Data Processing Addendum
Last updated: 3 January 2026
Overview
This Data Processing Addendum ("DPA") forms part of the agreement between Redlio Designs ("Sendlio", "Processor") and the Subscriber ("Controller") for the use of the Sendlio Service. It sets out how Sendlio processes personal data on behalf of the Controller and reflects the parties' obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and India's Digital Personal Data Protection Act, 2023 (DPDP Act).
1. Definitions
Capitalized terms used but not defined here have the meanings given in Sendlio's Terms of Service or the applicable data-protection law. "Subscriber Data" means personal data contained in contact lists, messages, replies, and engagement metadata that the Controller submits to the Service. "Sub-processor" means any third party engaged by Sendlio to process Subscriber Data.
2. Roles of the parties
The Controller is the "controller" (or "business" under CCPA) of Subscriber Data. Sendlio is the "processor" (or "service provider" under CCPA) that processes Subscriber Data solely on the documented instructions of the Controller, except where otherwise required by law.
3. Scope and purpose
Sendlio processes Subscriber Data to provide the Service, including: storing contact lists and message templates; sending and warming up email on the Controller's behalf; detecting replies and bounces; generating analytics dashboards; and providing technical support. Sendlio will not use Subscriber Data for its own marketing, nor sell, rent, or share it for advertising.
4. Categories of data and data subjects
Data subjects include the Controller's staff, contacts, leads, customers, prospects, and message recipients. Personal data categories include: name, business contact details, job title, company, email content, email metadata, IP address, open/click/reply events, and any other data the Controller chooses to upload.
5. Sub-processors
The Controller authorizes Sendlio to engage sub-processors to deliver the Service. A current list is available on request via privacy@sendlio.com and covers infrastructure (AWS, Cloudflare), email delivery (Postmark, SendGrid), payment processing (Stripe), analytics (Plausible / PostHog), and support tooling (Intercom, Crisp). Sendlio gives at least 30 days' notice of any new sub-processor; the Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith on a remedy, or the Controller may terminate the affected Service.
6. Confidentiality
Sendlio ensures that personnel authorized to process Subscriber Data are bound by written confidentiality obligations and are trained on data-protection responsibilities.
7. Security
Sendlio applies technical and organizational measures appropriate to the risk, including: encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access control and least-privilege; multi-factor authentication for administrative access; centralized audit logging; encrypted storage of mailbox credentials and OAuth tokens; network segmentation; routine vulnerability scanning; and incident-response procedures.
8. Personal data breaches
Sendlio will notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Subscriber Data. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
9. Data subject requests
Sendlio will, to the extent legally permitted, promptly notify the Controller of any request received directly from a data subject and will assist the Controller in responding to access, rectification, deletion, portability, objection, and restriction requests, using appropriate technical and organizational measures.
10. International transfers
Subscriber Data may be transferred to, and processed in, countries outside the Controller's jurisdiction, including the United States and the European Union. Where such transfers involve personal data subject to GDPR or UK GDPR, the parties rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) or the UK International Data Transfer Addendum, each incorporated by reference into this DPA. Sendlio applies additional safeguards where required.
11. Audits
The Controller may audit Sendlio's compliance with this DPA, at its own cost, no more than once per 12-month period and on reasonable advance notice, by reviewing a current third-party audit report (where available) or, where necessary, by on-site audit scheduled during business hours and subject to Sendlio's confidentiality and security requirements.
12. Deletion and return
On termination or expiration of the Service, or at the Controller's earlier written request, Sendlio will delete or return all Subscriber Data within 30 days from production systems and within 90 days from backups, except where retention is required by law.
13. California (CCPA/CPRA) specifics
With respect to personal information of California residents, Sendlio acts as a "service provider" and will not (a) sell or share the personal information; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Terms; (c) retain, use, or disclose it outside the direct business relationship with the Controller; or (d) combine it with personal information from other sources except as permitted by the CCPA.
14. India (DPDP Act) specifics
For personal data of Indian data principals, the Controller acts as the "Data Fiduciary" and Sendlio acts as a "Data Processor" under the DPDP Act. Sendlio will process such data only on the Controller's instructions and will assist the Controller in fulfilling its obligations under the Act.
15. Order of precedence
If there is any conflict between the Terms of Service, the Privacy Policy, and this DPA, the order of precedence is: (1) this DPA, (2) the Terms of Service, (3) the Privacy Policy — solely with respect to the processing of personal data on the Controller's behalf.
16. Contact
To execute a signed copy of this DPA, request an SCC copy, or ask any data-protection question: privacy@sendlio.com. Postal: Redlio Designs, 12 Krishna Complex, Janta Fatak, Jamnagar, Gujarat, India – 361006.