Data Processing Addendum
Last updated: 31.12.2025
This Data Processing Addendum (“Addendum”) applies to and supplements the EasySend Platform Subscription Agreement (“Agreement”) entered into by EasySend Ltd. (“EasySend”) and Customer (as defined in the Agreement). This Addendum forms part of the Agreement.
If there is a conflict between this Addendum and the Agreement regarding the Processing of Customer Personal Data, this Addendum will control to the extent required by Data Protection Laws. Otherwise, the Agreement will control.
1. Definitions
1.1 “Applicable Laws” means any laws and regulations applicable to the Processing of Customer Personal Data.
1.2 “Customer Personal Data” means Personal Data Processed by EasySend on behalf of Customer in connection with the Services.
1.3 “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (where applicable) the EU GDPR, UK GDPR, Swiss FADP, and applicable U.S. federal and state privacy laws (including, where applicable, CCPA/CPRA).
1.4 “EU GDPR” means Regulation (EU) 2016/679.
1.5 “UK GDPR” means the EU GDPR as incorporated into UK law and as amended.
1.6 “Personal Data” and “Processing” have the meanings given in the EU GDPR (and will be interpreted similarly under other Data Protection Laws).
1.7 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
1.8 “Subprocessor” means a third party authorized under this Addendum to Process Customer Personal Data to provide the Services.
1.9 “Services” has the meaning set forth in the Agreement.
2. Roles of the parties
2.1 Customer acts as a Controller (or equivalent role under Data Protection Laws) for Customer Personal Data. EasySend acts as a Processor (or equivalent).
2.2 For purposes of U.S. state privacy laws (where applicable), Customer acts as a Business/Controller (or equivalent) and EasySend acts as a Service Provider/Processor (or equivalent).
3. Scope and instructions for Processing
3.1 EasySend will Process Customer Personal Data only:
- (a) to provide, secure, maintain, and support the Services in accordance with the Agreement;
- (b) on documented instructions from Customer (including Customer’s configuration and use of the Services); and
- (c) as required by Applicable Laws (in which case, to the extent permitted by law, EasySend will notify Customer of the legal requirement before Processing).
3.2 Processing details (GDPR Art. 28(3) information). The parties agree the Processing details are as follows:
- Subject matter: Provision of the Services (including hosting, storage, transmission, support, maintenance, troubleshooting, and security monitoring).
- Duration: The term of the Agreement, plus the return/deletion period in Section 11.
- Nature of Processing: Operations on Customer Personal Data such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment/combination, restriction, and deletion—only as necessary to provide the Services and as instructed by Customer.
- Purpose(s): Providing, operating, securing, supporting, and improving the Services; preventing fraud/abuse; complying with law.
- Categories of Data Subjects: Customer’s end users, employees, contractors, prospects/customers, and other individuals whose Personal Data Customer submits to the Services.
- Types of Personal Data: Names, contact details, identifiers, account/user IDs, usage and device metadata, logs, communications/content submitted through the Services (as configured by Customer), and other Personal Data Customer chooses to upload or generate through use of the Services.
- Special categories / sensitive data: Not intended. If Customer requires Processing of special category data, children’s data, or regulated data (e.g., PHI), it must be expressly agreed in writing and may require additional terms (e.g., a BAA for HIPAA).
3.3 International scope. Customer may use the Services to Process Customer Personal Data relating to individuals located in any jurisdiction, subject to the Agreement and this Addendum.
3.4 Processor compliance. EasySend will comply with Data Protection Laws applicable to it as a Processor in connection with the Processing of Customer Personal Data.
4. Customer obligations
4.1 Customer is responsible for:
- (a) ensuring it has a valid legal basis and required notices/consents for Processing;
- (b) ensuring its instructions are lawful and do not cause EasySend to violate Data Protection Laws; and
- (c) the accuracy, quality, and legality of Customer Personal Data it provides.
4.2 Customer will not provide Customer Personal Data to EasySend in violation of Data Protection Laws.
5. Confidentiality
5.1 EasySend will ensure that persons authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations (contractual or statutory).
6. Security measures
6.1 EasySend will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing.
6.2 Minimum security controls include, as applicable:
- Access controls (least privilege, role-based access, MFA where appropriate)
- Encryption in transit (e.g., TLS) and encryption at rest where appropriate
- Logging and monitoring for security events
- Vulnerability management (patching, scanning, remediation processes)
- Secure development lifecycle practices
- Incident response processes and escalation
- Business continuity and backup/restore practices
- Employee security training and awareness
- Vendor/Subprocessor security due diligence processes
6.3 Assurance. EasySend maintains an information security program aligned with recognized industry standards and (i) maintains a SOC 2 report covering relevant Trust Services Criteria and (ii) maintains an ISO/IEC 27001 certification for its information security management system (ISMS) (each as updated from time to time).
6.4 Evidence. Upon Customer’s written request and subject to confidentiality obligations (including execution of an NDA if requested), EasySend will provide Customer with (a) its then-current SOC 2 report and (b) its then-current ISO/IEC 27001 certificate and/or a summary of the applicable scope statement, in each case to the extent reasonably available and permitted.
7. Subprocessing
7.1 Customer authorizes EasySend to engage Subprocessors to Process Customer Personal Data for the Services, including affiliates.
7.2 EasySend will maintain an up-to-date list of Subprocessors and make it available to Customer upon request (or via a publicly available page if EasySend maintains one).
7.3 EasySend will provide notice of material changes to Subprocessors (e.g., adding a new Subprocessor that materially affects Processing). Customer may object on reasonable data protection grounds within ten (10) days of notice. If the parties cannot resolve the objection, Customer may terminate the affected Services for convenience (only) and receive a refund of any prepaid, unused fees for the terminated portion, if applicable.
7.4 EasySend will impose written obligations on Subprocessors that are no less protective than this Addendum and remains responsible for their performance.
8. Data Subject requests; regulator communications
8.1 Taking into account the nature of the Services, EasySend will provide reasonable assistance to Customer to respond to Data Subject requests required under Data Protection Laws.
8.2 If EasySend receives a Data Subject or regulator request relating to Customer Personal Data, EasySend will (to the extent legally permitted) notify Customer and will not respond except on Customer’s documented instructions, unless required by law.
9. DPIAs and prior consultation
EasySend will provide reasonable assistance, at Customer’s request, with data protection impact assessments and prior consultations required by GDPR/UK GDPR, considering the nature of the Services and information available to EasySend.
10. Security Incident notification
10.1 EasySend will notify Customer without undue delay after becoming aware of a Security Incident involving Customer Personal Data and will provide information reasonably necessary to support Customer’s compliance obligations.
10.2 EasySend will take reasonable steps to contain, investigate, and remediate the Security Incident.
11. Return and deletion
11.1 Upon termination or expiration of the Agreement, at Customer’s request, EasySend will delete or return Customer Personal Data within 90 days, unless Applicable Laws require retention.
11.2 EasySend may retain Customer Personal Data in backups for a limited period consistent with its backup policies, provided such data remains protected and is deleted in the ordinary course.
12. Audits and compliance information
12.1 EasySend will make available information reasonably necessary to demonstrate compliance with this Addendum.
12.2 Audit alternatives. Customer agrees that EasySend’s then-current third-party assurance materials (including a SOC 2 report and ISO/IEC 27001 certificate) may be used to satisfy Customer’s audit requests to the extent they reasonably address the scope of the request.
12.3 Customer audits. Where Data Protection Laws require Customer to have audit rights beyond the assurance materials described above, Customer may audit EasySend’s compliance no more than once per 12 months, with 30 days’ prior written notice, during business hours, and in a manner designed to avoid unreasonable disruption. Any such audit will:
- be limited to Processing of Customer Personal Data;
- be conducted by Customer or an independent auditor bound by confidentiality; and
- be subject to EasySend’s reasonable security and confidentiality controls.
12.4 Costs. Unless otherwise required by Data Protection Laws, Customer will bear its own costs for any audit and will reimburse EasySend for reasonable time and materials incurred to support an on-site audit, provided EasySend has informed Customer of such costs in advance.
13. International data transfers (EU/UK/Switzerland)
13.1 Where Customer Personal Data is transferred from the EEA, Switzerland, or the UK to a country not recognized as providing adequate protection, the parties agree the transfer will be governed as follows:
- EEA/Switzerland: The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply automatically. The parties select Module Two (Controller → Processor) for such transfers.
- UK: The UK’s International Data Transfer Addendum to the EU SCCs (or UK IDTA, as applicable) is incorporated by reference and applies automatically.
13.2 For purposes of the SCCs/UK transfer terms, the parties agree:
- Data exporter: Customer
- Data importer: EasySend
- Description of transfer: The Processing details and security measures set out in Sections 3.2 and 6 of this Addendum apply.
- Subprocessors: As described in Section 7, based on EasySend’s then-current Subprocessor list.
- Onward transfers: EasySend will ensure onward transfers are covered by an appropriate transfer mechanism as required by Data Protection Laws.
13.3 The parties will cooperate in good faith to implement supplemental measures where required following a risk assessment of the transfer.
14. U.S. privacy terms (where applicable)
To the extent U.S. state privacy laws apply (including CCPA/CPRA where applicable), EasySend will:
- not “sell” or “share” Customer Personal Data (as those terms are defined by applicable law);
- not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by law; and
- not combine Customer Personal Data with data from other sources except as permitted by law.
15. Liability
Liability under this Addendum will follow the limitation of liability and other remedies provisions in the Agreement, except to the extent Data Protection Laws require otherwise.
16. Governing law; jurisdiction
This Addendum will follow the governing law and jurisdiction provisions in the Agreement, except where the SCCs/UK transfer terms require a different governing law/jurisdiction for those transfer terms.
17. Entire agreement; order of precedence
This Addendum is incorporated into and made part of the Agreement. If any provision of the Agreement conflicts with this Addendum regarding the Processing of Customer Personal Data, the conflict will be resolved as stated in the first paragraph of this Addendum.

