Sent, Inc. Data Processing Addendum
Last revised Sept 1, 2025.
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Sent Online Terms of Service between you and Sent ("Agreement") and reflects the parties' agreement with respect to the Processing of Personal Data by Sent as a Processor on your behalf. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over other terms in the Agreement to the extent of such conflict or inconsistency. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will control.
1. Definitions
The terms used in this DPA shall have the meanings set forth in this DPA or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:
1.1 "Data Protection Laws"
means all applicable worldwide legislation relating to data protection and privacy which applies to the Processing of Personal Data under the Agreement, including without limitation, European Data Protection Laws and other applicable U.S. federal and state privacy laws, in each case as amended, repealed, consolidated, or replaced from time to time.
1.2 "Controller"
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.
1.3 "Data Subject"
means an identified or identifiable natural person to whom Personal Data relates.
1.4 "Europe"
means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
1.5 "European Data"
means Personal Data that is subject to the protection of European Data Protection Laws.
1.6 "European Data Protection Laws"
means Data Protection Laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded, or replaced.
1.7 "Instructions"
means the written, documented instructions issued by you to Sent, and directing Sent to perform a specific or general action with regard to Personal Data.
1.8 "Personal Data"
means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws.
1.9 "Privacy Authority"
means any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters.
1.10 "Process", "Processing" or "Processed"
means any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
1.11 "Processor"
means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
1.12 "Restricted Transfer"
means transfer of Personal Data originating from Europe to a country that does not provide an adequate level of protection within the meaning of applicable European Data Protection Laws.
1.13 "Security Breach"
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-processors in connection with the provision of the Services. "Security Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.14 "Services"
means the services as described in the Agreement or any related order form.
1.15 "Standard Contractual Clauses"
means the standard contractual clauses annexed to the European Commission's Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded, or replaced.
1.16 "Sub-processor"
means any Processor engaged by us to assist in fulfilling our obligations with respect to the Processing of Personal Data under the Agreement.
1.17 "UK Addendum"
means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.
2. Sent's Obligations
2.1 Compliance with Instructions
We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Services until such time as you issue new lawful Instructions with regard to the Processing.
2.2 Processing Restrictions
We will Process Personal Data strictly for the purpose of performing the Services under the Agreement ("Business Purpose") or as otherwise permitted by Data Protection Laws. Further, we certify that we will not (i) "Sell" or "Share" Personal Data (as those terms are defined by Data Protection Laws); (ii) Process Personal Data outside the direct business relationship between the parties, unless required by applicable law; or (iii) combine your Personal Data with Personal Data that we collect or receive from another source (other than information we receive from another source in connection with our obligations under the Agreement). You have the right to take reasonable and appropriate steps to help ensure that we use Personal Data in a manner consistent with your obligations under Data Protection Laws. Upon notice, you have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of Personal Data. The parties acknowledge and agree that the disclosure of Personal Data by you to us does not form part of any monetary or other valuable consideration exchanged between the parties.
2.3 Security and Confidentiality
We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Security Breaches, as described under Schedule B to this DPA. Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
2.4 Security Breaches
We will notify you without undue delay after we become aware of any Security Breach affecting your Personal Data and will provide timely information relating to the Security Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Security Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
2.5 Deletion or Return of Personal Data
We will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Services in accordance with the procedures set out in the Agreement. This term will apply except where we are required by applicable law to retain some or all of the Personal Data, or where we have archived Personal Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices.
2.6 Data Subject Requests
We may provide you with controls that you can use to retrieve, correct, delete, or restrict Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under Data Protection Laws ("Data Subject Requests"). To the extent that you are unable to independently address a Data Subject Request through the Services, then upon your written request, we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You will reimburse us for the commercially reasonable costs arising from this assistance. If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
2.7 Sub-processors
(a) You agree we may engage Sub-processors to Process Personal Data on your behalf. For example, we engage Sub-processors to assist us with hosting and infrastructure, and we may engage with Sub-processors to support product features and integrations. We have currently appointed, as Sub-processors, the third parties listed at sent.dm/resources/sub-processors ("Sub-processors Page"). You may subscribe to receive notifications by email if we make changes to the Sub-processors Page. If you opt in to receive such email, we will notify you at least 30 days prior to any such changes.
(b) We will give you the opportunity to object to the engagement of new Sub-processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-processor, or permit you to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination).
(c) We will impose data protection terms on our Sub-processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processors. We will remain responsible for any acts or omissions of such Sub-processors that cause us to breach any of our obligations under this DPA.
2.8 Data Transfers
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by Sent in the United States and to other jurisdictions where Sent's Sub-processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws. Sent will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures that are necessary to ensure the transfers are compliant with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
2.9 Transfer Mechanisms
Where the transfer of Personal Data between the parties involves a Restricted Transfer and European Data Protection Laws require appropriate safeguards, the parties will comply with the following:
(a) Standard Contractual Clauses. The Standard Contractual Clauses will be incorporated by reference and apply to the Restricted Transfer as follows: (i) the Module Two terms apply; (ii) in Clause 7, the optional docking clause applies; (iii) in Clause 9, Option 2 applies and changes to Sub-processors will be notified in accordance with Section 2.7 of this DPA; (iv) in Clause 11, the optional language is deleted; (v) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes will be determined in accordance with the Republic of Ireland (without reference to conflicts of law principles); (vi) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Schedules of this DPA; and (vii) the supervisory authority that will act as competent supervisory authority will be the Irish Data Protection Commission.
(b) UK Addendum. In relation to Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) of this section and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Schedules of this DPA and Table 4 will be deemed completed by selecting "neither party"; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
(c) Swiss Transfers. In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) of this section and the following modifications (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU," "Union," and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland."
(d) Alternative Transfer Mechanism. In the event that Sent is required to adopt an alternative transfer mechanism under European Data Protection Laws, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect such alternative transfer mechanism.
2.10 Cooperation and Demonstrating Compliance
To the extent that the required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities. We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, including inspections conducted by you or your auditor to assess compliance with this DPA, where required by applicable law. You acknowledge that our systems are audited annually as part of SOC 2 compliance and upon request, we will supply (on a confidential basis) our SOC 2 report and summary copies of our penetration testing report(s) to you so that you can verify our compliance with this DPA. Further, at your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year.
3. Your Obligations
3.1 Compliance with Laws
Within the scope of the Agreement and your use of the Services, you will be responsible for complying with all requirements that apply to you under Data Protection Laws with respect to your Processing of Personal Data. You acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Personal Data and the means by which you acquired such data; (ii) complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of Personal Data, including providing adequate notices, obtaining any necessary consents and authorizations, and honoring opt-out preferences (particularly for use for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) complying with all laws applicable to any messages or other content created, sent, or managed through the Services (including those relating to obtaining consents to send text and in-app messages, the content of text and in-app messages, and text message and in-app deployment practices); and (v) ensuring that your use of Personal Data complies with Data Protection Laws and is strictly limited to the purposes set out in the Agreement (including this DPA). You will inform us without undue delay if you are not able to comply with your responsibilities under this section or Data Protection Laws.
3.2 Instructions
You are responsible for ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws. The parties agree that the Agreement (including this DPA), together with your use of the Services in accordance with the Agreement, constitute your complete Instructions to us in relation to Sent's Processing of Personal Data, so long as you may provide additional instructions during the Term that are consistent with the Agreement and the nature and lawful use of the Services.
3.3 Security
You are responsible for independently determining whether the data security provided for in the Services adequately meets your obligations under Data Protection Laws. You are also responsible for your secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including to securely backup or encrypt such data).
4. General Terms
4.1 Severability
If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
4.2 Limitation of Liability
Each party's liability, taken in aggregate, arising out of or related to this DPA (including any other data processing agreements between the parties) and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Limitation of Liability section of the Agreement.
4.3 Governing Law
This DPA will be governed by and construed in accordance with the Governing Law section of the Agreement, unless required otherwise by Data Protection Laws.
Schedule A – Details of Processing
A. List of Parties
Data Exporter:
Name: "You" or "user" as defined in the Agreement.
Address: Your address as set out in the applicable order form.
Contact person's name, position, and contact details: Your contact details as set out in the applicable order form.
Activities relevant to the data transferred: Processing of Personal Data in connection with your use of the Services under the Agreement.
Role (controller/processor): Controller
Data Importer:
Name: Sent, Inc.
Address: 157 W 18th St, Fl 7, New York, NY 10011, US
Activities relevant to the data transferred: Processing of Personal Data in connection with your use of the Services under the Agreement.
Role (controller/processor): Processor
B. Description of Transfer
Categories of Data Subjects
The Data Subjects may include your employees and other users authorized by you to use the Services, as well as your prospects and customers.
Categories of Personal Data
Categories of Personal Information include identification and contact information, as well as any other Personal Data submitted by, sent to, or received by you, or your end users, via the Services. You may not use the Services to process any data classified as "special category data" unless explicitly agreed in writing.
Frequency of Transfer
Continuous
Nature of Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: storage and other Processing necessary to provide, maintain, and improve the Services provided to you; and/or disclosure in accordance with the Agreement (including this DPA).
Purpose of Transfer and Further Processing
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the applicable order form and as further instructed by you in your use of the Services.
Retention
Subject to Section 2.5 of the DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Schedule B – Security Measures
Sent will implement and maintain the security measures set out in this Schedule B. Sent reserves the right to revise these security measures at any time, without notice, so long as such revisions do not materially reduce the protection provided for Personal Data that Sent processes in the course of providing the Services.
- ●Organizational management and staff responsible for the development, implementation and maintenance of Sent's information security controls. Executive leadership is involved in reviewing and approving all security policies.
- ●Audit and risk assessment procedures for the purposes of periodic review and assessment of security risks to Sent's organization, monitoring compliance with Sent's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- ●Logical separation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data.
- ●Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
- ●User IDs and password configuration requirements have been established that are designed to prevent unauthorized access to production systems.
- ●Operational procedures and controls to provide for application deployment and change management, capacity management, and separation of development, testing and production.
- ●Incidents are handled in accordance with Sent's incident response plan. Designated personnel are responsible for managing the response process in accordance with the incident response plan, completing investigations, mitigation, and coordinating any external communications that may be necessary.
- ●Sent implements vulnerability assessment and threat protection technologies and scheduled monitoring procedures to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.