Data Processing Agreement
Last updated July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Controller”) and Noria Technologies LTD (“SendStack”, the “Processor”) and applies where SendStack processes personal data on your behalf to provide the service.
Roles and scope
You determine the purposes and means of processing the personal data contained in the messages you send and are the Controller. SendStack processes that data only to deliver your email, SMS and WhatsApp messages, generate the delivery and engagement events you request, prevent abuse, and provide support - and acts as your Processor for those purposes.
Nature of the data
The personal data processed typically includes recipient identifiers (email addresses and phone numbers), message content and metadata you submit, and the resulting delivery events. You are responsible for having a lawful basis to send to your recipients and for the content you transmit.
Our obligations
SendStack processes personal data only on your documented instructions (including through your use of the API), ensures that personnel with access are bound by confidentiality, and applies appropriate technical and organisational measures - including encryption in transit, tenant isolation and access controls - to protect the data.
Subprocessors
You authorise SendStack to engage subprocessors to deliver your messages, including Amazon Web Services (SES) for email and Noria SMS together with the mobile networks for SMS, and Meta for WhatsApp. Each subprocessor is bound by data-protection terms consistent with this DPA. We will make reasonable efforts to inform you of material changes to our subprocessors.
International transfers
Where personal data is transferred across borders in the course of delivering your messages, we and our subprocessors rely on appropriate safeguards for such transfers as required by applicable law.
Data subject requests and assistance
Taking into account the nature of the processing, SendStack will assist you with reasonable measures to respond to data-subject requests and to meet your security, breach-notification and impact-assessment obligations. We will notify you without undue delay after becoming aware of a personal-data breach affecting your data.
Retention and deletion
We retain message metadata and events only as long as needed to provide the service and meet legal obligations, after which they are deleted or anonymised. On termination or account erasure, we delete or anonymise the personal data we process on your behalf, except where retention is required by law.
Contact
For data-protection questions or to formalise this DPA, email [email protected].