Data Processing Agreement

Last updated: June 30, 2026

This Data Processing Agreement ("DPA") forms part of and is incorporated into the agreement, terms of service, order, or other customer agreement (the "Principal Agreement") between Nic Tech Solutions, LLC, a Delaware limited liability company operating the Sequenzy service ("Sequenzy," "Processor," "we," or "us"), and the customer identified in the Principal Agreement ("Customer," "Controller," or "you").

This DPA governs the processing of personal data by Sequenzy on behalf of Customer in connection with the Service. It applies to the extent data protection laws, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and other applicable privacy laws, apply to that processing. If this DPA conflicts with the Principal Agreement on data protection matters, this DPA prevails.

By signing up for or using Sequenzy, you agree to this DPA as part of the Principal Agreement.

1. Definitions

Capitalized terms not defined in this DPA have the meaning given in the Principal Agreement or applicable data protection laws.

  • Data Protection Laws means all laws and regulations applicable to processing personal data under this DPA, including the GDPR, UK GDPR, and any implementing or successor legislation.
  • Personal Data means information relating to an identified or identifiable natural person processed by Sequenzy on behalf of Customer.
  • Processing means any operation performed on personal data, including collection, storage, use, disclosure, transmission, erasure, or similar activity.
  • Sub-processor means a third party engaged by Sequenzy to process personal data on Customer's behalf.
  • Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • Standard Contractual Clauses or SCCs means the standard contractual clauses approved by the European Commission and, for UK transfers, the UK International Data Transfer Addendum.
  • Service means the Sequenzy email marketing, automation, and related services provided under the Principal Agreement.

2. Roles and Scope of Processing

As between the parties, Customer determines the purposes and means of processing personal data and acts as controller. Sequenzy processes personal data only as a processor acting on Customer's behalf. Where Customer is itself a processor acting for a third-party controller, Customer warrants that it is authorized to instruct Sequenzy on that controller's behalf.

The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects are described in Annex 1. Customer is responsible for the lawfulness of the personal data it provides and the instructions it gives, including obtaining required consents, establishing a valid legal basis for processing, and honoring data subject rights and opt-outs.

3. Processing Instructions

Sequenzy will process personal data only on Customer's documented instructions, including with respect to international transfers, unless applicable law requires otherwise. The Principal Agreement, this DPA, and Customer's configuration and use of the Service constitute Customer's complete documented instructions. Additional or alternate instructions must be agreed in writing.

Sequenzy will promptly inform Customer if, in its opinion, an instruction infringes Data Protection Laws. Sequenzy is not required to perform a legal review of Customer's instructions.

4. Confidentiality

Sequenzy will ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations and are subject to access controls limiting processing to what is necessary to perform their duties.

5. Security

Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to data subjects, Sequenzy will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as further described in Annex 2.

Sequenzy may update its security measures from time to time, provided that updates do not materially reduce the overall level of protection for personal data.

6. Sub-processors

Customer provides general authorization for Sequenzy to engage sub-processors to process personal data, subject to this DPA. Sequenzy will impose written data protection obligations on each sub-processor that are no less protective than those in this DPA to the extent applicable to the sub-processor's services. Sequenzy remains liable to Customer for each sub-processor's performance.

Sequenzy will notify Customer of intended additions or replacements of sub-processors, for example by updating Annex 3 or a public sub-processor page and/or by email, and will provide Customer a reasonable opportunity to object on reasonable data-protection grounds before the new sub-processor begins processing. If the parties cannot resolve a timely, reasonable objection, Customer may terminate the affected part of the Service as its sole remedy.

7. Data Subject Rights

Taking into account the nature of the processing, Sequenzy will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to data subject rights requests under Data Protection Laws. If Sequenzy receives such a request directly, it will, unless legally prohibited, promptly forward it to Customer and will not respond except on Customer's instructions.

8. Personal Data Breach

Sequenzy will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting personal data processed under this DPA. The notice will, to the extent then known and reasonably available, describe the nature of the breach, likely consequences, and measures taken or proposed to address it. Information may be provided in phases as it becomes available.

9. DPIAs and Prior Consultation

Taking into account the nature of the processing and information available to Sequenzy, Sequenzy will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities that Customer reasonably considers required under Data Protection Laws for processing under this DPA.

10. International Data Transfers

To the extent processing involves a transfer of personal data from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the parties agree that the applicable SCCs, including the UK Addendum and any Swiss amendments, are incorporated into this DPA by reference. Sequenzy acts as data importer and Customer acts as data exporter.

The relevant SCC module is Module Two (controller to processor) where Customer is a controller, or Module Three (processor to processor) where Customer acts as a processor. Information required to complete the SCC annexes is taken from Annexes 1, 2, and 3 of this DPA. Where the SCCs conflict with this DPA, the SCCs prevail for the relevant transfer.

11. Audits and Information

Sequenzy will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Sequenzy will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable notice, confidentiality obligations, frequency limits of no more than once per year absent a Personal Data Breach or regulator requirement, and protection of other customers' data and Sequenzy security. Sequenzy may satisfy audit requests by providing then-current third-party certifications, reports, or summaries where available.

12. Return and Deletion

Upon termination or expiry of the Principal Agreement, and at Customer's choice, Sequenzy will delete or return all personal data processed on Customer's behalf and delete existing copies, unless retention is required by applicable law. Sequenzy may retain personal data in routine backups for a limited period consistent with its backup and retention practices, during which the personal data remains protected by this DPA and is not actively processed.

13. Liability, Term, and General Terms

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability in the Principal Agreement. Nothing in this DPA limits liability that cannot be limited under applicable law.

This DPA takes effect when Customer accepts the Principal Agreement or signs up for the Service and continues for as long as Sequenzy processes personal data on Customer's behalf. Provisions that by their nature should survive termination, including confidentiality, transfers, liability, and deletion, survive.

In case of conflict on data protection matters, the SCCs prevail over this DPA, and this DPA prevails over the Principal Agreement. This DPA is governed by the law and jurisdiction stated in the Principal Agreement, defaulting to the State of Delaware, USA, except that the SCCs are governed as specified within them. Data protection notices to Sequenzy may be sent to privacy@sequenzy.com.

Annex 1 - Details of the Processing

Subject matter: Provision of the Sequenzy email marketing and automation Service to Customer.

Duration: For the term of the Principal Agreement, plus any period required for return or deletion of personal data.

Nature and purpose: Hosting, storing, organizing, sending, and analyzing email and related communications and automations on behalf of Customer; managing subscriber lists, segments, and campaigns; and providing analytics, deliverability, and support.

Categories of data subjects: Customer's subscribers, contacts, leads, and customers; Customer's own personnel and authorized account users.

Categories of personal data: Contact identifiers, marketing and engagement data, technical data such as IP address and user agent, approximate location derived from email engagement, and account-user data for authorized users.

Special categories: Not intended. Customer must not upload special-category data under Article 9 GDPR unless separately agreed in writing and is responsible for any additional safeguards required by law.

Frequency of transfer: Continuous for the duration of the Service.

Annex 2 - Technical and Organizational Measures

Sequenzy maintains a security program including, where applicable to the Service, the measures below. Specific measures may evolve provided the overall level of protection is not materially reduced.

  • Access control, including role-based access controls, least privilege, unique user accounts, and multi-factor authentication for administrative production access.
  • Encryption of personal data in transit using TLS and encryption at rest for the primary database and object storage.
  • Network and infrastructure security using reputable cloud providers, environment segregation, firewalls or security groups, and restricted production access.
  • Data minimization and pseudonymization, including collection limited to data necessary to provide the Service and hashing of identifiers where supported.
  • Resilience and availability measures, including managed redundant hosting, automated backups, and procedures to restore availability and access after an incident.
  • Logging and monitoring, including application error monitoring, administrative audit logs, and alerting on anomalous activity.
  • Vulnerability management through dependency and platform updates and risk-prioritized remediation.
  • Personnel confidentiality obligations and access limited to those who need access to perform their duties.
  • Sub-processor management through written data-protection terms and review of security posture.
  • Incident response procedures for detecting, investigating, and notifying Customer of Personal Data Breaches without undue delay.

Annex 3 - Authorized Sub-processors

Sequenzy engages the sub-processors below to process personal data in connection with the Service. Feature-dependent sub-processors process personal data only where Customer uses or enables the corresponding feature. Customer may request the full legal name, registered address, and contact details of any sub-processor.

Core sub-processors

  • PlanetScale: Primary database hosting for Customer account data and subscriber contact records.
  • Railway: Redis hosting for queues, cache, and transient email-processing data.
  • Cloudflare: Object storage, DNS, CDN, custom tracking domains, asset storage, exported data, and routing.
  • Amazon Web Services (AWS): Outbound email transmission and processing of inbound mail and delivery or engagement events.
  • Stripe: Billing, subscriptions, and payment events. Stripe acts as an independent controller for cardholder data.
  • PostHog: Product and usage analytics relating to the Service.
  • Sentry: Error monitoring and diagnostics, which may incidentally contain personal data.
  • Google: OAuth login, AI features, and Ads conversion tracking where enabled by Customer.

Feature-dependent sub-processors

  • Zernio: Meta custom audience sync, typically involving hashed subscriber email addresses for audience matching.
  • Meta Platforms: Pixel, Conversions API, and custom-audience data where the relevant feature is enabled.
  • fal.ai: AI image generation prompts and Customer-supplied content submitted to image generation.
  • Brand.dev / Context.dev: Brand and logo enrichment from Customer-supplied domains.
  • Pexels: Stock image search prompts submitted by Customer.
  • Vercel: Frontend and application hosting where production is deployed on this provider.
  • Telegram: Internal operational alerts where alerts may include personal data.

Several sub-processors operate globally. Where a sub-processor processes personal data outside the EEA or UK, transfers are made subject to the safeguards in Section 10, including the SCCs. Specific hosting regions can be provided on request.

Related Documents

This DPA should be read together with our Terms of Service and Privacy Policy.