Last updated: June 30, 2026
This Data Processing Agreement ("DPA") forms part of and is incorporated into the agreement, terms of service, order, or other customer agreement (the "Principal Agreement") between Nic Tech Solutions, LLC, a Delaware limited liability company operating the Sequenzy service ("Sequenzy," "Processor," "we," or "us"), and the customer identified in the Principal Agreement ("Customer," "Controller," or "you").
This DPA governs the processing of personal data by Sequenzy on behalf of Customer in connection with the Service. It applies to the extent data protection laws, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and other applicable privacy laws, apply to that processing. If this DPA conflicts with the Principal Agreement on data protection matters, this DPA prevails.
By signing up for or using Sequenzy, you agree to this DPA as part of the Principal Agreement.
Capitalized terms not defined in this DPA have the meaning given in the Principal Agreement or applicable data protection laws.
As between the parties, Customer determines the purposes and means of processing personal data and acts as controller. Sequenzy processes personal data only as a processor acting on Customer's behalf. Where Customer is itself a processor acting for a third-party controller, Customer warrants that it is authorized to instruct Sequenzy on that controller's behalf.
The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects are described in Annex 1. Customer is responsible for the lawfulness of the personal data it provides and the instructions it gives, including obtaining required consents, establishing a valid legal basis for processing, and honoring data subject rights and opt-outs.
Sequenzy will process personal data only on Customer's documented instructions, including with respect to international transfers, unless applicable law requires otherwise. The Principal Agreement, this DPA, and Customer's configuration and use of the Service constitute Customer's complete documented instructions. Additional or alternate instructions must be agreed in writing.
Sequenzy will promptly inform Customer if, in its opinion, an instruction infringes Data Protection Laws. Sequenzy is not required to perform a legal review of Customer's instructions.
Sequenzy will ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations and are subject to access controls limiting processing to what is necessary to perform their duties.
Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to data subjects, Sequenzy will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as further described in Annex 2.
Sequenzy may update its security measures from time to time, provided that updates do not materially reduce the overall level of protection for personal data.
Customer provides general authorization for Sequenzy to engage sub-processors to process personal data, subject to this DPA. Sequenzy will impose written data protection obligations on each sub-processor that are no less protective than those in this DPA to the extent applicable to the sub-processor's services. Sequenzy remains liable to Customer for each sub-processor's performance.
Sequenzy will notify Customer of intended additions or replacements of sub-processors, for example by updating Annex 3 or a public sub-processor page and/or by email, and will provide Customer a reasonable opportunity to object on reasonable data-protection grounds before the new sub-processor begins processing. If the parties cannot resolve a timely, reasonable objection, Customer may terminate the affected part of the Service as its sole remedy.
Taking into account the nature of the processing, Sequenzy will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to data subject rights requests under Data Protection Laws. If Sequenzy receives such a request directly, it will, unless legally prohibited, promptly forward it to Customer and will not respond except on Customer's instructions.
Sequenzy will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting personal data processed under this DPA. The notice will, to the extent then known and reasonably available, describe the nature of the breach, likely consequences, and measures taken or proposed to address it. Information may be provided in phases as it becomes available.
Taking into account the nature of the processing and information available to Sequenzy, Sequenzy will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities that Customer reasonably considers required under Data Protection Laws for processing under this DPA.
To the extent processing involves a transfer of personal data from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the parties agree that the applicable SCCs, including the UK Addendum and any Swiss amendments, are incorporated into this DPA by reference. Sequenzy acts as data importer and Customer acts as data exporter.
The relevant SCC module is Module Two (controller to processor) where Customer is a controller, or Module Three (processor to processor) where Customer acts as a processor. Information required to complete the SCC annexes is taken from Annexes 1, 2, and 3 of this DPA. Where the SCCs conflict with this DPA, the SCCs prevail for the relevant transfer.
Sequenzy will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Sequenzy will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable notice, confidentiality obligations, frequency limits of no more than once per year absent a Personal Data Breach or regulator requirement, and protection of other customers' data and Sequenzy security. Sequenzy may satisfy audit requests by providing then-current third-party certifications, reports, or summaries where available.
Upon termination or expiry of the Principal Agreement, and at Customer's choice, Sequenzy will delete or return all personal data processed on Customer's behalf and delete existing copies, unless retention is required by applicable law. Sequenzy may retain personal data in routine backups for a limited period consistent with its backup and retention practices, during which the personal data remains protected by this DPA and is not actively processed.
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability in the Principal Agreement. Nothing in this DPA limits liability that cannot be limited under applicable law.
This DPA takes effect when Customer accepts the Principal Agreement or signs up for the Service and continues for as long as Sequenzy processes personal data on Customer's behalf. Provisions that by their nature should survive termination, including confidentiality, transfers, liability, and deletion, survive.
In case of conflict on data protection matters, the SCCs prevail over this DPA, and this DPA prevails over the Principal Agreement. This DPA is governed by the law and jurisdiction stated in the Principal Agreement, defaulting to the State of Delaware, USA, except that the SCCs are governed as specified within them. Data protection notices to Sequenzy may be sent to privacy@sequenzy.com.
Subject matter: Provision of the Sequenzy email marketing and automation Service to Customer.
Duration: For the term of the Principal Agreement, plus any period required for return or deletion of personal data.
Nature and purpose: Hosting, storing, organizing, sending, and analyzing email and related communications and automations on behalf of Customer; managing subscriber lists, segments, and campaigns; and providing analytics, deliverability, and support.
Categories of data subjects: Customer's subscribers, contacts, leads, and customers; Customer's own personnel and authorized account users.
Categories of personal data: Contact identifiers, marketing and engagement data, technical data such as IP address and user agent, approximate location derived from email engagement, and account-user data for authorized users.
Special categories: Not intended. Customer must not upload special-category data under Article 9 GDPR unless separately agreed in writing and is responsible for any additional safeguards required by law.
Frequency of transfer: Continuous for the duration of the Service.
Sequenzy maintains a security program including, where applicable to the Service, the measures below. Specific measures may evolve provided the overall level of protection is not materially reduced.
Sequenzy engages the sub-processors below to process personal data in connection with the Service. Feature-dependent sub-processors process personal data only where Customer uses or enables the corresponding feature. Customer may request the full legal name, registered address, and contact details of any sub-processor.
Several sub-processors operate globally. Where a sub-processor processes personal data outside the EEA or UK, transfers are made subject to the safeguards in Section 10, including the SCCs. Specific hosting regions can be provided on request.
This DPA should be read together with our Terms of Service and Privacy Policy.