Data Processing Addendum
This Addendum forms part of the agreement between SelleSend ("Processor")
and the merchant ("Controller") for the processing of Personal Data on
behalf of the Controller.
1. Subject matter and duration
SelleSend processes Personal Data on behalf of the Controller for the
purpose of providing the Service for the term of the Agreement.
2. Nature and purpose of processing
- Generating shipping labels and tracking events
- Verifying recipients (KYC, OFAC screening, address validation)
- Billing, payment processing and reconciliation
- Fraud detection and security monitoring
- Customer support
3. Categories of data
- Identification: name, email, phone, company.
- Contact: shipping and billing addresses.
- Transactional: shipments, rates, payments, claims.
- Technical: IP, device, browser, audit logs.
4. Sub-processors
SelleSend uses approved sub-processors (carriers, payment processors,
hosting providers, analytics). The current list is published at
/legal/sub-processors and updated on material change with at least 30
days' notice. The Controller may object to a new sub-processor by written
notice; if the objection cannot be resolved, the Controller may
terminate the affected portion of the Service.
5. Security
SelleSend implements appropriate technical and organisational measures
including encryption in transit and at rest, role-based access controls,
MFA, vulnerability management, and security incident response.
6. International transfers
For Personal Data transferred from the EEA/UK/Switzerland, the parties
incorporate the EU Standard Contractual Clauses (Module 2) and the UK
International Data Transfer Addendum by reference.
7. Data subject rights
SelleSend will assist the Controller in responding to data-subject
requests within statutory timeframes.
8. Breach notification
SelleSend will notify the Controller of a confirmed Personal Data Breach
without undue delay and in any event within 72 hours of confirmation.
9. Audit
The Controller may, upon reasonable notice and at its own cost, audit
SelleSend's compliance with this DPA no more than once per year, subject
to confidentiality and security restrictions.
10. Return / deletion
On termination, SelleSend will, at the Controller's choice, return or
delete all Personal Data within 30 days, except where retention is
required by law.
Contact: privacy@sellesend.com