captured through forms.
- Special categories: not intended; the Customer should not upload special-category data unless it has a valid legal basis and has so configured its use.
Annex II — Technical & organizational measures
- encryption of sensitive credentials (including AWS/Amazon SES credentials) at rest using AES-256-GCM;
- encryption of data in transit using TLS;
- logical tenant isolation so each workspace’s data is segregated;
- role-based access controls and least-privilege access for personnel;
- authentication, including hashed credential storage;
- logging, monitoring, and backup practices; and
- verification of inbound webhooks (for example, Amazon SES feedback) and tenant scoping.
Annex III — Authorized sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting and Amazon SES email delivery | United States / Customer-selected region |
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Railway Corp. | Application hosting | United States |
| PostHog, Inc. | Product analytics | United States / EU (region-dependent) |
| Google LLC (Google Analytics) | Website and product analytics | United States |
| Aptabase | Privacy-friendly analytics | United States / EU (region-dependent) |