Data Processing Addendum
Last updated: June 8, 2026
Version: 1.0
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Kyuzo Corporation d/b/a Senders ("Senders," "Processor") and the customer ("Customer," "Controller"). It governs Senders' processing of personal data on Customer's behalf. Where Senders processes personal data as a controller (for example, Customer account and billing data), the Privacy Policy applies. By accepting the Terms, both parties accept this DPA.
If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls.
1. Definitions
Terms such as "controller," "processor," "personal data," "processing," "data subject," and "personal data breach" have the meanings given under applicable data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable U.S. state privacy laws ("Data Protection Laws"). "Customer Personal Data" means personal data Senders processes on Customer's behalf under the Terms.
2. Roles and scope
2.1 For Customer Personal Data, Customer is the controller and Senders is the processor. Where Customer is itself a processor for a third party, Senders is a sub-processor.
2.2 Senders processes Customer Personal Data only to provide the Service, in accordance with the Terms, this DPA, and Customer's documented instructions, including as set out in Annex A. Senders will inform Customer if, in its opinion, an instruction violates Data Protection Laws.
2.3 Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for having a lawful basis for the processing, including for contacting recipients, and for any required notices and consents. Senders does not provide notices to or obtain consent from recipients.
3. Senders' obligations
3.1 Instructions. Senders processes Customer Personal Data only on Customer's documented instructions, including regarding transfers, unless required by law (in which case Senders will notify Customer where permitted).
3.2 Confidentiality. Senders ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
3.3 Security. Senders implements and maintains appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex C.
3.4 Assistance. Taking into account the nature of the processing, Senders will assist Customer, by appropriate measures, in responding to data subject requests and in meeting Customer's obligations regarding security, breach notification, and data protection impact assessments.
3.5 Data subject requests. If Senders receives a request from a data subject regarding Customer Personal Data, it will refer the request to Customer and not respond directly except on Customer's instruction or as required by law.
3.6 Breach notification. Senders will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer's own obligations.
3.7 Deletion or return. On termination of the Service, Senders will delete Customer Personal Data in accordance with the retention schedule in the Privacy Policy, except for suppression and opt-out records (retained indefinitely to honor opt-outs) and data Senders must retain by law. On Customer's request before deletion, Senders will make Customer Personal Data available for export where technically feasible.
4. Sub-processors
4.1 Customer authorizes Senders to engage the sub-processors listed in Annex B and to add or replace sub-processors as the Service evolves.
4.2 Senders imposes data protection obligations on its sub-processors substantially similar to those in this DPA and remains responsible for their performance.
4.3 Senders will provide notice of intended changes to its sub-processors (for example, by updating Annex B or the Privacy Policy). Customer may object on reasonable data protection grounds within thirty (30) days; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected Service.
5. International transfers
5.1 Where Senders transfers Customer Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (Module Two, controller-to-processor, or Module Three, processor-to-processor, as applicable), which are incorporated by reference, together with the UK International Data Transfer Addendum and the Swiss amendments as applicable.
5.2 The parties agree that for the purposes of the Clauses: the data exporter is Customer; the data importer is Senders; the governing law and forum are as provided in the Clauses; and Annexes A, B, and C of this DPA populate the corresponding annexes of the Clauses.
6. U.S. state privacy laws
6.1 To the extent the California Consumer Privacy Act (as amended) or similar U.S. state laws apply, Senders acts as a "service provider" (or "processor") and not as a "third party." Senders will not sell or share Customer Personal Data, will not retain, use, or disclose it except as necessary to provide the Service or as permitted by law, and will not combine it with personal data from other sources except as permitted for a service provider. Senders certifies that it understands and will comply with these restrictions.
7. Audit
Senders will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including by providing relevant documentation or third-party reports, subject to reasonable confidentiality and security conditions.
8. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms.
Annex A — Details of processing
Subject matter: Provision of outbound email infrastructure and related services.
Duration: For the term of the Service plus the retention periods in the Privacy Policy.
Nature and purpose: Sending email on Customer's behalf; connecting to and reading replies from Customer's mailboxes; sourcing, verifying, importing, and managing recipient contact data; generating AI-assisted content at Customer's request; tracking delivery and engagement; and reporting.
Types of personal data: Business contact information (name, job title, employer, business email address, phone where provided); email content and replies; sending and engagement events (delivery, open, click, bounce, unsubscribe) including IP address and user-agent for tracking events; mailbox content for the activity run through the Service; and Customer account and user data.
Categories of data subjects: Customer's personnel and Authorized Users; and the recipients (prospects and contacts) that Customer chooses to contact through the Service.
Special-category data: None intended. Customer must not submit special-category or sensitive data.
Annex B — Sub-processors
The following sub-processors process personal data in connection with the Service. Roles are stated as implemented in the Service. Locations marked for confirmation are subject to verification with infrastructure records.
Sending and mailbox pipeline (process recipient/Prospect Data):
| Sub-processor | Role | Location |
|---|---|---|
| SendGrid (Twilio) | Outbound email delivery for managed and SMTP sending | United States |
| Unipile | Mailbox connection (Google/Microsoft) for sending and reading replies | European Union (confirmation pending) |
| Nylas | Legacy mailbox connection during migration to Unipile; to be removed on cutover | United States |
| Postmark | System and billing email (transactional) | United States |
| Apollo | Business contact (prospect) data sourcing | United States |
| MillionVerifier | Email address verification | European Union (confirmation pending) |
| MailReach | Inbox warmup and placement testing | European Union |
| OpenAI | AI Sequence Builder and certain internal AI processing | United States |
Infrastructure and operations:
| Sub-processor | Role | Location |
|---|---|---|
| Senders hosting infrastructure | Application hosting, database, daily on-server backups (14-day retention) | European Union (Lithuania) |
| Stripe | Payment processing | United States |
| Anthropic | Internal administrative AI tooling only (not the customer send pipeline) | United States |
| | Postmaster Tools and, where connected, mailbox access | United States |
| Sentry | Application error monitoring (enabled in production) | United States (region confirmation pending) |
| Slack | Internal operational notifications | United States |
| PandaDoc, TL;dv, Calendly | Sales and operations tooling (account/relationship data only; not the send pipeline) | United States |
| Zapier | Internal automation (account/relationship data only) | United States |
Nylas will be removed from this Annex once the Unipile cutover is complete and the Nylas code path is removed.
Annex C — Technical and organizational security measures
- Encryption in transit: TLS for data transmitted to and from the Service.
- Encryption of credentials/tokens: Stored OAuth and access tokens, and other sensitive credentials, are encrypted at rest at the application layer using AES-256.
- Authentication: Passwords hashed with a strong one-way algorithm; access controls on accounts.
- Access control: Production access restricted to authorized personnel on a need-to-know basis.
- Network and host controls: Encrypted connections; maintained operating systems and dependencies.
- Suppression and opt-out controls: Global and per-account suppression enforced in the send pipeline.
- Monitoring and logging: Operational logging and, where enabled, error monitoring.
- Data minimization and retention: Retention enforced per the Privacy Policy schedule.
- Backups: Daily automated database backups (compressed dumps) with 14-day retention, stored on the production infrastructure.
- At-rest encryption scope: Application-level AES-256 encryption of sensitive credentials and access tokens. Full-disk encryption is not currently enabled on the database host.
- Breach response: A breach-notification process supported by error monitoring (Sentry) and operational logging; Customer is notified within seventy-two (72) hours per Section 3.6.