Data Processing Agreement
Effective Date: April 7, 2026
Last Updated: April 7, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Jonah and Associates Pty Ltd, operating as Sendmux (“Processor”, “we”, “us”), and the customer agreeing to the Terms of Service (“Controller”, “you”, “your”).
This DPA applies where you, as a data controller, use the Sendmux Service to process personal data of third parties (such as email recipients) and Sendmux acts as a data processor on your behalf. This DPA is designed to meet the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Australian Privacy Act 1988.
1. Definitions
- Personal Data — Any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
- Processing — Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- Data Subject — The identified or identifiable natural person to whom Personal Data relates.
- Sub-Processor — A third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Supervisory Authority — An independent public authority responsible for monitoring the application of data protection law.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller in connection with the provision of the Sendmux email routing and orchestration Service.
2.2 Nature and Purpose
Processing includes the routing, temporary queuing, delivery, and logging of emails sent by or on behalf of the Controller through the Service, as well as the storage of inbound emails for customers using mailbox features.
2.3 Categories of Data Subjects
- Email recipients
- Email senders
- Individuals referenced in email content
2.4 Types of Personal Data
- Email addresses (sender and recipient)
- Names (where included in email headers or content)
- Email subject lines and body content (temporarily for routing; persistently for mailbox features)
- IP addresses
- Timestamps
- Any other personal data included by the Controller in email content
2.5 Duration
Processing continues for the duration of the Terms of Service. Upon termination, the Processor will delete or return Personal Data in accordance with Section 10 of this DPA.
3. Obligations of the Controller
The Controller:
- Ensures that it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf
- Is responsible for the accuracy, quality, and legality of Personal Data provided to the Processor
- Is responsible for providing any required notices to, and obtaining any required consents from, Data Subjects
- Will comply with all applicable data protection laws in its use of the Service
4. Obligations of the Processor
The Processor:
- Processes Personal Data only on documented instructions from the Controller, unless required by law to do otherwise (in which case, the Processor will inform the Controller before processing, unless prohibited by law)
- Ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6
- Does not engage Sub-Processors without meeting the requirements of Section 7
- Assists the Controller, taking into account the nature of processing, in responding to requests from Data Subjects exercising their rights under applicable data protection law
- Assists the Controller in ensuring compliance with data breach notification obligations, data protection impact assessments, and prior consultations with supervisory authorities, where applicable
- Deletes or returns Personal Data upon termination, as described in Section 10
- Makes available to the Controller all information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, as described in Section 9
5. Instructions
The Controller's instructions to the Processor are documented in this DPA and the Terms of Service. Any additional instructions must be agreed in writing. If the Processor considers that an instruction infringes applicable data protection law, the Processor will promptly inform the Controller.
6. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption at rest — Provider credentials encrypted using AES-256-GCM
- Encryption in transit — TLS/SSL for all data transmission
- Access controls — Role-based access controls limiting access to Personal Data to authorised personnel only
- Infrastructure isolation — Services deployed on isolated Kubernetes clusters on Hetzner infrastructure within the European Union
- Password security — User passwords stored using industry-standard hashing algorithms
- Monitoring — System monitoring and logging for security events
- Data minimisation — Outbound email body content deleted after delivery; only metadata retained for operational purposes
- Credential management — API keys and SMTP credentials managed with encryption and scoped permissions
7. Sub-Processors
7.1 Current Sub-Processors
The Controller provides general authorisation for the Processor to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, edge compute, application hosting (Workers), KV/D1/R2 storage | Global |
| Hetzner Online GmbH | K8s cluster hosting, load balancer, email processing infrastructure | EU (Germany, Finland) |
| Stripe, Inc. | Payment processing and billing | As per Stripe's data processing terms |
| DigitalOcean, LLC | Occasional supplementary infrastructure | EU |
| Umami | Privacy-focused website analytics (no personal data processed) | Self-hosted / provider infrastructure |
7.2 Changes to Sub-Processors
The Processor will notify the Controller by email at least 30 days before engaging a new Sub-Processor or replacing an existing one. The Controller may object to a new Sub-Processor within 14 days of notification. If the Controller objects on reasonable data protection grounds and the Processor cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service.
7.3 Sub-Processor Obligations
The Processor will impose data protection obligations on Sub-Processors that are no less protective than those set out in this DPA.
8. International Data Transfers
8.1 Primary Storage
Personal Data is primarily stored within the European Union on Hetzner infrastructure located in Germany and Finland.
8.2 Transfer Mechanisms
Where Personal Data is transferred outside the EEA (for example, through Cloudflare's global edge network or Stripe's payment processing), such transfers are protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The receiving party's participation in recognised frameworks or certifications
- Other legally recognised transfer mechanisms under applicable data protection law
8.3 Australian Data
For Personal Data subject to the Australian Privacy Act 1988, the Processor ensures that overseas recipients of Personal Data are subject to obligations substantially similar to the Australian Privacy Principles, or that the Controller has consented to the transfer.
9. Audits
9.1 Information
The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA upon written request.
9.2 Audit Rights
The Controller may conduct an audit of the Processor's compliance with this DPA, subject to the following conditions:
- The Controller provides at least 30 days' written notice
- Audits are conducted during normal business hours
- Audits do not unreasonably disrupt the Processor's operations
- The Controller bears its own costs of the audit
- Audits are limited to once per 12-month period, unless required by a supervisory authority or following a data breach
9.3 Third-Party Audits
The Controller may engage a qualified, independent third-party auditor, subject to the auditor entering into appropriate confidentiality obligations.
10. Data Deletion and Return
10.1 Upon Termination
Upon termination of the Terms of Service, the Processor will:
- Delete all Personal Data within 30 days, unless retention is required by applicable law
- Upon request made before termination, provide the Controller with a copy of their data in a structured, machine-readable format via the API or dashboard export
10.2 Retention Exceptions
The Processor may retain Personal Data beyond the 30-day deletion period only where required by applicable law (such as billing records required by Australian tax law, retained for up to 7 years).
11. Data Breach Notification
11.1 Notification
The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's Personal Data.
11.2 Content of Notification
The notification will include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of the Processor's point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
11.3 Cooperation
The Processor will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
12. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.
13. Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA will prevail with respect to data protection matters.
14. Contact
For questions about this Data Processing Agreement, contact us at:
Jonah and Associates Pty Ltd
Trading as Sendmux
Email: contact@sendmux.ai
Website: sendmux.ai