This Data Processing Addendum forms part of the agreement between Codestormx (Sendiee) and the Customer. It governs Sendiee's processing of Customer Personal Data on behalf of Customer in connection with the Services. Where required, it includes the EU Standard Contractual Clauses by reference.
Definitions
Capitalised terms not defined here have the meaning given in the Sendiee Master Services Agreement (“MSA”). For convenience:
- Customer Personal Data — any Personal Data processed by Sendiee on behalf of Customer in connection with the Services.
- Data Protection Laws — DPDPA 2023, GDPR, UK GDPR, CCPA/CPRA, LGPD, PDPL — as applicable to the Customer.
- Sub-processor — any third party engaged by Sendiee to process Customer Personal Data.
- Standard Contractual Clauses — the EU SCCs adopted by Decision 2021/914.
Roles of the parties
For Customer Personal Data, Customer is the Controller and Sendiee is the Processor. For account-level data of Customer's authorised users (admins, billing contacts), Sendiee is an independent Controller and processes such data per its Privacy Policy.
Subject matter & nature
| Subject matter | Provision of the Sendiee messaging-automation platform. |
|---|---|
| Duration | Term of the MSA, plus deletion period. |
| Nature | Storage, transmission, AI inference, analytics on Customer Personal Data. |
| Purpose | To enable Customer to send and receive messages on third-party platforms (WhatsApp, Instagram, Messenger). |
| Categories of data subjects | Customer's end users, employees, contacts, leads. |
| Categories of personal data | Identifiers, contact data, message content, media, conversation metadata. |
| Special categories | Only if Customer chooses to send them; not collected by default. |
Customer instructions
Sendiee processes Customer Personal Data only on the documented instructions of Customer, including the MSA, this DPA, the Services configuration, and any explicit written instruction. Sendiee will inform Customer if, in its opinion, an instruction violates Data Protection Laws.
Security measures
Sendiee implements the technical and organisational measures listed in Annex II of this DPA, including:
- AES-256 encryption at rest, TLS 1.2+ in transit.
- Role-based access control with mandatory 2FA.
- Network segmentation, WAF, DDoS protection (CloudFront).
- Annual third-party penetration testing.
- Logging, monitoring, and 24/7 on-call security team.
- SOC2 Type II program (Type I attested 2025).
- ISO 27001 audit in progress (target Q3 2026).
Sub-processors
Customer authorises Sendiee to engage Sub-processors. Sendiee maintains the list below and updates it at least 30 days before adding a new Sub-processor. To object, email [email protected] within 30 days; if not resolved, you may terminate the affected Services.
| Name | Purpose | Location |
|---|---|---|
| Amazon Web Services | Primary hosting · storage · DB | India · Singapore · EU |
| Google Cloud | DR · object storage | Singapore · EU |
| OpenAI | AI inference · zero-retention | USA |
| Anthropic | AI inference · zero-retention | USA |
| Google (Gemini) | AI inference · zero-retention | USA · EU |
| ElevenLabs | Voice synthesis | USA |
| Meta | WhatsApp · IG · Messenger APIs | USA · IE |
| Twilio | Telephony · SMS fallback | USA |
| Razorpay · Stripe | Payments | India · USA |
| PostHog (self-hosted) | Product analytics | India (own VPC) |
| Plain | Customer support | UK · EU |
International transfers
For transfers of Customer Personal Data from the EEA, UK or Switzerland to a third country without an adequacy decision, the parties shall be deemed to have entered into the Standard Contractual Clauses (Module Two: Controller-to-Processor), Module Three (Processor-to-Processor) where applicable, with Annex IB filled in by reference to this DPA.
For UK transfers, the UK International Data Transfer Addendum to the SCCs applies. For Swiss transfers, references to the GDPR are read as references to the FADP and to the FDPIC as the supervisory authority.
Breach notification
Sendiee will notify Customer without undue delay and in any case within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include: nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed.
Data subject requests
Sendiee provides Customer with self-service tooling to fulfill access, rectification, deletion, restriction, portability and objection requests directly. Where such tools are insufficient, Sendiee will, upon Customer's reasonable instruction, assist in fulfilling the request within 14 days.
Audits
Customer may, no more than once per year, request an audit of Sendiee's compliance with this DPA. Sendiee may satisfy this obligation by providing its current SOC2 report and a completed CAIQ. On-site audits at Sendiee facilities require 60 days' notice and are at Customer's cost.
Return & deletion
Upon termination or expiry of the MSA, Sendiee will, at Customer's option, return or delete all Customer Personal Data within 30 days, except where retention is required by law. Encrypted backups are purged within 90 days.
Liability
The liability of each party under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the MSA. Nothing in this DPA limits liability for breach of confidentiality, indemnification obligations, or where law prohibits such limitation.
Execution
This DPA is automatically incorporated into and forms part of the MSA when the Customer signs the MSA. Customers requiring a counter-signed copy may request one at [email protected] — we co-sign within 5 business days.
Email our DPO at [email protected] or write to Codestormx (Sendiee), Attn: Privacy, 1/106/C, Velangkattu Thottam, Tiruppur, Tamil Nadu 641665, India.