Data Processing Agreement

Last updated: February 11, 2026

1. Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Senderkit ("Processor") and the entity agreeing to these terms ("Controller").

2. Scope of processing

Subject matter: Provision of email marketing platform services
Duration: For the term of the service agreement
Nature & purpose: Storing subscriber data, sending emails, tracking engagement
Data categories: Email addresses, names, IP addresses, engagement data, consent records
Data subjects: Controller's email subscribers and contacts

3. Processor obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure authorized personnel are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without prior written authorization
  • Assist the Controller with data subject rights requests
  • Delete or return all personal data upon termination
  • Make available information necessary to demonstrate compliance

4. Sub-processors

Provider | Purpose | Location
Elastic Email | Email delivery | US/EU
Neon | Database hosting | Sydney (ap-southeast-2)
Stripe | Payment processing | US (DPF certified)
Anthropic | AI content generation | US

5. International transfers

Where personal data is transferred outside the EEA, we ensure appropriate safeguards via:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission

6. Security measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security enforcing strict tenant data isolation
  • Database access restricted to secure connection pooling
  • Authentication via bcrypt password hashing with JWT token handling
  • API rate limiting to prevent abuse

7. Breach notification

Processor shall notify Controller without undue delay (within 72 hours) after becoming aware of a personal data breach, including:

  • Nature of the breach and approximate number of affected data subjects
  • Contact details of the data protection point of contact
  • Likely consequences and measures taken to address the breach

8. Data subject rights

Processor assists Controller in responding to data subject requests including access, rectification, erasure, restriction, portability, and objection. Senderkit provides self-service tools for data export and deletion.

9. Retention & deletion

Upon termination, Processor deletes all personal data within 30 days unless retention is required by law. Controller may export data prior to termination.

10. Audit rights

Controller may audit Processor's compliance upon reasonable notice. Processor makes available all information necessary to demonstrate compliance.

Acceptance

By using Senderkit, you accept this DPA as part of the Terms of Service. A countersigned copy can be requested at privacy@senderkit.hatched.digital.