
Data Processing Agreement

Effective date: 22 January 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of the Terms of Service between FluentCart Inc. ("Processor," "toSend," "we," or "us") and the entity identified on the toSend account ("Controller," "Customer," or "you").

By accepting the Terms of Service or by using the Service, you agree to this DPA on behalf of the Controller. No separate signature is required; this DPA is binding as of the date of account creation or continued use of the Service, whichever is earlier. A signed PDF version is available on request to support@tosend.com for customers whose procurement requires one.

Where this DPA conflicts with the Terms of Service in respect of Processing of Personal Data, this DPA prevails.

1. Definitions

Capitalised terms not defined here have the meanings given to them under applicable Data Protection Laws.

  • "Applicable Data Protection Laws" means the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and any other privacy laws applicable to the Processing of Personal Data under this DPA.
  • "Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Sub-processor," "Supervisory Authority" have the meanings given in the GDPR.
  • "Customer Personal Data" means Personal Data submitted to, stored on, or otherwise Processed through the Service by or on behalf of the Controller.
  • "Service" means the toSend transactional email delivery platform and related APIs, applications, and services.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in Decision 2021/914 of 4 June 2021 and, where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs ("UK Addendum") issued by the UK Information Commissioner's Office.

2. Subject matter and scope

The subject matter of the Processing is the provision of the Service to the Controller. The Processor Processes Customer Personal Data only on the documented instructions of the Controller, including as set out in the Terms of Service, this DPA, and any reasonable written instructions thereafter.

The Processor will inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.

Nature and purpose of Processing

Storing, transmitting, and delivering email messages; providing dashboards, logs, and webhook events; billing, support, and abuse prevention.

Categories of Data Subjects

  • The Controller's end recipients (the addressees of messages sent through the Service).
  • The Controller's employees, contractors, and agents who interact with the Service.

Types of Personal Data

  • Contact identifiers: email addresses, display names.
  • Message content: subject lines, message bodies, attachments, headers, custom variables.
  • Delivery metadata: timestamps, message IDs, delivery/bounce/complaint status, IP addresses, user-agent strings.
  • Any other Personal Data that the Controller includes in message content or recipient data.

Duration of Processing

For the duration of the Controller's account, plus the retention periods set out in the Privacy Policy for logs and metadata.

3. Controller and Processor obligations

The Controller warrants that it has a lawful basis for the Processing, has provided all required notices to Data Subjects, and has obtained any necessary consents. The Controller is solely responsible for the content of messages sent through the Service and for the accuracy and lawfulness of recipient lists.

The Processor will:

  • Process Customer Personal Data only on the Controller's documented instructions.
  • Ensure that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures as described in Annex A.
  • Assist the Controller in responding to Data Subject requests and, where applicable, in consultations with Supervisory Authorities.
  • Return or delete Customer Personal Data at the end of the Service, as set out in Section 9.

4. Sub-processors

The Controller grants the Processor general authorisation to engage Sub-processors subject to this Section.

A current list of Sub-processors is maintained at /legal/subprocessors/. The Processor will give the Controller at least 7 days' prior written notice (by email to the account's billing address or an in-product notice) before adding or replacing a Sub-processor.

The Controller may object in writing to the appointment of a new Sub-processor on reasonable, good-faith grounds relating to data protection within the notice period. If the Parties cannot agree on a resolution, the Controller may terminate the affected portion of the Service without penalty, with a pro-rata refund of any prepaid fees for the unused portion.

The Processor remains responsible for the acts and omissions of its Sub-processors to the same extent as its own acts and omissions under this DPA. Each Sub-processor is engaged under a written agreement containing data-protection obligations no less protective than those set out in this DPA.

5. Security

The Processor will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as described in Annex A.

6. Personal Data Breach notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required under Article 33(3) GDPR to the extent available at the time, and updates as further information becomes available.

The Processor will cooperate with the Controller and provide reasonable assistance in the Controller's investigation, notification, and remediation of the Breach.

7. Data Subject requests

Taking into account the nature of the Processing, the Processor will provide the Controller with reasonable assistance — by appropriate technical and organisational measures, insofar as possible — to help the Controller fulfil its obligations to respond to Data Subject requests under Chapter III of the GDPR.

If the Processor receives a request directly from a Data Subject that relates to Customer Personal Data, the Processor will (unless prohibited by law) redirect the Data Subject to the Controller and promptly notify the Controller.

8. Audits

The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including summaries of relevant third-party audit reports and certifications where available.

The Controller may, once per calendar year and on at least 30 days' prior written notice, conduct an audit of the Processor's compliance with this DPA. Audits must be carried out during business hours, without unreasonable disruption to the Processor's operations, and at the Controller's cost. The Controller may appoint an independent third-party auditor (other than a competitor of the Processor) who is bound by written confidentiality obligations.

A Supervisory Authority's audit authority is unaffected by this Section.

9. Return and deletion of Customer Personal Data

On termination or expiry of the Service, the Processor will, at the Controller's choice, return or delete Customer Personal Data in its custody, except where retention is required by applicable law. Deletion from production systems will occur within 30 days of termination, subject to the retention periods set out in the Privacy Policy; copies held in backups expire with the Service's backup cycle (no longer than 90 days).

10. International data transfers

The Service is operated from the United States, and Customer Personal Data may be transferred to, stored in, and Processed in the United States or in any other country where the Processor or its Sub-processors maintain facilities.

Where the Controller transfers Personal Data to the Processor from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision:

  • The EU Standard Contractual Clauses, Module Two (Controller to Processor), are hereby incorporated by reference. The docking clause in Clause 7 applies; Option 2 of Clause 9(a) applies (general written authorisation for Sub-processors), with the 7-day notice period in Section 4 of this DPA; the optional language in Clause 11(a) is not selected; the governing law under Clause 17 is the law of Ireland; and the forum under Clause 18 is the courts of Ireland.
  • For transfers subject to the UK GDPR, the UK Addendum issued by the Information Commissioner's Office applies and modifies the EU SCCs as set out in the UK Addendum.
  • For transfers subject to the Swiss Federal Act on Data Protection, the EU SCCs apply with the adaptations published by the Swiss Federal Data Protection and Information Commissioner.

Annex I (Parties, description of transfer, competent supervisory authority) and Annex II (technical and organisational measures) of the SCCs are completed by the information in this DPA and in Annex A below; Annex III (list of Sub-processors) is completed by Annex B below.

11. Liability

Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either Party's liability to Data Subjects under the third-party beneficiary rights in the SCCs.

12. Term and termination

This DPA takes effect on the Effective Date above and continues until the Terms of Service terminate. Sections that by their nature should survive termination (including Sections 5, 6, 9, 10, 11, and 13) will survive.

13. General

  • The Processor may update this DPA from time to time to reflect changes in law or the Service. Material changes will be notified by email and will take effect no earlier than 30 days after notice.
  • This DPA is governed by the law of the State of Delaware, USA, except that Clause 17 of the SCCs governs the SCCs themselves.
  • If any provision is found unenforceable, the remaining provisions remain in effect.

Annex A — Technical and organisational measures

The Processor implements the following technical and organisational measures to protect Customer Personal Data (TOMs within the meaning of Article 32 GDPR):

Encryption

  • TLS 1.2 or higher for all data in transit, including API, webhooks, and inter-service traffic.
  • Encryption at rest for message bodies (R2 object storage) and databases (D1).
  • API credentials hashed at rest; never logged in plaintext.

Access control

  • Role-based access control for internal systems; least-privilege by default.
  • Mandatory multi-factor authentication for personnel accessing production systems.
  • Personnel access reviewed on a quarterly basis and revoked immediately on role change or departure.

Network and infrastructure security

  • Email data-plane infrastructure (message delivery, logs, suppression, webhooks) and the public marketing website are hosted on Amazon Web Services and Cloudflare, both of which operate SOC 2 Type II audited and ISO/IEC 27001 certified environments.
  • The customer dashboard (dash.tosend.com) is hosted by Hetzner Online GmbH (Germany, EU), which is ISO/IEC 27001 certified.
  • Tenant data is segregated through logical isolation; there is no shared-memory or shared-filesystem access across tenants.
  • DDoS protection and Web Application Firewall at the edge (Cloudflare).

Logging and monitoring

  • Audit logs for administrative actions, API requests, and data access; retained for a minimum of 90 days.
  • Automated alerting on anomalies, failed logins, and integrity-sensitive operations.

Backups and recovery

  • Automated database backups taken daily; retained for 30 days.
  • Documented disaster-recovery runbooks; recovery tested at least annually.

Personnel

  • Confidentiality obligations in every employment and contractor agreement.
  • Security and privacy training on hire and refreshed annually.
  • Background checks where permitted by applicable law.

Secure development

  • Peer code review required for all changes to production code.
  • Automated dependency and vulnerability scanning in CI.
  • Staged rollouts with production monitoring before full release.

Incident response

  • Documented incident-response plan, reviewed annually.
  • Breach notification process aligned with Section 6 of this DPA.

Annex B — Sub-processors

The current list of authorised Sub-processors, including name, purpose, location, and link to each Sub-processor's data-processing agreement, is maintained at /legal/subprocessors/ and is incorporated into this DPA by reference.


Contact

FluentCart Inc. (toSend)
Attn: Data Protection
131 Continental Dr, Suite 305
Newark, DE 19713, USA
support@tosend.com