1. Parties and scope
This Data Protection Addendum forms part of the agreement between the customer using VueSend and VueSend. It applies to personal data processed by VueSend on behalf of the customer to provide the service.
If there is a conflict between this DPA and the Terms of Use regarding processing of customer personal data, this DPA controls for that processing.
2. Definitions
Controller, processor, data subject, personal data, processing, personal data breach and supervisory authority have the meanings given in GDPR or equivalent privacy laws where applicable.
Customer Personal Data means personal data that VueSend processes on behalf of the customer through the service, including subscriber data, campaign recipient data, form submissions, tracking events and preference data.
3. Roles
For Customer Personal Data, the customer is the controller, business or equivalent decision-making party, and VueSend is the processor, service provider or equivalent processing party.
For account administration, billing, security, legal compliance, abuse prevention, product analytics and VueSend business operations, VueSend may process personal data as an independent controller as described in the Privacy Policy.
4. Customer instructions
VueSend will process Customer Personal Data only to provide, secure, maintain, support, troubleshoot and improve the service, to comply with documented customer instructions, to fulfill legal obligations, and as otherwise permitted by this DPA.
The customer instructs VueSend to process Customer Personal Data as needed to send messages, host content, manage contacts, apply suppressions, record events, run automations, provide analytics, operate forms, support integrations and protect the platform from abuse.
5. Customer responsibilities
The customer is responsible for the lawfulness, transparency, accuracy, permissions and data minimization of Customer Personal Data. The customer must provide required notices, obtain required consents, respond to data subject requests and ensure that its use of VueSend complies with applicable laws.
6. Confidentiality
VueSend will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality duties.
7. Security measures
VueSend will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The measures are described in Annex 2.
The customer is responsible for using available security controls appropriately, including access management, workspace roles, API key protection and domain security.
8. Subprocessors
The customer authorizes VueSend to use subprocessors to provide the service. VueSend will impose data protection obligations on subprocessors that are materially no less protective than those in this DPA.
VueSend remains responsible for subprocessors to the extent required by applicable law. Subprocessor categories are listed in Annex 3. VueSend will provide reasonable notice of material subprocessor changes when required by law or contract.
9. International transfers
Where Customer Personal Data is transferred outside the EEA, UK, Switzerland or another jurisdiction with transfer restrictions, VueSend will use a lawful transfer mechanism such as an adequacy decision, Standard Contractual Clauses, the UK Addendum, a data privacy framework where applicable, or another valid mechanism.
10. Assistance
Taking into account the nature of the processing and information available to VueSend, VueSend will provide reasonable assistance for data subject requests, security obligations, DPIAs, prior consultations and other compliance obligations required by applicable data protection law.
11. Security incidents
VueSend will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to VueSend, and VueSend will take reasonable steps to mitigate known harmful effects.
12. Deletion and return
Upon termination or upon customer request, VueSend will delete or return Customer Personal Data in accordance with the service functionality, the agreement and applicable law, unless retention is required for legal, security, backup, dispute, abuse prevention or compliance purposes.
13. Audits
VueSend will make information reasonably necessary to demonstrate compliance with this DPA available to the customer where required by applicable law. Audits must be reasonable, limited in scope, protect other customers and VueSend security, and may be satisfied by documentation, summaries, certifications or third-party reports where available.
14. US state privacy terms
Where US state privacy laws apply, VueSend acts as a service provider or processor for Customer Personal Data. VueSend will not sell or share Customer Personal Data, retain, use or disclose it outside the business relationship except as permitted by law, or combine it with other data where prohibited by applicable law.
15. Annex 1 - Processing details
- Subject matter: the provision of VueSend newsletter, contact management, automation, form, tracking, deliverability and analytics services.
- Duration: for the term of the customer relationship and any retention period required or permitted by the agreement or applicable law.
- Nature and purpose: hosting, storing, organizing, segmenting, sending, tracking, suppressing, analyzing, securing and supporting customer email and subscriber operations.
- Data subjects: subscribers, contacts, campaign recipients, form submitters, customer staff, workspace users and end users interacting with customer content.
- Data categories: email address, name, company, tags, segments, consent fields, preferences, subscription status, suppression status, IP address, user agent, location signals, opens, clicks, bounces, complaints, form responses, automation events, Smart Link events, revenue attribution events and related metadata.
- Sensitive data: VueSend is not designed for special category data unless a separate written agreement permits it and suitable safeguards are in place.
16. Annex 2 - Technical and organizational measures
VueSend maintains a security program designed for a newsletter and marketing platform handling customer subscriber data.
- Access control: role-based workspace access, administrative access restrictions and least-privilege practices.
- Encryption: HTTPS/TLS for data in transit and provider-supported protections for infrastructure and storage.
- Operational security: logging, monitoring, backups, patching, vulnerability handling and incident response procedures.
- Data protection: suppression handling, unsubscribe processing, segmentation controls, deletion workflows and customer export options where available.
- Vendor management: use of subprocessors selected for hosting, delivery, security, analytics, support, payments and operational reliability.
17. Annex 3 - Subprocessor categories
VueSend may use subprocessors in the following categories to provide the service.
- Cloud hosting, databases, storage, backup and infrastructure providers.
- Email delivery, bounce handling, complaint handling, reputation and DNS-related providers.
- Analytics, logging, monitoring, error tracking and security providers.
- Payment, billing, accounting, customer support and communication providers.
- Integrations and customer-configured services when enabled by the customer.
18. Contact
Data protection questions can be sent to privacy@vuesend.com. Security reports can be sent to security@vuesend.com. Legal notices can be sent to legal@vuesend.com.