Updated Draft, June 2026
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer (“Controller”) and Echospectra Technology Limited (“Processor”, “we”), which operates SendByte. It governs our processing of personal data on the Controller’s behalf when the Controller sends email through SendByte. It is designed to meet the Nigeria Data Protection Act 2023 (NDPA) and, where the Controller has EU/UK data subjects, to support GDPR Article 28 obligations. Enterprise customers may request a countersigned copy.
1. Roles
The Controller determines the purposes and means of processing the personal data of its recipients. We process that data only as a Processor, on the Controller’s documented instructions, which include the Terms, this DPA, and the Controller’s use of the Service.
2. Subject matter, duration, nature, and purpose
We process personal data to provide email delivery and reporting: accepting messages, authenticating and routing them, delivering to recipients, handling bounces and complaints, and reporting delivery events. Processing lasts for the term of the Terms and any wind-down period.
3. Categories of data and data subjects
- Data subjects: the Controller’s recipients and contacts.
- Personal data: email addresses, names and other details in message headers and bodies as determined by the Controller, attachments, and delivery event data. The Controller must not send special-category data unless lawful and necessary, and acknowledges that email is not a suitable channel for highly sensitive data without additional safeguards.
4. Our obligations
We will:
- Process personal data only on the Controller’s documented instructions, including for international transfers, unless required by law (in which case we notify the Controller where lawful).
- Ensure personnel authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Annex A).
- Respect the conditions for engaging sub-processors (section 5).
- Assist the Controller, taking into account the nature of processing, in responding to data-subject rights requests.
- Assist the Controller with security, breach notification, and data-protection impact assessments.
- Notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data.
- At the Controller’s choice, delete or return personal data at the end of the service, subject to legal retention and to suppression-list data retained to honor recipients’ opt-outs.
- Make available information needed to demonstrate compliance and allow for audits as described in section 6.
5. Sub-processors
The Controller authorizes us to engage sub-processors to deliver the Service. Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Infrastructure, storage | af-south-1 (Cape Town) |
| Cloudflare | CDN, DDoS protection, email tracking | Global edge |
| Paystack / Flutterwave | Payment processing (billing data only) | Nigeria |
We impose data-protection terms on each sub-processor no less protective than this DPA, and remain responsible for their performance. We will give the Controller notice of any intended change to sub-processors and an opportunity to object.
6. Audits
We will make available the information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports when available (for example, SOC 2, which is on our roadmap). On reasonable notice and no more than once a year, the Controller may audit our compliance, subject to confidentiality and to not disrupting our operations or other customers’ security.
7. International transfers
Where personal data of EU/UK data subjects is transferred outside its region, the parties will put in place an appropriate transfer mechanism, such as standard contractual clauses, which are incorporated by reference where applicable.
8. Liability
Each party’s liability under this DPA is subject to the limitations of liability in the Terms.
9. Governing law
This DPA is governed by the laws of the Federal Republic of Nigeria, consistent with the Terms.
Annex A: Security measures
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
- Data residency in AWS af-south-1 (Cape Town).
- Network isolation of delivery infrastructure; databases not publicly reachable.
- Least-privilege access control and secret management.
- API keys stored only as bcrypt hashes; webhook payloads signed (HMAC).
- Audit logging of account and API actions.
- Suppression handling for hard bounces, complaints, and unsubscribes.
- Dependency scanning and regular security review; third-party penetration testing on the roadmap.