Data Processing Agreement (DPA)

Last Updated: 9 May 2025

This Data Processing Agreement ("DPA") is entered into by and between:

The Client ("Controller" or "You"), the entity or individual that has subscribed to the Services provided by AhaSend;

and

TakTek GmbH, a company registered in Austria with company number FN 451613 m, having its registered office at Siebensterngasse 42/3, 1070 Vienna, Austria, operating as AhaSend.com ("Processor," "AhaSend," "We," "Us," or "Our").

This DPA is incorporated into and forms an integral part of the AhaSend Terms of Use ("Terms") available at https://ahasend.com/terms, and applies to the extent that Processor processes Personal Data on behalf of Controller in the course of providing the Services.

Controller and Processor are hereinafter collectively referred to as the "Parties" and individually as a "Party."

By using the Services, Controller accepts this DPA.

1. Definitions

For the purposes of this DPA:

  1. "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and any national implementing legislation (including the Austrian Datenschutzgesetz - DSG).

  2. "Controller" has the meaning given to it in the GDPR, and for the purpose of this DPA, refers to the Client.

  3. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Processor or its Sub-processors in connection with the provision of the Services.

  4. "Data Subject" has the meaning given to it in the GDPR, and for the purpose of this DPA, refers primarily to the Recipients.

  5. "Personal Data" has the meaning given to it in the GDPR, and for the purpose of this DPA, means any Personal Data Processed by Processor on behalf of Controller in relation to the Services, as further described in Annex 1.

  6. "Processing" (and its cognates "Process" and "Processed") has the meaning given to it in the GDPR.

  7. "Processor" has the meaning given to it in the GDPR, and for the purpose of this DPA, refers to AhaSend (TakTek GmbH).

  8. "Recipient" means an end-user or subscriber of the Controller to whom the Controller sends emails using the Services.

  9. "Services" means the transactional email services provided by AhaSend to the Controller under the Terms.

  10. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as adopted by the European Commission.

  11. "Sub-processor" means any third-party data processor engaged by Processor to Process Personal Data in connection with the Services.

  12. "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to Article 51 GDPR.

2. Scope and Purpose of Processing

  1. Processor shall Process Personal Data on behalf of Controller solely for the purpose of providing the Services as described in the Terms and this DPA, and in accordance with Controller's documented lawful instructions.
  2. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects, are further specified in Annex 1 (Details of Processing) to this DPA. 

3. Obligations of the Processor

Processor agrees and warrants that it shall:

  1. Processing Instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR). The Controller's instructions are generally documented in the Terms, this DPA, and through the Controller's configuration and use of the Services.
  2. Confidentiality: Ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
  3. Security of Processing: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and as further detailed in Annex 2 (Technical and Organizational Security Measures) to this DPA (Article 28(3)(c) GDPR).
  4. Sub-processing: Comply with the conditions referred to in Section 6 and Article 28(2) and 28(4) GDPR for engaging another Processor (Sub-processor).
  5. Data Subject Rights: Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR (Article 28(3)(e) GDPR). If Processor receives a request directly from a Data Subject, Processor will promptly notify Controller and will not respond to the Data Subject directly, unless otherwise instructed by Controller or required by Applicable Data Protection Law.
  6. Assistance to Controller: Assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR (Security of Processing, Data Breach notification, Data Protection Impact Assessment, and Prior Consultation), taking into account the nature of Processing and the information available to the Processor (Article 28(3)(f) GDPR). Processor may charge a reasonable fee for such assistance, except where such assistance is required due to Processor's breach of this DPA.
  7. Deletion or Return of Data: At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of Services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Article 28(3)(g) GDPR). The process for deletion or return will be initiated upon termination of the Controller's account as per the Terms. Specific retention periods may apply as outlined in the Terms or Processor's standard data retention policies for backup and operational continuity, provided such retention is compliant with Applicable Data Protection Law.
  8. Information and Audits: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR).
    1. Processor shall provide Controller with information reasonably requested by Controller to verify Processor's compliance with this DPA.
    2. Audits shall be conducted during reasonable times, with reasonable advance notice to Processor, and in a manner that does not unreasonably interfere with Processor's business operations. Controller shall bear its own costs for such audits. If an audit reveals a material breach of this DPA by Processor, Processor shall bear the reasonable costs of the audit, in addition to any other rights or remedies Controller may have.
    3. Processor may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g., ISO 27001, SOC 2) where available.

4. Obligations of the Controller

Controller agrees and warrants that it shall:

  1. Comply with all Applicable Data Protection Laws in its use of the Services and its own Processing of Personal Data.
  2. Be solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired the Personal Data.
  3. Ensure it has a lawful basis for Processing the Personal Data provided to Processor (e.g., consent from Data Subjects, contractual necessity).
  4. Provide Processor with lawful, documented instructions regarding the Processing of Personal Data, and ensure such instructions comply with Applicable Data Protection Law.
  5. Be responsible for providing all necessary privacy notices to Data Subjects and for obtaining any necessary consents from Data Subjects as required by Applicable Data Protection Law.

5. Security Measures

Processor will implement and maintain the technical and organizational security measures specified in Annex 2 to this DPA to protect Personal Data against Data Breaches. Processor may update or modify these measures from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services.

6. Sub-processors

  1. Controller provides a general written authorization to Processor to engage Sub-processors to Process Personal Data on Controller's behalf in connection with the provision of the Services (Article 28(2) GDPR).
  2. Processor shall maintain an up-to-date list of its Sub-processors. This list is detailed in Annex 3 (List of Sub-processors) to this DPA and is also available for ongoing review at https://ahasend.com/dpa. The online list shall be considered the most current version.
  3. Processor shall inform Controller of any intended changes concerning the addition or replacement of other Sub-processors by updating the online list and Annex 3 (where feasible for static updates to the DPA document itself, though the online list is primary for changes) and providing Controller with a mechanism to subscribe to notifications of such updates (if available), or by other written means (e.g., email), thereby giving the Controller the opportunity to object to such changes.
  4. Controller may object to the engagement of a new Sub-processor in writing within 14 days of being informed of the change, provided such objection is based on reasonable grounds relating to data protection. If Controller objects, Processor will use reasonable efforts to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If Processor is unable to make available such change within a reasonable period, which shall not exceed 30 days, Controller may terminate the applicable Service subscription with respect to those Services which cannot be provided by Processor without the use of the objected-to new Sub-processor by providing written notice to Processor.
  5. Where Processor engages a Sub-processor, it shall do so by way of a written contract which imposes on the Sub-processor the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR (Article 28(4) GDPR).
  6. Processor shall remain fully liable to the Controller for the performance of that Sub-processor's data protection obligations.

7. Data Breach Notification

  1. Processor shall notify Controller without undue delay after becoming aware of a Data Breach affecting Personal Data Processed on behalf of Controller (Article 33(2) GDPR).
  2. Such notification shall, as far as possible, include:
    1. A description of the nature of the Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
    2. The name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. A description of the likely consequences of the Data Breach;
    4. A description of the measures taken or proposed to be taken by Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  3. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  4. Processor shall cooperate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation, and remediation of each such Data Breach.
  5. Controller is solely responsible for complying with any third-party notification obligations applicable to it in connection with a Data Breach.

8. International Data Transfers

  1. Personal Data Processed under this DPA may be transferred to and Processed in countries outside the European Economic Area (EEA) by Processor or its Sub-processors, including where Controller opts for Services utilizing infrastructure in such third countries (e.g., optional US-based servers provided by Hetzner Online GmbH).
  2. Any transfer of Personal Data outside the EEA shall be made in compliance with the requirements of Chapter V of the GDPR. This may include transfers:
    1. To a country recognized by the European Commission as providing an adequate level of data protection;
    2. To a recipient in the United States that is certified under the EU-U.S. Data Privacy Framework (DPF);
    3. Subject to appropriate safeguards, such as the Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by a transfer impact assessment and any necessary supplementary measures to ensure that the data enjoys a level of protection essentially equivalent to that guaranteed within the EEA.
  3. Where Standard Contractual Clauses are used as the transfer mechanism for Personal Data under this DPA from the European Economic Area (EEA) to third countries not covered by an adequacy decision, the following terms shall apply:
    1. Module Two (Controller to Processor Transfers): These terms will apply where the Controller is a data exporter and the Processor is a data importer processing Personal Data on the Controller's behalf, and such processing involves a transfer of Personal Data to the Processor in a third country, or to a Sub-processor in a third country on behalf of the Controller. For the purposes of Module Two of the SCCs:
      1. Clause 7 (Docking Clause) will not apply.
      2. Clause 9(a) (Use of sub-processors) Option 2 (General written authorisation) will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 6(d) of this DPA.
      3. Clause 11(a) (Redress) The optional language regarding independent dispute resolution will not apply.
      4. Clause 17 (Governing law) Option 1 will apply, and the SCCs shall be governed by the law of Austria.
      5. Clause 18(b) (Choice of forum and jurisdiction) Disputes arising from the SCCs shall be resolved before the courts of Vienna, Austria.
      6. Annex I.A (List of Parties), I.B (Description of Transfer), I.C (Competent supervisory authority), and Annex II (Technical and Organisational Measures) of the SCCs shall be deemed completed with the information set out in Annex 1 and Annex 2 of this DPA respectively.
    2. Module Three (Processor to Processor Transfers): These terms will apply where the Processor (AhaSend) is a data exporter and engages a Sub-processor (as data importer) located in a third country to process Personal Data on behalf of the Controller. AhaSend commits to entering into Module Three of the SCCs (or an equivalent transfer mechanism compliant with Chapter V GDPR) with any such Sub-processor. For the purposes of such Module Three SCCs between AhaSend and its Sub-processor:
      1. Clause 7 (Docking Clause) will not apply.
      2. Clause 9(a) (Use of sub-processors) Option 2 (General written authorisation) will apply. AhaSend will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors as per Section 6(c) and 6(d) of this DPA.
      3. Clause 11(a) (Redress) The optional language regarding independent dispute resolution will not apply.
      4. Clause 17 (Governing law) The SCCs shall be governed by the law of Austria (or another EU Member State law that permits third-party beneficiary rights, as appropriate).
      5. Clause 18(b) (Choice of forum and jurisdiction) Disputes shall be resolved before the courts of Vienna, Austria (or another EU Member State, as appropriate).
      6. The Annexes of such Module Three SCCs will be completed with relevant details reflecting the specific sub-processing activities, ensuring a level of protection consistent with this DPA and Applicable Data Protection Law.

9. Liability and Indemnity

  1. The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms.
  2. Controller shall indemnify and hold Processor harmless against all claims, actions, third-party claims, losses, damages, and expenses incurred by Processor or its Sub-processors arising from any breach of this DPA or Applicable Data Protection Law by Controller, or from any instruction given by Controller that infringes Applicable Data Protection Law.

10. Term and Termination

  1. This DPA shall commence on the date Controller agrees to the Terms and shall continue in effect as long as Processor Processes Personal Data on behalf of Controller under the Terms.
  2. Termination or expiration of the Terms shall automatically terminate this DPA.
  3. Obligations that by their nature are intended to survive termination (such as confidentiality, return or deletion of data, liability) shall survive.

11. Governing Law and Jurisdiction

This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Austria. The Parties irrevocably agree that the competent courts in Vienna, Austria shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA.

12. Miscellaneous

  1. Notices: Any notices under this DPA shall be given in accordance with the notice provisions in the Terms. Notices to Processor concerning this DPA should be sent to [email protected].
  2. Severability: If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other provisions shall remain in force.
  3. Entire Agreement: This DPA, together with the Terms and the Privacy Policy, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements and discussions.
  4. Amendments: Processor may amend this DPA from time to time by posting the amended version on its website and, where changes are material, by providing notice to Controller as set forth in the Terms. Continued use of the Services after such amendment will constitute Controller’s acceptance of the changes.

Annex 1: Details of Processing

This Annex 1 forms part of the DPA and describes the Processing of Personal Data.

A. List of Parties

Data exporter (Controller):

  • Name: The Client, as defined in the AhaSend Terms of Use.
  • Address: As provided by the Client during account registration or for billing purposes, if applicable. If no address is collected, this field is not applicable for that Client.
  • Contact person’s name, position, and contact details: As provided by the Client.
  • Activities relevant to the data transferred under these Clauses: Using AhaSend's Services to send transactional emails to its Recipients.
  • Signature and date: By agreeing to the Terms and this DPA, the Client is deemed to have signed this Annex.
  • Role (controller/processor): Controller

Data importer (Processor):

  • Name: TakTek GmbH (operating as AhaSend.com)
  • Address: Siebensterngasse 42/3, 1070 Vienna, Austria
  • Contact person’s name, position, and contact details: DPO, [email protected]
  • Activities relevant to the data transferred under these Clauses: Provision of transactional email services as described in the Terms.
  • Signature and date: By publishing this DPA, TakTek GmbH is deemed to have signed this Annex.
  • Role (controller/processor): Processor

B. Description of Transfer / Processing

  • Categories of Data Subjects whose Personal Data is Processed:
    • Recipients of emails sent by the Controller through the Services (e.g., Controller's customers, users, subscribers).
  • Categories of Personal Data Processed:
    • Contact Information of Recipients: Primarily email addresses. May also include names if provided by Controller.
    • Email Content: The content of the transactional emails sent by the Controller to Recipients (if Controller enables storage of content; this can be disabled by Controller).
    • Email Metadata and Engagement Data: Information related to the sending of emails, such as email subject lines, sender/recipient information, delivery logs (deliveries, deferrals, bounces), spam complaints (from Feedback Loops), timestamps, (and if tracking is requested by the Controller) IP addresses of Recipients interacting with emails, user agent strings, and engagement metrics (e.g., opens, clicks).
  • Sensitive Data Processed (if applicable) and applied restrictions or safeguards:
    • Processor does not intend to Process Sensitive Data (as defined in Article 9 GDPR). Controller agrees not to use the Services to send or store Sensitive Data, unless explicitly agreed otherwise in writing with Processor and subject to any additional safeguards that may be required. If Controller does include Sensitive Data in email content, Controller is solely responsible for ensuring it has a lawful basis for such Processing and for implementing appropriate safeguards.
  • Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
    • Continuous basis, as Controller uses the Services.
  • Nature of the Processing:
    • Collection, storage, use, transmission, analysis (for deliverability and engagement reporting), and deletion of Personal Data as necessary to provide the Services, including sending emails, providing reporting and analytics to the Controller, troubleshooting, and preventing abuse. Processing occurs primarily within the European Economic Area (EEA), unless Controller opts for specific services utilizing infrastructure in third countries (e.g., USA), as detailed in Annex 3 and subject to the international transfer safeguards outlined in Section 8 of this DPA.
  • Purpose(s) of the data transfer and further Processing:
    • To enable Controller to send emails to its Recipients.
    • To provide Controller with analytics and reporting regarding email delivery and engagement.
    • To maintain and improve the Services, including deliverability and security.
    • To comply with legal obligations and prevent misuse of the Services.
  • Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
    • Personal Data will be retained for the duration of the Controller's use of the Services and as necessary to fulfill the purposes outlined in this DPA and the Terms.
    • Upon termination of the Controller's account, Personal Data processed on behalf of the Controller will be deleted in accordance with Section 3(g) of this DPA and the Processor's data retention policies, typically within a maximum of 90 days from the effective termination date, unless otherwise required by law or for legitimate operational needs (e.g., backup retention for a limited period). Controller can request deletion of their data at any time.
    • Email engagement data (opens, clicks, bounces) may be retained in an aggregated or anonymized form for longer periods for statistical and service improvement purposes.
  • For transfers to (Sub-)processors, also specify subject matter, nature, and duration of the Processing:
    • As specified in Processor's Sub-processor list (detailed in Annex 3). Sub-processors are engaged for purposes such as cloud hosting, infrastructure provision, security services (CDN/WAF), email delivery infrastructure (if applicable) and analytics. The nature of Processing by Sub-processors is limited to what is necessary for them to provide their services to Processor to enable Processor to provide the Services to Controller. Duration is for as long as Processor uses the Sub-processor's services.

C. Competent Supervisory Authority

  • The competent supervisory authority shall be the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), unless otherwise determined by Applicable Data Protection Law based on Controller's establishment.

Annex 2: Technical and Organizational Security Measures

This Annex 2 forms part of the DPA and describes the technical and organizational security measures implemented by the Processor.

Processor has implemented and will maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures shall ensure a level of security appropriate to the risk, considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Measures include, but are not limited to:

  1. Access Control (Physical and Logical):
    1. Measures to prevent unauthorized persons from gaining access to data processing systems where Personal Data is Processed (e.g., secure data centers with restricted access, office security).
    2. Measures to prevent data processing systems from being used without authorization (e.g., strong passwords, multi-factor authentication (MFA) where appropriate for privileged access, role-based access controls, automatic screen locks).
    3. Measures to ensure that persons entitled to use a data processing system have access only to the Personal Data to which they have a right of access, and that Personal Data cannot be read, copied, modified, or removed without authorization during Processing, use, and after storage (e.g., granular permissions, access logging).
  2. Data Confidentiality (Pseudonymization and Encryption):
    1. Encryption of Personal Data in transit (e.g., using TLS/SSL for data transmitted over public networks).
    2. Encryption of Personal Data at rest where appropriate and feasible (e.g., for database backups, sensitive configuration files).
    3. Consideration of pseudonymization techniques where appropriate.
  3. Data Integrity:
    1. Measures to ensure that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport, and that it is possible to verify and establish to which entities a transfer of Personal Data by means of data transmission facilities is envisaged (e.g., use of secure protocols, integrity checks).
    2. Measures to ensure that it is possible to verify and establish whether and by whom Personal Data has been input into data processing systems, modified, or removed (e.g., logging of system access and significant operations).
  4. Availability and Resilience:
    1. Measures to ensure that Personal Data is protected against accidental destruction or loss (e.g., regular backups, geographically redundant storage for critical data where feasible).
    2. Measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident (e.g., disaster recovery and business continuity plans).
    3. Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
  5. Data Minimization and Purpose Limitation:
    1. Processes to ensure that Personal Data Processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed.
  6. Personnel Security and Training:
    1. Ensuring that personnel authorized to Process Personal Data are subject to confidentiality obligations.
    2. Providing data protection and security awareness training to relevant personnel.
  7. Incident Management and Data Breach Response:
    1. Processes for detecting, responding to, and reporting Data Breaches in accordance with Section 7 of this DPA.
  8. Sub-processor Management:
    1. Due diligence processes for selecting Sub-processors and contractual obligations to ensure they meet equivalent data protection standards.
  9. Secure Software Development: Processor incorporates security considerations into its software development lifecycle. Standard measures include, but are not limited to:
    1. Security by Design and Default: Integrating security considerations from the initial design and architecture phases of new features or system modifications.
    2. Secure Coding Practices: Adherence to industry-recognized secure coding guidelines (e.g., OWASP Top 10 recommendations, SANS Top 25) to prevent common software vulnerabilities.
    3. Input Validation: Implementing robust validation for all user inputs and data received from external or untrusted sources to prevent injection attacks (e.g., SQL injection, XSS) and other input-related vulnerabilities.
    4. Output Encoding: Properly encoding output data displayed to users or passed to other systems to prevent cross-site scripting (XSS) and similar vulnerabilities.
    5. Authentication and Authorization Controls: Implementing strong authentication mechanisms for access to development, testing, and production environments, and ensuring proper authorization checks are performed for all actions and data access within the application.
    6. Session Management: Utilizing secure session management techniques, including secure cookie handling, session timeouts, and protection against session fixation or hijacking.
    7. Dependency Management: Regularly reviewing, updating, and patching third-party libraries, frameworks, and other software dependencies to address known vulnerabilities.
    8. Vulnerability Scanning and Testing: Conducting regular automated vulnerability scans of the application and infrastructure. Periodic manual security assessments or penetration tests may be performed based on risk and scale.
    9. Security Patch Management: Maintaining a process for the timely evaluation and application of security patches for underlying operating systems, web servers, databases, and other software components.
    10. Logging and Monitoring for Security Events: Implementing sufficient logging of security-relevant events within the application and infrastructure to enable detection, investigation, and response to potential security incidents.
    11. Change Management: Following a defined change management process that includes security review and testing for significant code or infrastructure changes before deployment to production.
    12. Developer Training: Providing ongoing security awareness and secure coding training to development personnel involved in building and maintaining the Services.

Annex 3: List of Sub-processors

This Annex 3 forms part of the DPA and provides information about the Sub-processors engaged by AhaSend (TakTek GmbH) to Process Personal Data on behalf of the Controller in connection with the Services.

The most current and comprehensive list of Sub-processors, including any updates, is maintained in the online version of this appendix at https://ahasend.com/dpa

The list below provides an indicative overview of Sub-processors used by AhaSend as of the "Last Updated" date of this DPA. Controller acknowledges that Processor may use the following categories of Sub-processors and specific entities:

| Sub-processor Entity Name | Service Provided / Purpose of Sub-processing | Country of Location / Processing |
| --- | --- | --- |
| Hetzner Online GmbH | Cloud Hosting & Infrastructure for core services | Germany/Finland (EEA); USA (optional, upon Controller's instruction / choice for specific services) |
| DA International Group Ltd | Cloud Hosting & Infrastructure for core | Bulgaria (EEA) |
| Cloudflare, Inc. | Content Delivery Network (CDN), DDoS Protection, Web Application Firewall (WAF) | USA / EEA |

Controller acknowledges that by agreeing to this DPA, it provides general authorization for Processor to engage the Sub-processors listed above and others as updated per Section 6 of this DPA.