Sent, Inc. Data Processing Addendum: Sub-Processors
Last updated: September 1, 2025
The following third-party sub-processors are engaged by Sent, Inc. to assist in fulfilling our obligations with respect to the processing of personal data under our Data Processing Addendum (DPA). All sub-processors are bound by data protection terms that provide at least the same level of protection for personal data as outlined in our DPA.
Hetzner Cloud
Purpose
Cloud hosting (compute, storage, backups) for production workloads.
Data Processed
Customer content (as stored/transmitted via Sent.dm), account data, and usage logs (IPs, request metadata).
Location(s)
US/EU — confirm exact regions used
Safeguards
Regional hosting, DPA in place, and no cross-border transfer unless configured.
Zendesk, Inc.
Purpose
Customer support/ticketing and helpdesk.
Data Processed
Contact details, ticket content and attachments, and limited diagnostic context.
Location(s)
US/EU — confirm EEA data hosting setting
Safeguards
DPA + SCCs and role-based access controls.
Google Workspace (Google LLC)
Purpose
Business email/docs used for customer communications and artifact exchange (e.g., support attachments, contracts).
Data Processed
Contact details, support communications, and applicable attachments.
Location(s)
US/EU — confirm data region controls
Safeguards
DPA + SCCs, admin security controls, and retention per Workspace policies.
Cloudflare, Inc.
Purpose
CDN, DDoS protection, edge caching, and WAF.
Data Processed
IP addresses, request/response metadata, and security logs.
Location(s)
Global edge network (primary US/EU).
Safeguards
DPA + SCCs and security & privacy features enabled (WAF, bot management).
OpenAI
Purpose
LLM inference powering product features.
Data Processed
User prompts/inputs, model outputs, and limited metadata.
Location(s)
US/EU as configured — confirm region/routing
Safeguards
Vendor DPA + SCCs. Training disabled on our data and retention minimized — confirm settings in prod.
Stripe, Inc.
Purpose
Payment processing & invoicing (we do not store raw card data).
Data Processed
Billing contact details and transaction metadata.
Location(s)
US/EU
Safeguards
PCI-DSS compliant, DPA + SCCs, and restricted data access.
PostHog
Purpose
Product analytics for feature usage and funnels.
Data Processed
Pseudonymous user IDs and event/usage data (no sensitive fields by design).
Location(s)
PostHog Cloud EU vs self-hosted? — confirm
Safeguards
DPA + SCCs (if Cloud) and IP redaction & privacy controls enabled — confirm configuration.
Resend, Inc.
Purpose
Transactional email delivery (e.g., verification, notifications, alerts).
Data Processed
Recipient email addresses, message metadata (timestamps, status), template variables, and message body content for delivery.
Location(s)
US/EU regions as configured — confirm region/routing
Safeguards
DPA + SCCs, domain authentication (SPF/DKIM/DMARC), suppression lists, and webhook signing — confirm retention/window.
Telnyx
Purpose
SMS/voice delivery for notifications/OTP and service alerts.
Data Processed
Phone numbers, message content (OTP/alerts), and delivery metadata (timestamps, status).
Location(s)
US/EU — confirm messaging routes/regions
Safeguards
DPA + SCCs, sender ID/consent management, and template controls for OTP.
Meta (WhatsApp Business / Messaging)
Purpose
Customer messaging via WhatsApp (and/or Messenger) for support/notifications — only if enabled.
Data Processed
Phone numbers, message content, media attachments, and delivery metadata.
Location(s)
Global (incl. US/EU) — confirm data residency/routing options
Safeguards
DPA + SCCs and WhatsApp Business terms and template approval — confirm enabled channels.
Additional Information
Sent, Inc. regularly reviews and updates the list of sub-processors to ensure compliance with data protection obligations. We will notify customers of any changes to this list at least 30 days in advance in accordance with Section 2.7 of our Data Processing Addendum.
All sub-processors listed above have executed data protection agreements with Sent that include Standard Contractual Clauses (SCCs) where applicable for international data transfers. We remain responsible for any acts or omissions of our sub-processors that cause us to breach any obligations under our DPA.
For more information about how we process personal data and our commitments to data protection, please review our Data Processing Addendum.