Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and SendNex ("Processor") for the provision of email sending services. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Nigeria Data Protection Act 2023 ("NDPA").
1. Definitions
In this DPA, the following terms have these meanings:
- Controller — the entity that determines the purposes and means of processing personal data (you, the SendNex customer).
- Processor — the entity that processes personal data on behalf of the Controller (SendNex).
- Data Subject — an identified or identifiable natural person whose personal data is processed.
- Personal Data — any information relating to a Data Subject, as defined in GDPR Art 4(1).
- Processing — any operation performed on personal data, including collection, storage, transmission, and deletion.
- Sub-processor — a third party engaged by the Processor to process personal data on behalf of the Controller.
2. Subject Matter and Duration
This DPA governs the processing of personal data by SendNex when providing its API-based email sending, receiving, and tracking services to the Controller. The duration of processing corresponds to the term of the underlying service agreement between the parties, plus any retention period specified in Section 12.
3. Nature and Purpose of Processing
SendNex processes personal data solely for the purpose of providing email services to the Controller. This includes:
- Sending emails on behalf of the Controller via the SendNex API
- Receiving inbound emails routed through Controller domains
- Tracking delivery events (delivered, bounced, complained, opened, clicked) when enabled by the Controller
- Storing email metadata and content for the retention period
- Processing attachments transmitted through the service
4. Types of Personal Data Processed
- Email addresses — sender and recipient addresses (to, cc, bcc)
- Names — sender and recipient display names
- Email content — subject lines, message bodies (HTML and plain text)
- Attachment content — files transmitted with emails
- IP addresses — of API callers and email recipients (when tracking is enabled)
- Tracking data — open timestamps, click timestamps, and URLs clicked
- Custom metadata — tags and headers provided by the Controller
5. Categories of Data Subjects
- Controller's customers — recipients of emails sent through SendNex
- Email recipients — any individual whose email address is processed
- Controller's employees — individuals who use the SendNex dashboard or API
6. Controller's Obligations
The Controller shall:
- Ensure a lawful basis exists for processing personal data through SendNex (GDPR Art 6)
- Ensure the accuracy of personal data provided to SendNex
- Provide documented instructions to SendNex regarding the processing of personal data
- Comply with the Acceptable Use Policy and all applicable data protection laws
- Respond to Data Subject requests and inform SendNex where assistance is required
7. Processor's Obligations
7.1 Processing on Instructions
SendNex shall process personal data only on documented instructions from the Controller (GDPR Art 28(3)(a)), unless required to do so by applicable law. If such a legal requirement arises, SendNex will inform the Controller before processing, unless the law prohibits such notification.
7.2 Confidentiality
SendNex ensures that all personnel authorized to process personal data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality (GDPR Art 28(3)(b)).
7.3 Security Measures
SendNex implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (GDPR Art 32), including:
- Encryption in transit — TLS 1.3 for all API and email communications
- Encryption at rest — AES-256 via AWS managed encryption
- Access controls — role-based access with least-privilege principles
- Password hashing — BCrypt with salted hashes
- API key security — SHA-256 hashed, never stored in plain text
- Session security — HMAC-SHA256 signed session tokens
- Pseudonymization — where technically feasible
7.4 Sub-Processors
SendNex shall not engage another processor without prior written authorization from the Controller (GDPR Art 28(2)). SendNex maintains a list of approved sub-processors at our Sub-Processor List. The same data protection obligations set out in this DPA are imposed on each sub-processor by way of contract (GDPR Art 28(4)).
7.5 Data Subject Requests
SendNex shall assist the Controller in fulfilling its obligations to respond to Data Subject requests (GDPR Art 28(3)(e)), including requests for access, rectification, erasure, and data portability. SendNex will respond to Controller requests for assistance within 72 hours.
7.6 Data Protection Impact Assessments
SendNex shall assist the Controller with data protection impact assessments and prior consultation with supervisory authorities where required (GDPR Art 28(3)(f), Art 35, Art 36).
7.7 Deletion or Return of Data
Upon termination of the service agreement, SendNex shall, at the Controller's choice, delete or return all personal data within 30 days and delete existing copies, unless applicable law requires further storage (GDPR Art 28(3)(g)).
7.8 Audit and Compliance
SendNex shall make available to the Controller all information necessary to demonstrate compliance with GDPR Art 28 obligations and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (GDPR Art 28(3)(h)).
8. Sub-Processing
A current list of approved sub-processors is maintained at sendnex.xyz/sub-processors.
- SendNex will provide 30 days' written notice before adding or replacing a sub-processor
- The Controller has the right to object to a new sub-processor within 14 days of notification
- If the Controller objects and no reasonable alternative is available, either party may terminate the affected service
9. International Data Transfers
SendNex is based in Lagos, Nigeria. Personal data may be transferred to and processed in the following locations:
- AWS eu-west-1 (Ireland) — primary infrastructure region within the EU
- Nigeria — SendNex operational base
For transfers from the EU/EEA to Nigeria, SendNex relies on Standard Contractual Clauses ("SCCs") as approved by the European Commission (GDPR Art 46(2)(c)). For transfers to the US (where sub-processors are located), the applicable sub-processor's own transfer mechanisms apply (e.g., the EU-US Data Privacy Framework).
10. Security Measures
10.1 Technical Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all data at rest (AWS managed keys)
- BCrypt password hashing with unique salts
- SHA-256 hashing for API keys
- HMAC-SHA256 signed session tokens
- Rate limiting and abuse detection
- Automated vulnerability scanning
10.2 Organizational Measures
- Role-based access control with least-privilege principles
- Comprehensive audit logging of all administrative actions
- Documented incident response plan
- Regular security reviews and testing
- Confidentiality agreements for all personnel
11. Data Breach Notification
In the event of a personal data breach (GDPR Art 33), SendNex shall:
- Notify the Controller within 48 hours of becoming aware of the breach (stricter than GDPR's 72-hour requirement)
- Provide the following information:
  - Nature of the breach
  - Categories and approximate number of Data Subjects affected
  - Categories of personal data records affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
  - Measures taken to mitigate possible adverse effects
- Cooperate with the Controller in notifying the relevant supervisory authority and affected Data Subjects where required
12. Data Retention and Deletion
- Email logs and tracking data: retained for 90 days, then automatically purged
- Account data: retained until termination of the service agreement, plus 30 days for data export
- Backups: purged within 60 days of data deletion from production systems
- Payment records: retained as required by Nigerian tax law (minimum 6 years under FIRS regulations)
13. Audit Rights
- The Controller may audit SendNex's compliance with this DPA once per year with at least 30 days prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with SendNex's operations
- The Controller bears the cost of the audit unless a material breach is discovered
- As an alternative to on-site audits, SendNex may provide a SOC 2 Type II report or equivalent third-party certification
14. Liability
- Each party shall be liable for damage caused by processing that infringes the GDPR (Art 82)
- The Processor's liability under this DPA shall not exceed 12 months of fees paid by the Controller under the service agreement
- This limitation does not apply to liability arising from willful misconduct or gross negligence
15. Term and Termination
- This DPA is effective for the duration of the underlying service agreement
- Obligations relating to data deletion (Section 12) and confidentiality (Section 7.2) survive termination
- Either party may terminate this DPA if the other party materially breaches its obligations and fails to cure within 30 days of written notice
16. Governing Law
This DPA is governed by the laws of the Federal Republic of Nigeria. Where the Controller or Data Subjects are located in the EU/EEA, the provisions of GDPR shall apply to the processing of their personal data, and disputes relating to GDPR compliance may be brought before the competent courts of the relevant EU member state.
17. Contact
For questions about this DPA or to exercise any rights under it, contact us at:
- Email: privacy@sendnex.xyz
- Location: Lagos, Nigeria