Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (“Customer”) and SendMailr LLC (“SendMailr”), and applies to SendMailr’s processing of personal information on Customer’s behalf as part of the Services. In the event of conflict, this DPA controls with respect to the matters it addresses.

1. Definitions

Applicable Privacy Law means data-protection and privacy laws applicable to a party’s processing of Personal Information under this DPA, including the CCPA / CPRA, comparable state laws (VA, CO, CT, UT, TX, OR, FL, and others as enacted), and, where applicable, the GDPR and UK GDPR.
Personal Information means information relating to an identified or identifiable natural person that Customer uploads to or instructs SendMailr to process through the Services, including recipient names and mailing addresses (“Recipient Data”).
Controller / Business means the party that determines the purposes and means of processing.
Processor / Service Provider means the party that processes Personal Information on behalf of, and on the documented instructions of, the Controller / Business.
Sub-processor means a third party engaged by SendMailr to process Personal Information on its behalf.
Data Subject means the individual to whom the Personal Information relates.

2. Roles

With respect to Recipient Data, Customer is the Controller / Business and SendMailr is the Processor / Service Provider. With respect to Customer’s own account information (name, email, billing, etc.), SendMailr is the Controller / Business, governed by the Privacy Policy.

3. Scope and Purpose of Processing

Subject matter: SendMailr’s provision of mail-printing, delivery, content-generation, tracking, and analytics services to Customer.
Duration: the term of Customer’s use of the Services, plus any post-termination retention required by law.
Nature and purpose: to render the Services on Customer’s documented instructions, including the production and delivery of mail pieces and related operational, security, and billing functions.
Categories of Personal Information: recipient names, mailing addresses, optional dates (e.g., birthday / anniversary for event-mailings), property data retrieved on instruction, and tracking events.
Categories of Data Subjects: Customer’s mailing-list recipients.

4. Customer Obligations

Customer warrants and agrees that:

It has a lawful basis to provide Recipient Data to SendMailr and to instruct SendMailr to process it for the purposes set out above.
It has provided any notices and obtained any consents required under Applicable Privacy Law.
Its instructions to SendMailr regarding Recipient Data comply with Applicable Privacy Law.
It will not provide SendMailr with sensitive categories of data (such as health, financial-account, government-identifier, or biometric data) unless expressly agreed in writing.
It will implement appropriate security measures over data while in its control, including managing user-account access and credentials.

5. SendMailr Obligations as Processor

SendMailr will:

Process Recipient Data only on Customer’s documented instructions, including as set out in the Terms of Service, this DPA, and the configuration choices made by Customer in the platform.
Not sell or share Recipient Data, and not retain, use, or disclose Recipient Data for any purpose other than performing the Services or as permitted by law.
Ensure personnel authorized to process Recipient Data are subject to confidentiality obligations.
Implement and maintain appropriate technical and organizational measures designed to protect Recipient Data against accidental or unlawful loss, alteration, or unauthorized disclosure (see Section 8).
Promptly notify Customer if SendMailr believes an instruction infringes Applicable Privacy Law.
Reasonably assist Customer with Data Subject requests, data-protection impact assessments, and consultations with supervisory authorities, taking into account the nature of the processing and information available to SendMailr.

6. Sub-processors

Customer provides general authorization for SendMailr to engage sub-processors to provide the Services. A current list of sub-processors is published at /subprocessors. SendMailr will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable for its sub-processors’ acts and omissions to the extent required by Applicable Privacy Law. SendMailr will provide notice of material sub-processor changes through the subprocessors page or by other reasonable means. Customer may object to a new sub-processor on reasonable grounds related to data protection by emailing support@sendmailr.com within 14 days of notice; the parties will work in good faith to resolve the objection.

7. Data Subject Rights

As between the parties, Customer is responsible for responding to Data Subject requests regarding Recipient Data. Where a Data Subject submits a request directly to SendMailr, SendMailr will forward the request to Customer without undue delay, unless SendMailr is independently obligated to respond. SendMailr will provide reasonable assistance to Customer in responding to verified Data Subject requests.

8. Security

SendMailr implements and maintains reasonable administrative, technical, and physical safeguards designed to protect Personal Information, including: encryption in transit; encryption at rest for sensitive credentials; access controls and authentication; password hashing; JWT-based session management with defense-in-depth route authorization; IP rate-limiting on public endpoints; webhook signature verification; and use of PCI-DSS-compliant Stripe for payment data. Security measures may evolve in line with industry practice.

9. Incident Notification

SendMailr will notify Customer without undue delay after becoming aware of a confirmed unauthorized acquisition, access, or disclosure of Recipient Data in SendMailr’s possession (a “Security Incident”). The notice will describe the nature of the Security Incident to the extent then known and the measures SendMailr is taking. SendMailr’s notice is not an acknowledgment of fault.

10. International Transfers

SendMailr is established in the United States and processes Personal Information in the U.S. To the extent any Personal Information is transferred from the European Economic Area, the United Kingdom, or Switzerland to SendMailr, the parties will rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, or other lawful transfer mechanisms, which are incorporated by reference where applicable.

11. Audits

On Customer’s reasonable written request, SendMailr will make available information reasonably necessary to demonstrate compliance with this DPA. Where Applicable Privacy Law requires an audit, the audit shall be conducted at Customer’s expense, no more than once per twelve-month period, during normal business hours, on at least 30 days’ notice, subject to confidentiality, and in a manner that does not unreasonably interfere with SendMailr’s business.

12. Return and Deletion of Data

On termination of the Services, SendMailr will, at Customer’s election, delete or return Recipient Data within a reasonable period, except to the extent retention is required by law or necessary to enforce SendMailr’s rights. Backups and logs may persist for limited periods until they are overwritten in the ordinary course.

13. Liability

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or any other theory, is subject to the limitations of liability set out in the Terms of Service.

14. Governing Law

This DPA is governed by the laws specified in the Terms of Service. Where Applicable Privacy Law requires application of a different governing law for portions of this DPA, that law applies only to the extent required.

15. Acceptance

By using the Services, Customer accepts this DPA. Customers requiring a counter-signed copy may request one through our contact form.