Sendivent Data Processing Addendum (DPA)
Last updated: 21 December 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between:
- Processor: Appitude AB ("Sendivent"), org.nr 556950-5448, Skeppargatan 18, 114 52 Stockholm, Sweden. Notices: legal@sendivent.com. Support: support@sendivent.com.
- Controller: The customer entity that enters into the Agreement ("Customer" or "Controller").
This DPA applies where Sendivent processes Customer Content containing Personal Data on behalf of Customer.
1) Definitions
1.1 Customer Content means the data submitted to the Service by or on behalf of Customer, including contacts and identifiers (email/phone/Slack IDs), contact metadata (including free-form fields), event definitions, templates, payload values, delivery logs/status, and suppression/subscription state.
1.2 Data Protection Laws means applicable data protection laws, including the GDPR.
1.3 EEA means the European Economic Area.
1.4 GDPR means Regulation (EU) 2016/679.
1.5 Personal Data and Processing have the meanings given in the GDPR.
1.6 Security Incident means a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content containing Personal Data.
1.7 Subprocessor means a third party engaged by Processor to process Customer Content on behalf of Customer.
1.8 Standard Contractual Clauses (SCCs) means the European Commission standard contractual clauses adopted under GDPR Article 46.
2) Roles and scope
2.1 Controller and Processor. Customer is the Controller. Processor acts as Processor and processes Personal Data only on Customer’s documented instructions.
2.2 Details of Processing. The subject matter, nature, purpose, and categories of Processing are described in Annex 1.
3) Processing on documented instructions
3.1 Instructions. Processor will process Customer Content only:
- to provide, secure, and support the Service in accordance with the Agreement;
- in accordance with Customer’s configurations, API calls, and use of the dashboard; and
- as documented in the Documentation.
3.2 Unlawful instructions. If Processor believes an instruction infringes Data Protection Laws, Processor will inform Customer (unless prohibited by law).
3.3 No AI training; no LLM providers. Processor will not use Customer Content to train or improve AI models and will not send Customer Content to LLM providers.
4) Processor obligations
4.1 Confidentiality. Processor will ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
4.2 Security. Processor will implement and maintain appropriate technical and organizational measures ("TOMs") designed to protect Personal Data against Security Incidents, as described in Annex 2.
4.3 Records of processing. Processor will maintain records of processing activities to the extent required by GDPR Article 30(2).
4.4 Assistance with data subject requests. Taking into account the nature of the Processing, Processor will provide reasonable assistance to Customer to respond to data subject requests under Data Protection Laws. Where legally permitted, Processor may require Customer to use self-serve features first. Processor may charge reasonable fees for requests that are excessive or require custom engineering, to the extent permitted by law.
4.5 Assistance with DPIAs and prior consultation. Processor will provide reasonable assistance with DPIAs and prior consultation, to the extent required under Data Protection Laws and reasonably available. Processor may charge reasonable fees for extensive or custom work.
4.6 Security Incident notification. Processor will notify Customer without undue delay after confirmation and, in any event, within 72 hours after confirmation. The notification may include the nature of the incident, likely consequences, and measures taken or proposed, to the extent available. Processor will provide updates as materially relevant information becomes available.
4.7 Cooperation; no public statements. Processor will reasonably cooperate regarding a Security Incident. Customer will not make public statements identifying Processor without consent, except where required by law.
5) Subprocessors
5.1 General authorization. Customer authorizes Processor to engage Subprocessors.
5.2 Subprocessor list. Processor maintains a current list at /subprocessors (the "Subprocessor List"). Annex 3 lists Subprocessors in use as of the Last updated date.
5.3 Notice of material changes. Processor will provide 30 days' prior notice of material changes by updating the Subprocessor List and, where appropriate, notifying account owners in-product or by email.
A change is material if it involves:
- adding a new Subprocessor that will process Customer Content;
- changing the primary processing location of Customer Content to a location outside the EEA;
- adding a new category of processing of Customer Content performed by an existing Subprocessor; or
- materially expanding the scope of processing performed by an existing Subprocessor.
5.4 Urgent changes. If a change is required urgently for security or legal reasons, Processor may implement it sooner and will provide notice as soon as practicable.
5.5 Objection. Customer may reasonably object on data protection grounds by notifying legal@sendivent.com within the notice period.
5.6 Remedies. If the objection cannot be resolved within a reasonable time, Processor will, where commercially reasonable, offer an alternative to avoid the new Subprocessor for the affected Processing. If no such alternative is available, Customer may terminate (i) the affected feature/portion, and, if that is not reasonably practicable, (ii) the Agreement, by written notice. Processor will refund any prepaid fees for the terminated portion for the unused remainder of the then-current paid term (if applicable). Sections 5.5–5.6 do not apply to urgent security/legal changes under Section 5.4.
5.7 Flow-down. Processor will enter into a written agreement with each Subprocessor imposing obligations as required by GDPR Article 28.
6) International transfers
6.1 Hosting. Core hosting region is AWS eu-north-1 (Stockholm, Sweden).
6.2 Transfers may occur. Personal Data may be processed outside the EEA in limited cases, for example:
- customer-connected integrations (such as Slack) that process data under Customer’s relationship with that provider;
- SMS delivery routing depending on recipient destination and telecom networks;
- limited support/admin access from outside the EEA.
6.3 Safeguards. Where Processor initiates a transfer subject to GDPR Chapter V, Processor will apply appropriate safeguards (e.g., adequacy decisions or SCCs), taking into account the transfer context.
6.4 SCCs on request. Where SCCs are required and applicable, Processor will make SCCs available and enter into SCCs with Customer upon request.
7) Return and deletion
7.1 Deletion on termination. Upon termination/expiration, Processor will delete Customer Content from production systems within a commercially reasonable time, unless retention is required by law. Customer may request return using self-serve functionality and access methods available at the time.
7.2 Ghost contact model. Customer acknowledges that the Service may apply a “ghost contact” anonymization model for individual contact deletion intended to remove identifiers and personal fields and remove payload values from deliveries, while retaining a record designed to be non-identifying for integrity, reporting, suppression compliance, auditability, and security/fraud prevention. If any retained data remains Personal Data under applicable law, it will continue to be processed under this DPA.
7.3 Company/application deletion. Deleting a company/application hard-deletes related records from primary databases (subject to referential constraints).
7.4 Backups. Deleted data may remain in backups until backup rotation completes (up to 30 days).
8) Audits
8.1 Documents-first. Processor will make available information reasonably necessary to demonstrate compliance, primarily via security summaries, policies, and documentation.
8.2 Audit rights. Customer may audit compliance subject to:
- reasonable, proportionate, non-disruptive scope;
- maximum once per 12 months (unless required due to a confirmed Security Incident or by law);
- remote review first; on-site only if remote is insufficient and by mutual agreement;
- scope limited to systems/controls relevant to Processing Customer Content for Customer;
- auditors bound by confidentiality, not competitors, and compliant with Processor security policies;
- reasonable advance notice and proposed scope;
- Customer bears its own costs and reimburses Processor for reasonable time/expenses, except where prohibited by law.
9) Liability and precedence
9.1 No override of liability cap. This DPA does not alter liability allocation under the Agreement. The Agreement’s limitation of liability applies to this DPA to the maximum extent permitted by law.
9.2 Processing precedence only. If there is a conflict regarding Processing obligations, this DPA controls for that conflict only. For all other matters (including commercial terms and liability), the Agreement controls.
Annex 1 — Details of Processing
A) Subject matter
Processing Customer Content to provide a notifications platform (API + dashboard) enabling Customer to define events/templates and send notifications.
B) Duration
For the term of the Agreement and any retention periods described in the Agreement/DPA (including backups up to 30 days).
C) Nature and purpose
- ingesting, storing, organizing, retrieving Customer Content;
- rendering templates and merging payload values;
- routing/transmitting notifications to Sendivent-managed delivery providers and customer-connected integrations (as configured);
- maintaining suppression/subscription state and delivery logs/status;
- operating, securing, and supporting the Service, including abuse prevention and auditability.
D) Categories of data subjects
- Customer’s end users/recipients (contacts)
- Customer’s employees/contractors/representatives
E) Types of Personal Data
Depending on Customer’s use:
- contact identifiers (email, phone, Slack identifiers)
- contact attributes/metadata (including free-form fields)
- message content and template variables
- delivery metadata (timestamps, status, routing metadata)
- suppression/subscription state
F) Special categories
Customer should not provide special-category data unless strictly necessary and lawful. The Service is not designed to determine whether metadata contains special-category data.
G) Processing operations
Collection, recording, organization, storage, retrieval, use, disclosure by transmission, restriction, erasure/anonymization.
Annex 2 — Technical and Organizational Measures (TOMs)
Processor maintains a risk-based security program; measures may evolve.
- Access control and least privilege
- Authentication and secrets handling
- Encryption in transit (TLS/HTTPS)
- Encryption at rest controls where supported/appropriate by infrastructure (details on request)
- Security-focused logging minimizing message content/identifiers to the extent feasible
- Secure SDLC/change management appropriate to team size
- Managed backups (up to 30 days) and recovery procedures
- Incident response processes
- Deletion workflows (including ghost contact model; hard deletion on company/app deletion in primary DBs)
- Vendor management and GDPR Article 28 flow-downs
Annex 3 — Subprocessors
| Subprocessor | Purpose | Customer Content processed | Primary processing location |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting and core infrastructure | Customer Content stored/processed; operational logs/system metadata (excluding message content/identifiers to the extent feasible) | Sweden (AWS eu-north-1 / Stockholm) |
| Cellsynt AB | SMS delivery (when enabled) | Phone numbers; SMS message content + delivery metadata necessary to deliver messages | As applicable to SMS delivery (may vary based on delivery routing and telecom networks) |
Annex 4 — International Transfers and Safeguards (as applicable)
Core hosting is in Sweden (EEA). Transfers outside the EEA may occur in limited cases due to customer-connected integrations, SMS routing, or limited support/admin access. Where Processor initiates a transfer subject to GDPR Chapter V, appropriate safeguards (adequacy/SCCs) apply as required; SCCs can be provided/entered into upon request where applicable.