Data Processing Agreement

1. Scope & Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and SendHup ("Data Processor"). It governs the processing of personal data that you submit to the Service for the purpose of sending messages to your end users. This DPA applies wherever the processing of personal data is subject to applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
• "Processing" means any operation performed on Personal Data, including collection, storage, transmission, and deletion.
• "Sub-processor" means any third party appointed by SendHup to process Personal Data on your behalf.
• "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.

3. Data Processing Details

4. Processor Obligations

SendHup shall:

• Process Personal Data only on your documented instructions
• Ensure that personnel authorized to process data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist you in fulfilling data subject access requests and regulatory obligations
• Notify you without undue delay (and within 72 hours) upon becoming aware of a Data Breach
• Delete or return all Personal Data upon termination, at your choice
• Make available all information necessary to demonstrate compliance and allow for audits

5. Sub-processors

SendHup uses third-party sub-processors to deliver the Service, including SMS carriers, email delivery providers, and cloud infrastructure providers. A current list of sub-processors is maintained and updated with at least 30 days' advance notice before adding a new sub-processor. You may object to a new sub-processor within 14 days of notification.

6. Security Measures

SendHup implements and maintains the following security measures:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Role-based access control with least-privilege principles
• Regular penetration testing and vulnerability assessments
• Comprehensive audit logging of all system access
• Incident response procedures with defined escalation paths
• Employee security awareness training

7. International Transfers

Where Personal Data is transferred outside the European Economic Area or the UK, SendHup ensures adequate safeguards are in place. These include EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplementary measures where required by applicable law, and data processing impact assessments for high-risk transfers.

8. Data Subject Rights

SendHup will assist you in responding to data subject requests, including access, rectification, erasure, restriction, portability, and objection. We will redirect any data subject requests we receive directly to you without undue delay.

9. Audit Rights

You may audit our compliance with this DPA once per year, with reasonable advance notice. We will cooperate with audits conducted by you or an independent third-party auditor bound by confidentiality. We may provide SOC 2 Type II reports or equivalent certifications in lieu of on-site audits.

10. Termination & Data Return

Upon termination of the Service, SendHup will, at your election, return or securely delete all Personal Data within 30 days. Certification of deletion will be provided upon request. Data required for legal compliance may be retained in encrypted form for the minimum period required by law.

11. Contact

For DPA-related inquiries or to request a signed copy, contact us at legal@sendhup.com.