This is a draft outline, not the executable agreement.
Our DPA is being prepared by qualified UK counsel ahead of Nullsend's Q3 2026 public launch. The final document will be executable at signup on every pricing tier, including bespoke versions for Enterprise customers with their own paper.
The DPA we publish at launch will incorporate UK GDPR, EU GDPR, the UK International Data Transfer Addendum (IDTA), and EU Standard Contractual Clauses (SCCs) where the legal basis for international data flow requires them.
Need the DPA for procurement review now?
If you're in active vendor evaluation and your procurement team needs to review the current DPA draft, request a copy by emailing hello@nullsend.io with subject prefix [legal].
We aim to respond within one business day. The draft we send is the working document we expect to finalise pre-launch — material changes from that point will be communicated to recipients.
What the final DPA will cover
- Scope and the GDPR roles
- Subject matter, duration, and nature of processing
- Categories of data and data subjects
- Processor obligations
- Documented instructions from the controller
- Confidentiality and personnel
- Technical and organisational measures
- Sub-processors and prior authorisation
- International transfers and SCC modules
- Personal data breach notification
- Assistance to the controller
- Audit rights
- Return or deletion of data on termination
- Liability allocation
1. Scope and the GDPR roles
The DPA will apply whenever Nullsend processes personal data on behalf of Customer in the course of providing the Service. Roles:
- Customer is the data controller: they determine the purposes and means of processing.
- Nullsend Ltd is the data processor: we process personal data only on Customer's documented instructions.
- The DPA forms part of, and is governed by, the main Nullsend Terms of Service.
2. Subject matter, duration, and nature of processing
The final DPA will set out, in the schedules required by Article 28:
- Subject matter: the provision of Nullsend's encrypted file transfer service to Customer.
- Duration: for the term of Customer's active subscription, plus the post-termination retention window defined in the Terms.
- Nature of processing: storage of encrypted ciphertext, processing of account metadata, transactional email delivery, audit log maintenance.
- Purpose: to enable Customer to send and receive file transfers and to administer their tenant.
3. Categories of data and data subjects
| Category of data subject | Categories of personal data processed |
|---|---|
| Customer's authorised users (admins, senders, viewers) | Email address, password hash, name, role, IP address (truncated), timestamps of activity |
| Customer's billing contact | Billing email, billing address, VAT registration number, payment method metadata (handled by Stripe) |
| Recipients of transfers (when branded delivery is used) | Email address, transfer metadata (count, timestamp, file count, ciphertext size, expiry) |
| Anonymous transfer recipients (link-only delivery) | Truncated IP address (audit-only), timestamp of download |
Critically, the DPA will note that the plaintext contents of files are not processed by Nullsend because they are encrypted in the sender's browser before upload. Nullsend has no technical capability to decrypt them. This is documented in our security page.
4. Processor obligations
The DPA will commit Nullsend to the standard Article 28 processor obligations, including:
- Processing personal data only on Customer's documented instructions
- Ensuring authorised personnel are under appropriate confidentiality obligations
- Implementing appropriate technical and organisational security measures (set out in detail in a schedule)
- Engaging sub-processors only as permitted by the DPA and notifying Customer of changes
- Assisting Customer in responding to data subject requests
- Assisting Customer with breach notification, data protection impact assessments, and supervisory authority engagement where required
- Returning or deleting personal data at the end of the engagement
5. Documented instructions from the controller
The final DPA will state that Customer's use of the Service constitutes their general written instruction to Nullsend to process personal data for the purpose of providing that Service. Specific written instructions can be provided in addition where Customer wishes to vary the default.
6. Confidentiality and personnel
The DPA will require that all Nullsend personnel with access to Customer's personal data are:
- Under written confidentiality obligations (employment contracts or NDAs)
- Trained on data protection requirements
- Granted access on a need-to-know basis only
7. Technical and organisational measures
A detailed schedule will set out the security measures Nullsend implements. Indicatively this will include:
- Encryption in transit: TLS 1.3 with HSTS preload
- Encryption at rest: end-to-end AES-256-GCM in the user's browser (file content); separate server-side encryption for sensitive metadata
- Access controls: hardware MFA for all production access; least-privilege role assignments
- Sub-processor isolation: file ciphertext stored separately from any plaintext metadata
- Monitoring: production access logs, change-management logs, security event alerting
- Personnel: confidentiality agreements, security training, no production data access for routine support
- Incident response: documented plan with 72-hour notification target per GDPR Article 33
The full set of measures is described on our security page and will form Schedule 2 of the final DPA.
8. Sub-processors and prior authorisation
The DPA will operate on a general authorisation model: Customer pre-approves the sub-processors listed on our public sub-processor list at signup. Changes are notified to Customer at least 30 days before they take effect; Customer has a right to object, which is treated as a request to terminate without penalty.
Nullsend's current sub-processors are:
- Cloudflare — DNS, CDN, WAF (global PoPs, EU residency contractual)
- Backblaze B2 — object storage for encrypted ciphertext (EU-Central, Amsterdam)
- Stripe — payment processing (EU/UK)
- Postmark — transactional email (EU region)
- Anthropic — AI onboarding assistance only (subject to ZDR; no file content)
9. International transfers and SCC modules
The final DPA will include the SCC modules required for any data flows that need them:
- Module 2 (controller-to-processor) is the primary SCC module that applies between Customer and Nullsend where one of you is in the UK/EEA and the other is in a third country.
- Module 3 (processor-to-processor) applies between Nullsend and any sub-processor in a third country.
- UK IDTA (or UK Addendum to EU SCCs) is included for UK-side international transfers.
For Customers and processing within the UK and EEA, SCCs are not required — UK→EU and EU→UK transfers are covered by mutual adequacy decisions in force until at least 2027.
10. Personal data breach notification
The DPA will require Nullsend to:
- Notify Customer without undue delay (and in any event within 24 hours of becoming aware) of any personal data breach affecting Customer's data
- Provide Customer with the information needed to comply with their own 72-hour notification obligation to the supervisory authority under Article 33
- Assist Customer with any subsequent notification to data subjects
- Maintain documented records of breaches and their handling
11. Assistance to the controller
Nullsend will provide reasonable assistance to Customer (taking into account the nature of processing and information available) for:
- Responding to data subject access requests under Articles 15–22
- Conducting data protection impact assessments under Article 35
- Engaging with supervisory authority consultations under Article 36
Assistance with routine requests will be included in the subscription fee. Material engagements (e.g., facilitating complex DSARs, on-site audits) may incur reasonable additional costs, as permitted by Article 28(3)(h).
12. Audit rights
The DPA will provide Customer with audit rights, exercisable on reasonable notice, by means of:
- Reasonable written information requests
- Provision of independent audit reports (SOC 2, when available — see our compliance posture)
- For Enterprise customers, on-site audits with reasonable notice and at the Customer's cost, subject to mutually agreed scope
13. Return or deletion of data on termination
On termination of the Service, Customer can choose either:
- Return of data: we provide a structured export of audit logs and account metadata (file plaintext is not returnable, as we don't have it)
- Deletion of data: all Customer personal data deleted within 30 days of the final transfer expiry, subject to retention required by law (e.g., billing records)
Hard deletion requests under Article 17 are honoured within 30 days of receipt.
14. Liability allocation
The DPA will allocate liability between Customer and Nullsend in accordance with Article 82 GDPR — each party is liable for the damage they caused by their own non-compliance, with the right of recourse against any joint or shared liability. Liability under the DPA is subject to the overall liability limitations in the main Terms of Service.
Contact
For DPA copies, SCC questions, or to begin negotiation of bespoke DPA terms for an Enterprise deployment:
Nullsend Ltd — Legal & procurement
Email: hello@nullsend.io
Subject prefix: [legal] for DPA, SCCs, or vendor onboarding
Response target: one business day