Data Processing Agreement (DPA)

Parties

This Data Processing Agreement (“agreement”) is entered into between:

  • Controller: the customer of Xendy (“Customer”), located at [customer address and contact details], who provides personal data to Xendy for processing.
  • Processor: Xendy BV, located at Oostervelden 62, 6681WZ Bemmel, The Netherlands, Chamber of Commerce number 72086416, VAT number NL858980058B01.

1. Purpose and scope of the agreement

1.1 This Agreement governs the processing of personal data by Xendy on behalf of the customer for the provision of email marketing services. The purpose of the processing is limited to supporting the customer’s marketing activities, including storing contact details, sending statistics, and tracking email campaign interactions.

1.2 Xendy acts solely in accordance with the customer’s written instructions regarding the processing of personal data as described in this agreement.

2. Definitions

For the purposes of this agreement, the following definitions apply:

  • Personal data: any information relating to an identified or identifiable natural person.
  • Data subject: the natural person to whom the personal data relates.
  • Subprocessor: a third party that processes personal data under the responsibility of Xendy.
  • Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • Security incident: a situation that may threaten the confidentiality, integrity, or availability of personal data.

3. Types of personal data and categories of data subjects

3.1 Personal data: Xendy processes the following personal data, depending on the customer’s usage: name, email address, interaction data (such as click and open statistics), and any additional information provided by the customer.

3.2 Data subjects: the data processing concerns the customer’s contacts registered in Xendy’s email marketing system.

4. Obligations of Xendy as processor

4.1 Xendy guarantees that it has taken appropriate technical and organizational measures to protect personal data, including:

  • Encryption of personal data during transmission and storage.
  • Daily backups of all data to prevent loss.
  • Application of ISO-27001 standards for data security, including monitoring and updating security systems.

4.2 Xendy ensures that access to personal data is restricted to authorized employees who are bound by confidentiality agreements.

5. Engagement of subprocessors

5.1 Key subprocessors: Xendy uses selected subprocessors to optimally deliver its services, including:

  • Hosting provider: for secure storage and access to data within the European Economic Area (EEA). Subprocessor details: TransIP B.V., Vondellaan 47, 2332AA Leiden, The Netherlands.
  • Email service provider: for distributing and delivering email campaigns to the customer’s contacts. Subprocessor details: Amazon Web Services EMEA SARL, Dutch Branch, Mr. Treublaan 7, 1097DP Amsterdam, The Netherlands.

5.2 Subprocessor management and processing outside the EEA: Xendy reserves the right to engage other specialized subprocessors for specific functions such as data processing, analytics, customer support, or payments. If a subprocessor processes personal data outside the EEA, Xendy ensures that such transfers comply with the GDPR through Standard Contractual Clauses (SCCs) and, if necessary, additional security measures to guarantee an adequate level of protection. This includes data encryption and protective control mechanisms.

To meet the requirements of specific EEA countries, such as Germany, Xendy provides additional documentation on security measures and safeguards for international data flows upon request. Customers may always request information about specific data flows and the location of data processing by subprocessors.

5.3 Responsibility and GDPR compliance: Xendy is responsible for ensuring its subprocessors comply with this agreement. All subprocessors are bound by a data processing agreement imposing the same privacy and security standards set out in this agreement. This also applies to subprocessors outside the EEA, ensuring compliance with applicable GDPR standards.

5.4 Customer information requests: upon request, Xendy provides the customer with an overview of the subprocessors currently used, as well as their role in the service. Upon request, Xendy also provides detailed information about subprocessors involved in processing outside the EEA, including the measures taken to ensure GDPR compliance.

6. Security and data retention

6.1 Security: Xendy applies security-by-design and security-by-default approaches and regularly updates its security measures to counter emerging threats.

6.2 Data retention and deletion: Xendy does not retain personal data longer than necessary for the processing purpose or according to legal retention obligations. Upon termination of the agreement or at the customer’s request, Xendy deletes the personal data within 90 days. Backups are deleted after 30 days unless legal obligations require otherwise.

7. Data subject rights and assistance

7.1 Data subject rights: Xendy assists the Customer in facilitating data subjects’ requests under the GDPR, such as access, correction, deletion, and restriction of processing. Requests are generally processed within 5 business days. If the customer is dissatisfied with the handling of personal data, they may contact the Dutch data protection authority (Autoriteit Persoonsgegevens).

7.2 Procedure and costs: Xendy responds to customer requests within 5 business days. Reasonable costs for handling requests may be charged if these exceed regular support. Assistance with data subject requests is generally free of charge unless the requests are excessive or unfounded, resulting in administrative costs.

8. Security incidents and data breaches

8.1 Notification: in case of a security incident or data breach potentially affecting personal data, Xendy promptly informs the customer, no later than 24 hours after discovery.

8.2 Assistance: Xendy provides all necessary information to assist the customer with regulatory and data subject notifications if legally required. Xendy also takes steps to prevent further damage, including a detailed investigation and a written report within 72 hours of discovery.

9. Audits and inspections

9.1 Audit rights: the customer has the right to conduct an audit or inspection at Xendy upon written notice to verify compliance with this Agreement.

9.2 Audit conditions: audits may take place once per year, unless a serious incident justifies an additional inspection. Audits must be conducted by an independent third party without unnecessarily disrupting Xendy’s operations. Xendy also conducts regular internal reviews to ensure compliance with GDPR standards.

9.3 Costs: audit costs are borne by the customer unless the audit reveals serious non-compliance with this Agreement.

10. Termination of the agreement

10.1 Upon termination of the agreement or at the customer’s request, Xendy will delete or transfer all personal data in a structured, commonly used, and machine-readable format unless otherwise required by law.

11. Liability and indemnification

11.1 Liability for direct damage: Xendy is only liable for direct damage resulting from non-compliance with this agreement or the GDPR. For customers processing fewer than 50,000 records, the maximum liability is €10,000 per incident. For larger customers, the maximum liability is €25,000 per incident or three times the value of the services provided in the three months prior to the incident, whichever is higher.

11.2 Customer indemnification: the customer indemnifies Xendy against claims by third parties arising from the customer’s non-compliance with this Agreement, including but not limited to claims related to sending unsolicited emails (spam) or other legal violations.

12. Applicable law and dispute resolution

12.1 This agreement is governed by Dutch law.

12.2 Disputes arising from this agreement will be resolved by the competent court in the Netherlands.

13. Amendments and final provisions

13.1 Xendy reserves the right to amend this agreement to comply with changes in legislation or improve security and privacy practices. Amendments will be communicated at least 30 days before they take effect.

13.2 If amendments substantially alter the agreement and the customer disagrees, the Customer may terminate the Agreement free of charge within the notice period.

13.3 If any provision of this agreement is invalid or unenforceable, the remaining provisions shall remain in full force and effect.