Data Processing Agreement

This Data Processing Agreement (the “DPA”) is incorporated into the agreement under which Sendlane, Inc. (“Sendlane”) has agreed to provide Services to a customer (“Customer”) (Sendlane and Customer collectively, the “Parties”), whether such agreement is Sendlane’s Terms of Use, Master Customer Agreement, or otherwise (in each such case, the “Agreement”), and includes the terms required by the applicable Privacy Laws (defined below). Any terms not defined in this DPA shall have the meaning set forth in the Agreement.

1. Definitions

1.1 “Authorized Subprocessor” means a third-party subprocessor, subcontractor, agent, reseller, or auditor engaged by Sendlane or employee of the same, that has a need to know or otherwise access Sendlane’s Personal Data to enable Sendlane to perform its obligations under this DPA or the Agreement, and that has been previously approved by Customer in accordance with Section 4.1 of this DPA, and who is bound in writing by a data processing agreement pursuant to which their duties and obligations to protect Personal Data are in strict accordance with the terms hereof.

1.2 “Sendlane Account Data” means Personal Data that relates to Sendlane’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Sendlane Account Data also includes any data Sendlane may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.

1.3 “Sendlane Usage Data” means Service usage data collected and processed by Sendlane in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

1.4 “Consumer” means a natural person who is a resident of, as applicable: (1) California, however identified, including by any unique identifier; (2) Colorado, Virginia, or Utah, acting only in an individual or household context; or (3) Connecticut, acting only in an individual context.

1.5 “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of Processing Personal Data. “Controller” includes a “Business” as defined by the CCPA.

1.6 “Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable Consumer that is processed by Sendlane on behalf of the Customer pursuant to the Agreement. “Personal Data” includes “Personal Information” or “Personal Data” as defined by the applicable Privacy Law.

1.7 “Privacy Laws” means, as applicable, (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), (ii) the Virginia Consumer Data Protection Act (“VCDPA”), (iii) the Colorado Privacy Act (“CPA”), (iv) the Connecticut Data Privacy Act (“CTDPA”), and (v) the Utah Consumer Privacy Act (“UCPA”), in each case as updated, amended or replaced from time to time.

1.8 “Process” or “Processing” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.

1.9 “Processor” means a natural or legal entity that Processes Personal Data on behalf of a Controller or a Business. “Processor” includes “Service Provider,” and “Contractor,” as defined by applicable Privacy Laws.

2. Nature and Purpose of Processing

2.1 Nature and Purpose of Processing: Except with respect to Sendlane Account Data and Sendlane Usage Data, Sendlane shall Process Personal Data provided by Customer under the Agreement as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Sendlane to be in breach of the Privacy Laws. Such purposes shall include, without limitation, Sendlane’s provision of marketing, automation, and related Services to Customer.

2.2 Duration of Processing: Sendlane shall Process Personal Data provided by Customer as long as required (i) to provide the Services to Customer under the Agreement, or (ii) by applicable law or regulation.

2.3 Categories of Consumers: Sendlane may Process the following Consumers’ Personal Data to the extent provided by Customer: Customer’s end-users and/or Customer’s own customers who are recipients of marketing communications and activities from Customer.

2.4 Categories of Personal Data: Sendlane may Process the following categories of Personal Data to the extent provided by Customer: name, location, email address, phone number, address, occupation, title, IP address, device identifiers, usage data, and any additional personal data provided by Customer in connection with their use of the Services.

2.5 Customer Obligations Regarding Personal Data: Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Sendlane by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Sendlane regarding the processing of such Personal Data. Customer shall not provide or make available to Sendlane any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Sendlane from all claims and losses in connection therewith.

3. Audits

3.1 To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Sendlane shall either (1) make available for Customer’s review copies of certifications or reports demonstrating Sendlane’s compliance with prevailing data security standards applicable to the Processing of Personal Data provided by Customer under the Agreement, or (2) if the provision of reports or certifications pursuant to (1) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third-party representative to conduct an audit or assessment of Sendlane’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Sendlane’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Sendlane for any time expended for on-site audits.

4. Authorized Subprocessors

4.1 A list of Sendlane’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto, at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by Sendlane from time to time. Sendlane may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the processing of Personal Data, Sendlane will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Sendlane within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent Sendlane from offering the Services to Customer.

4.2 If Customer reasonably objects to an engagement in accordance with Section 4.1, and Sendlane cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Sendlane. Discontinuation shall not relieve Customer of any fees owed to Sendlane under the Agreement.

4.3 If Customer does not object to the engagement of a third party in accordance with Section 4.1 within ten (10) days of notice by Sendlane, that third party will be deemed an Authorized Subprocessor for the purposes of this DPA.

4.4 Sendlane will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Sendlane under this DPA with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with Sendlane, Sendlane will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.

5. Security of Personal Data

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sendlane shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data.

6. Consumer Requests

6.1 Sendlane shall, to the extent permitted by law, notify Customer upon receipt of a Verifiable Consumer Request, as defined in the applicable Privacy Laws. If Sendlane receives a request from a Consumer in relation to Customer’s data, Sendlane shall advise Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that any Verifiable Consumer Requests are communicated to Sendlane, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.

7. California-Specific Terms

7.1 Additional Definitions

  • 7.1.1 For purposes of this Section 7, the terms “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” shall have the meanings set forth in the CCPA.

7.2 Obligations

  • 7.2.1 In addition to all other obligations provided in Sections 1-6 of this DPA, the following shall apply to Personal Information subject to the CCPA.

  • 7.2.2 Except with respect to Sendlane Account Data and Sendlane Usage Data (as defined in the DPA), the parties acknowledge and agree that Sendlane is a Service Provider for the purposes of the CCPA (to the extent it applies) and Sendlane is receiving Personal Information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.

  • 7.2.3 Sendlane shall not Sell or Share Personal Information provided by Customer under the Agreement.

  • 7.2.4 Sendlane shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship with Customer or for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.

  • 7.2.5 Sendlane shall notify Customer if Sendlane makes a determination that it can no longer meet its obligations under the CCPA.

  • 7.2.6 Sendlane will not combine Personal Information received from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.

  • 7.2.7 Sendlane shall comply with all obligations applicable to Service Providers under the CCPA, including by providing Personal Information provided by Customer under the Agreement the level of privacy protection required by the CCPA.

  • 7.2.8 If Customer determines that Sendlane is Processing Personal Information in an unauthorized manner, Customer may, taking into account the nature of Sendlane’s Processing and the nature of the Personal Information Processed by Sendlane on behalf of Customer, take commercially reasonable and appropriate steps to stop and remediate such unauthorized Processing.

8. Virginia-Specific Terms

8.1 Additional Definitions

  • 8.1.1 For purposes of this Section 8, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the VCDPA.

8.2 Obligations

  • 8.2.1 In addition to all other obligations provided in Sections 1-6 of this DPA, the following shall apply to Personal Data subject to the VCDPA.

  • 8.2.2 Except with respect to Sendlane Account Data and Sendlane Usage Data (as defined in the DPA), the parties acknowledge and agree that Sendlane is a Processor for the purposes of the VCDPA (to the extent it applies).

  • 8.2.3 Sendlane shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the VCDPA by: (i) in the event of a data breach, providing information sufficient to enable Customer to meet its obligations pursuant to Virginia’s breach notification laws (Va. Code § 18.2-186.6); and (ii) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by the VCDPA.

  • 8.2.4 Sendlane shall maintain the confidentiality of Personal Data provided by Customer and require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.

  • 8.2.5 Upon Customer’s written request, Sendlane shall delete or return all Personal Data provided by Customer under the Agreement, unless retention of such Personal Data is required or authorized by law or the DPA and/or Agreement. If return or destruction is impracticable or prohibited by law, rule or regulation, Sendlane shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect such Personal Data remaining in its possession, custody, or control.

  • 8.2.6 Upon Customer’s written request at reasonable intervals, Sendlane shall, as set forth in Section 3 of this DPA, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Sendlane’s compliance with its obligations under the VCDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the VCDPA and in conformance with Section 3 of this DPA.

9. Colorado-Specific Terms

9.1 Additional Definitions

  • 9.1.1 For purposes of this Section 9, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CPA.

9.2 Obligations

  • 9.2.1 In addition to all other obligations provided in Sections 1-6 of this DPA, the following shall apply to Personal Data subject to the CPA.

  • 9.2.2 Except with respect to Sendlane Account Data and Sendlane Usage Data (as defined in the DPA), the parties acknowledge and agree that Sendlane is a Processor for the purposes of the CPA (to the extent it applies).

  • 9.2.3 Sendlane shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.

  • 9.2.4 Upon Customer’s written request, Sendlane shall delete or return all Personal Data provided by Customer.

  • 9.2.5 Upon Customer’s written request at reasonable intervals, Sendlane shall, as set forth in Section 3 of this DPA, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Sendlane’s compliance with its obligations under the CPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CPA and in conformance with Section 3 of this DPA.

10. Connecticut-Specific Terms

10.1 Additional Definitions

  • 10.1.1 For purposes of this Section 10, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CTDPA.

10.2 Obligations

  • 10.2.1 In addition to all other obligations provided in Sections 1-6 of this DPA, the following shall apply to Personal Data subject to the CTDPA.

  • 10.2.2 Except with respect to Sendlane Account Data and Sendlane Usage Data (as defined in the DPA), the parties acknowledge and agree that Sendlane is a Processor for the purposes of the CTDPA (to the extent it applies).

  • 10.2.3 Sendlane shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.

  • 10.2.4 Upon Customer’s written request, Sendlane shall delete or return all Personal Data provided by Customer.

  • 10.2.5 Upon Customer’s written request at reasonable intervals, Sendlane shall, as set forth in Section 3 of this DPA, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Sendlane’s compliance with its obligations under the CTDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CTDPA and in conformance with Section 3 of this DPA.

11. Utah-Specific Terms

11.1 Additional Definitions

  • 11.1.1 For purposes of this Section 11, the terms “Consumer,” “Controller,” “Personal data,” “Processing,” and “Processor” shall have the meanings set forth in the UCPA.

11.2 Obligations

  • 11.2.1 In addition to all other obligations provided in Sections 1-6 of this DPA, the following shall apply to Personal Data subject to the UCPA.

  • 11.2.2 Except with respect to Sendlane Account Data and Sendlane Usage Data (as defined in the DPA), the parties acknowledge and agree that Sendlane is a Processor for the purposes of the UCPA (to the extent it applies).

  • 11.2.3 Sendlane shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.