Data Processing Agreement
Version 2.0 | Effective: January 10, 2026
📄 Enterprise Feature: This DPA is automatically included with Business and Enterprise plans. Contact
legal@sndo.app to execute a signed copy.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Sendo ("Processor") and Customer ("Controller") and governs the processing of Personal Data in compliance with GDPR.
1. Definitions
| Term |
Definition |
| Personal Data |
Click analytics data including IP addresses, device information, and user behavior data processed by Sendo on Customer's behalf |
| Data Subject |
End users who click on Customer's shortened links |
| Controller |
Customer (you) - determines purposes and means of processing |
| Processor |
Sendo - processes Personal Data on Controller's behalf |
2. Scope and Applicability
- Applies to Business and Enterprise plan customers
- Covers processing of click analytics and link data
- Complies with GDPR Articles 28 and 32
- Includes Standard Contractual Clauses for international transfers
3. Processing Details
3.1 Subject Matter
Provision of link management and analytics services.
3.2 Duration
For the duration of the subscription agreement.
3.3 Nature and Purpose
- URL shortening and redirection
- Click tracking and analytics
- Geographic and device information collection
- Link performance reporting
3.4 Types of Personal Data
- IP addresses (pseudonymized)
- User agent strings
- Device type and operating system
- Geographic location (country/city)
- Referrer URLs
- Timestamps
3.5 Categories of Data Subjects
- End users clicking on shortened links
- Website visitors redirected through Sendo
4. Processor Obligations
4.1 Instructions
Sendo processes Personal Data only on documented instructions from the Controller, except where required by law.
4.2 Confidentiality
All personnel with access to Personal Data are bound by confidentiality obligations.
4.3 Security Measures
- TLS/SSL encryption in transit
- AES-256 encryption at rest
- Regular security audits and penetration testing
- Access controls and authentication
- Incident response procedures
4.4 Sub-Processors
Sendo may engage the following sub-processors:
| Sub-Processor |
Service |
Location |
| Stripe, Inc. |
Payment processing |
United States |
| Cloudflare, Inc. |
CDN and security |
United States / EU |
| Railway |
Cloud hosting |
United States / EU |
Controller will be notified of any sub-processor changes with 30 days' notice.
4.5 Data Subject Rights
Sendo will assist Controller in responding to Data Subject requests:
- Access requests
- Rectification and deletion
- Data portability
- Restriction and objection
4.6 Data Breach Notification
- Notification within 48 hours of becoming aware
- Details of the breach and affected data
- Mitigation measures taken
- Recommendations for Controller action
4.7 Audits
- Enterprise customers may audit once annually
- SOC 2 Type II reports provided upon request
- 30 days' notice required for on-site audits
5. Controller Obligations
- Ensure legal basis for processing
- Provide clear privacy notices to Data Subjects
- Comply with GDPR and applicable data protection laws
- Not instruct Sendo to process data unlawfully
6. International Data Transfers
6.1 Standard Contractual Clauses
For transfers outside the EU/EEA, Sendo relies on:
- EU Standard Contractual Clauses (2021/914)
- Module Two: Controller to Processor transfers
- Incorporated by reference in this DPA
6.2 Additional Safeguards
- Encryption in transit and at rest
- Pseudonymization of IP addresses
- Access controls limiting data access
- Regular security assessments
7. Data Retention and Deletion
7.1 Retention Periods
- Active Links: While link is active
- Analytics Data: Per plan (12-24 months, unlimited for Enterprise)
- Deleted Accounts: 30-day grace period, then permanent deletion
7.2 Return or Deletion
Upon termination or Controller request:
- 30-day period to export data
- Permanent deletion within 60 days
- Certification of deletion provided upon request (Enterprise)
8. Limitation of Liability
Sendo's liability under this DPA is subject to the limitations in the Terms of Service, except where prohibited by law.
9. Term and Termination
- Effective while subscription is active
- Survives termination for data retention obligations
- Sections 7 (Data Deletion) and 8 (Liability) survive termination
10. Governing Law
This DPA is governed by Swedish law and GDPR.
11. Contact for DPA Matters
12. Executing the DPA
For Business and Enterprise customers requiring a signed copy:
- Contact legal@sndo.app
- Provide company details and contact information
- We'll send a PDF for signature within 5 business days
- Countersigned copy returned within 48 hours
