
Data Processing Agreement

Last updated: May 2026

01 Overview

This Data Processing Addendum, including the Standard Contractual Clauses (as defined below) attached hereto (collectively, the “DPA” or “Addendum”), is made and entered into as of the effective date of the applicable customer’s (“Customer”) acceptance of the Terms of Service between PristineSend (“Company” or “PristineSend”) and Customer. This Addendum shall become legally binding upon Customer entering into the Agreement or upon execution of this Addendum.

02 Definitions

  • Affiliate means an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, or an entity which is under common control with a party.
  • Data Subject means an identified or identifiable natural person who is in the EEA or whose rights are protected by EU Data Protection Laws; or a “Consumer” as defined in the CCPA.
  • Customer Data means any content, data, information or other materials (including Personal Information) submitted or shared by or for Customer to or through the Service.
  • Personal Information means information relating to a living individual who is, relates to, describes or can be, reasonably identified or linked, directly or indirectly from information within the Company’s or Customer’s control and which is stored, collected, processed or submitted to or via the Service as Customer Data.
  • Authorized Sub-Processor means a third party who has a need to know or otherwise access Customer’s Personal Data to enable Company to perform its obligations under this DPA or the Agreement.
  • Company Account Data means personal data that relates to Company’s relationship with Customer, including names or contact information of individuals authorized by Customer to access Customer’s account.
  • Company Usage Data means Service usage data collected and processed by Company in connection with the provision of the Services, including activity logs and data used to optimize and maintain performance of the Services.
  • Data Exporter means Customer.
  • Data Importer means Company.
  • Data Protection Laws means any applicable laws and regulations relating to the use or processing of Personal Data including the CCPA, the GDPR, the Swiss Federal Act on Data Protection, and the UK Data Protection Act 2018.
  • Ex-EEA Transfer means the transfer of Personal Data from the Data Exporter to the Data Importer outside the European Economic Area.
  • Ex-UK Transfer means the transfer of Personal Data from the Data Exporter to the Data Importer outside the United Kingdom.
  • Standard Contractual Clauses means the EU SCCs and the UK SCCs.
  • EU SCCs means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021.
  • UK SCCs means the EU SCCs, as amended by the UK Addendum.

03 Relationship of the Parties; Processing of Data

The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, Company is a processor. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws.

Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data.

Company shall not process Personal Data for purposes other than those set forth in the Agreement, in a manner inconsistent with the terms and conditions set forth in this DPA, or in violation of Data Protection Laws.

Following completion of the Services, at Customer’s choice, Company shall return or delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law.

CCPA

Except with respect to Company Account Data and Company Usage Data, the parties acknowledge and agree that Company is a service provider for the purposes of the CCPA and is receiving personal information from Customer in order to provide the Services, which constitutes a business purpose. Company shall not sell any such personal information.

04 Confidentiality

Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company’s confidentiality obligations in the Agreement. Customer agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Customer.

05 Authorized Sub-Processors

Customer acknowledges and agrees that Company may (1) engage its Affiliates as well as Authorized Sub-Processors to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services. By way of this DPA, Customer provides general written authorization to Company to engage sub-processors as necessary to perform the Services.

A list of Company’s current Authorized Sub-Processors is available to Customer at pristinesend.com/legal/subprocessors. Company shall inform the Customer in writing of any intended changes to that list at least fourteen (14) days in advance, giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).

Company will enter into a written agreement with the Authorized Sub-Processor imposing data protection obligations comparable to those imposed on Company under this DPA. In case an Authorized Sub-Processor fails to fulfill its data protection obligations, Company will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations.

06 Security of Personal Data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Additional information about Company’s technical and organizational security measures is set forth in Exhibit C.

07 Transfers of Personal Data

The parties agree that Company may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Company’s primary processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer.

Ex-EEA Transfers

The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this DPA. The EU SCCs will be governed by Irish law, and disputes will be resolved before the courts of Ireland.

Ex-UK Transfers

The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum.

Transfers from Switzerland

The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with appropriate modifications to reflect the Federal Act on Data Protection and the authority of the Federal Data Protection and Information Commissioner (“FDPIC”).

Supplementary Measures

As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported. The Company will not voluntarily disclose Personal Data to any public authority in the absence of a valid and binding legal requirement.

08 Rights of Data Subjects

Company shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making.

If Company receives a Data Subject Request in relation to Customer’s data, Company will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, the Company commits to resolve DPF Principles-related complaints. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF should first contact the Company at legal@pristinesend.com.

09 Actions and Access Requests; Audits

Company shall, taking into account the nature of the processing and the information available to Company, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR.

Company shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA, and retain such records for a period of three (3) years after the termination of the Agreement.

Upon Customer’s written request at reasonable intervals, Company shall either (i) make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards, or (ii) allow Customer’s independent third party representative to conduct an audit or inspection of Company’s data security infrastructure and procedures. Any such audit shall occur no more than once per calendar year and shall be restricted to data relevant to Customer.

In the event of a Personal Data Breach, Company shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Company in its sole discretion deems necessary and reasonable to remediate such violation.

10 Company's Role as a Controller

The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller to manage the relationship with Customer, carry out Company’s core business operations, monitor and prevent fraud, and to comply with legal or regulatory obligations. Any processing by the Company as a controller shall be in accordance with the Company’s privacy policy.

11 Data Privacy Framework

The Company complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. The Company has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom.

The Company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Under certain conditions, Customers have the right to invoke binding arbitration to address residual complaints that have not been resolved through other recourse mechanisms. This arbitration is conducted in accordance with the terms set forth in Annex I of the DPF Principles at no cost to the Customer.

In the context of onward transfers to third parties, the Company remains responsible for the processing of personal data it receives under the DPF and subsequently transfers to an agent on its behalf.

12 Conflict

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) the Company’s privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

13 Exhibit A — Details of Processing

Categories of data subjects

Data subjects are the recipients of emails the Customer sends using our Services — typically their customers. Where the Customer is a processor, data subjects are their customers and end users. PristineSend also transfers the personal data of the representatives of the Customer and those who enter into this agreement and anyone they allow to access their account.

Categories of personal data transferred

The categories of personal data transferred relate to the sending and receiving of email messages. At a minimum, this includes metadata, email address and message content. Message content may also include name and other information decided and added by the sender. The Customer also has the option to enable open/link tracking and other analytics, which could include IP address, location, operating system, browser, device, email client and spam complaints.

Sensitive data transferred

Not applicable.

Frequency of transfer

Continuous, until the agreement comes to an end.

Nature of the processing

Application emails sent through PristineSend are categorized as transactional or marketing electronic messages. The nature of the processing relates to facilitating sending and receiving such email messages, including hosting/storage of contact lists and message content, and analytics services.

Purpose of the data transfer

To allow the Customer to reliably deliver application emails to their users/customers.

Retention period

We process personal data on behalf of the Customer for as long as the Agreement is active. When the Customer terminates their use of the Services, we delete their user/customer data within 90 days of the account termination.

14 Exhibit C — Technical and Organizational Security Measures

Security Governance

PristineSend maintains an information security program designed to: (a) help our customers secure their data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access, and (c) minimize security risks, including through risk assessment and regular testing.

Access Control

  • Third party data hosting: We host our Service with third party cloud infrastructure providers and maintain contractual relationships with vendors to protect data processed or stored by these vendors.
  • Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers audited for SOC 2 Type II and ISO 27001 compliance.
  • Authentication: Customers are required to authenticate before accessing their non-public data. Authentication is managed by our identity provider (Clerk), which supports multi-factor authentication available to all users.
  • Authorization: Customer Content is stored in multi-tenant storage systems which are only accessible to Customers via application user interfaces and APIs.
  • API access: Public product APIs may be accessed using an API key or through OAuth authorization. Authorization credentials are stored encrypted.

Preventing Unauthorized Product Use

  • Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.
  • Static code analysis: Automated security reviews of code stored in our source code repositories.
  • Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for annual penetration tests.

Encryption Technologies

In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on all our interfaces. Our HTTPS implementation uses industry-standard algorithms and certificates.

At-rest: We store user passwords in accordance with policies that follow industry-standard security practices. We have implemented technologies to ensure that stored data is encrypted at rest.

Availability Controls

PristineSend products are designed to ensure redundancy and seamless failover. The server instances that support the products are architected with a goal to prevent single points of failure. PristineSend has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

15 Contact

Questions about this DPA: legal@pristinesend.com.
PristineSend, 7511 Greenwood Ave North Unit 4125, Seattle, WA 98103