SEND-SECURELY.COM
Request a demo
Legal

Data Processing Addendum

Effective June 1, 2026

Parties

This Data Processing Addendum ("DPA") is between Send-Securely.com, Inc. ("Processor") and the customer entity that has executed an applicable Order Form or Service Agreement ("Controller"). This DPA is incorporated into and forms part of the agreement between the parties.

Scope and subject matter

This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the SEND-SECURELY.COM enterprise file transfer service. It does not apply to personal data for which the Processor acts as a controller in its own right, which is addressed separately in the Privacy Notice.

Duration

This DPA remains in effect for the duration of the underlying service agreement and continues until all personal data processed under it has been returned or deleted in accordance with the Termination section below.

Nature and purpose

The Processor processes personal data for the purpose of providing the file transfer, audit logging, encryption, and related features of the service as described in the applicable documentation. Processing includes storage, transmission, access logging, and deletion of personal data as directed by the Controller through the service's administrative controls.

Data categories

Personal data processed under this DPA may include: names and work email addresses of end users provisioned by the Controller; authentication and access event records; transfer metadata (sender, recipient, timestamps, file names); and any personal data contained within files transmitted through the service, the categories of which are determined entirely by the Controller.

Controller and processor roles

The Controller determines the purposes and means of processing personal data submitted to the service. The Processor processes that data only on documented instructions from the Controller, except where applicable law requires otherwise. Processor personnel who access personal data are subject to confidentiality obligations.

Sub-processors

The Processor may engage sub-processors to assist in delivering the service. A current list of authorized sub-processors is maintained in the Controller's admin console. The Processor will provide advance notice before adding new sub-processors and will impose data protection obligations on sub-processors consistent with those in this DPA.

US-only processing locations

All processing of personal data under this DPA occurs within data centers located in the United States. Send-Securely.com, Inc. does not maintain processing infrastructure outside the United States and does not transfer personal data to servers or personnel located outside the United States in the course of providing the service.

Security measures

The Processor maintains technical and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit and at rest using industry-standard algorithms, role-based access controls with multi-factor authentication requirements for administrative access, and continuous monitoring and intrusion-detection capabilities. A summary of applicable security controls is available to Controllers on request.

Data subject requests

The Processor will promptly forward to the Controller any data subject request received that relates to personal data processed under this DPA. The Controller is responsible for responding to such requests. The Processor will provide reasonable assistance to the Controller in fulfilling its obligations to respond to data subject requests, taking into account the nature of the processing and the information available to the Processor.

Audit and assessment rights

No more than once per calendar year, the Controller may request a written assessment of the Processor's data protection practices. The Processor will respond to such requests by providing relevant documentation, including current third-party audit reports or certifications where available. On-site audits require at least thirty days advance written notice and are subject to reasonable confidentiality restrictions.

Termination

Upon expiration or termination of the service agreement, the Processor will, at the Controller's election and within thirty days of written request, either return or securely delete all personal data processed under this DPA, except where applicable law requires retention for a longer period.

Contact

Questions regarding this DPA should be directed to Send-Securely.com, Inc. · Cheyenne, Wyoming · legal@send-securely.com