Exhibit D — Sender Compliance and Subscriber List Certification
Effective as of the Effective Date of the Software as a Service Agreement
Last update: 05/18/2026
This Exhibit D (EU) forms part of, and is incorporated by reference into, the Software as a Service Agreement (the "SSA") between Maestra B.V. ("Provider") and the Customer identified in the Engagement Letter. Capitalized terms not defined in this Exhibit have the meanings given in the SSA.
This Exhibit applies whenever Customer uploads or causes to be uploaded any Subscriber List or uses the Services to transmit SMS, MMS, email, push notifications, or other electronic messages. This Exhibit takes effect as of the Effective Date of the SSA, the effective date of any Engagement Letter or order form that references messaging features, or the date Customer first uploads a Subscriber List, whichever occurs earliest. No separate signature is required; execution of the SSA or Engagement Letter, or use of the applicable features, constitutes Customer’s acceptance of this Exhibit.
1. Definitions
"Applicable Messaging Laws" means all applicable laws, rules, regulations, self-regulatory codes, carrier rules, and industry guidelines governing electronic marketing communications, including without limitation: (a) the General Data Protection Regulation (Regulation (EU) 2016/679) and Member State implementations thereof; (b) the ePrivacy Directive (Directive 2002/58/EC) and Member State implementations thereof, including national laws governing direct electronic marketing; (c) the United Kingdom General Data Protection Regulation (UK GDPR), the United Kingdom Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR); (d) Canada’s Anti-Spam Legislation (CASL), where applicable; (e) carrier rules, aggregator rules, and industry codes of practice applicable to SMS, MMS, push, and email delivery in any jurisdiction in which Customer sends messages through the Services; and (f) any other applicable laws governing electronic marketing communications, consumer protection, or telecommunications in any jurisdiction in which Customer sends messages through the Services. References to any Applicable Messaging Law include successor legislation and amendments.
"Consent" means valid, provable permission required under Applicable Messaging Laws for the specific type of message, channel, sender, and purpose, including any required disclosures, information notices, and records. Where consent is the lawful basis for Processing under Article 6(1)(a) of the GDPR, Consent must meet the requirements of Article 4(11) and Article 7 of the GDPR (freely given, specific, informed, unambiguous, demonstrable, and as easily withdrawable as given).
"Lawful Basis" means the basis on which Customer Processes Personal Data of End Customers under Article 6(1) of the GDPR (or, where applicable, the equivalent provision of UK GDPR), including consent, contract performance, legal obligation, vital interests, public interest, or legitimate interests, in each case as documented by Customer in accordance with Section 4 of this Exhibit.
"Subscriber List" means any list of mobile telephone numbers, email addresses, push notification tokens, or other contact identifiers, together with related data (including any associated End Customer Data), that Customer provides to Provider or uploads through the Services for the purpose of sending or facilitating messaging.
2. Certification Regarding Subscriber Lists
Customer certifies that:
Authority. The individual accepting or causing acceptance of this Exhibit on Customer’s behalf is duly authorized to do so.
Lawful collection. Each contact identifier in any Subscriber List uploaded to or processed through the Services was collected in compliance with all Applicable Messaging Laws, including (i) the establishment of a valid Lawful Basis for the Processing of Personal Data of End Customers, (ii) where the Lawful Basis is consent, the obtaining of Consent meeting the requirements of Article 4(11) and Article 7 of the GDPR (or equivalent provisions of other Applicable Messaging Laws), and (iii) the provision of all required information notices under Articles 13 and 14 of the GDPR (or equivalent provisions of other Applicable Messaging Laws) at the time of collection.
Exclusion of opt-outs and objections. Subscriber Lists exclude (i) contact identifiers of End Customers who have opted out, revoked Consent, or otherwise requested not to receive messages, and (ii) contact identifiers of End Customers who have exercised their right to object to direct marketing under Article 21 of the GDPR (or equivalent provisions of other Applicable Messaging Laws). Customer will promptly honor and propagate all opt-out requests, Consent revocations, and objections across its systems and uploads.
No purchased, rented, or scraped lists. Subscriber Lists will not include contact identifiers obtained from purchased, rented, generated, guessed, or scraped lists, nor contact identifiers collected without compliant marketing-purpose disclosures.
Ongoing hygiene. Contact identifiers of End Customers who have opted out, revoked Consent, or objected will be removed from any Subscriber List as soon as reasonably possible after Customer receives notice of such opt-out, revocation, or objection.
Use at Customer’s risk. Customer understands that Provider does not provide legal advice, does not review or verify Subscriber Lists for compliance with Applicable Messaging Laws, and that Customer uploads and uses Subscriber Lists at its own risk.
3. Representations and Warranties
Customer represents, warrants, and covenants that:
it possesses and will continuously maintain all rights, Consents, and Lawful Bases necessary to use the Subscriber Lists and to send messages through the Services;
all message content, cadence, targeting, frequency, segmentation, and campaign configuration are Customer’s sole responsibility and will comply with Applicable Messaging Laws;
it will maintain accurate sender identification and required disclosures in all opt-in flows and messages, including brand identification, message frequency information, opt-out instructions (such as STOP/HELP keywords for SMS and a clear and easily accessible unsubscribe mechanism in emails as required by Article 13 of the ePrivacy Directive), and links to applicable terms and privacy notices;
it will exclude from any Subscriber List any contact identifier appearing on (i) applicable national or regional do-not-call, do-not-contact, or marketing preference registries, (ii) Customer’s internal suppression lists, and (iii) any carrier, aggregator, or platform prohibitions, including by using Provider’s built-in suppression and opt-out features where available;
it will maintain operational procedures to promptly capture, process, and propagate (i) revocations of Consent under Article 7(3) of the GDPR, and (ii) objections to direct marketing under Article 21 of the GDPR, in each case across all of Customer’s systems and any Subscriber Lists; and
its Processing of Personal Data of End Customers through the Services complies with the GDPR (and, where applicable, UK GDPR), including in respect of the establishment and documentation of the Lawful Basis relied upon.
4. Recordkeeping and Audit Cooperation
Customer will retain contemporaneous records sufficient to demonstrate compliance with this Exhibit and with Applicable Messaging Laws. Such records shall include, at a minimum:
proof of Consent where Consent is the Lawful Basis, including the opt-in source, the date and time of opt-in, and the mechanism used (e.g., web form, in-store sign-up, double opt-in);
the Lawful Basis under Article 6(1) of the GDPR (or equivalent under UK GDPR or other Applicable Messaging Laws) relied upon for each category of Processing;
where Consent is the Lawful Basis, the form of consent presented to the End Customer (granular versus bundled), the specific wording or language presented, and the privacy notice or information notice presented at the time of collection in accordance with Articles 13 and 14 of the GDPR;
the disclosures, terms, and other information made available to the End Customer at the time of collection, and any subsequent updates;
records of Consent revocations, opt-outs, and Article 21 objections, including the timestamp, channel through which the request was received, and the date the request was propagated to Provider and other systems; and
records of any Lawful Basis re-assessment, balancing test (where legitimate interests are relied upon), or other compliance documentation reasonably required under Applicable Messaging Laws.
Customer shall retain such records for the duration of the SSA Term and for a period of three (3) years following termination or expiration of the SSA, or for such longer period as may be required by Applicable Messaging Laws. Upon Provider’s reasonable written request (including in response to a carrier or aggregator inquiry, regulator request, claim by a third party, or Provider’s investigation of suspected non-compliance), Customer shall provide relevant records within ten (10) business days, or sooner if required by the requesting authority.
5. Allocation of Responsibility; Sender of Record
As between the parties, Customer is the sender, originator, and advertiser for all messages initiated through Customer’s account on the Services. For the purposes of GDPR, Customer is the controller with respect to Personal Data of End Customers Processed through the Services, and Provider is the processor acting on Customer’s documented instructions. Customer is solely responsible for the Subscriber Lists, the message content, the call-to-action flows, the cadence and frequency of messaging, the segmentation and targeting of messages, and the management of suppression lists, opt-outs, and objections. Provider provides a platform and delivery orchestration only and does not originate messages independently of Customer’s instructions.
6. Indemnification; Fines and Pass-Through Costs
This Section 6 supplements (and does not limit) the indemnification provisions in Section 12 of the SSA. Customer shall indemnify, defend, and hold harmless Provider, its Affiliates, and their respective officers, directors, employees, agents, successors, and assigns from and against any and all Losses arising out of or related to:
the Subscriber Lists (including any allegation that the Lawful Basis was insufficient, that Consent was not validly obtained, or that the data was collected, retained, or used in violation of Applicable Messaging Laws);
Customer’s messaging practices, content, cadence, targeting, or failure to honor opt-out requests, Consent revocations, or Article 21 objections;
any breach by Customer of this Exhibit or any other provision of the SSA related to messaging or Subscriber Lists; and
any administrative fine, penalty, or regulatory action imposed on Provider or its Affiliates (including under the GDPR or UK GDPR) to the extent attributable to Customer’s messaging practices or Subscriber Lists.
In addition to the foregoing, Provider may pass through to Customer any carrier, aggregator, or platform penalties, fines, or charges attributable to Customer’s messaging traffic, including without limitation penalties imposed for excessive spam complaints, blocklisting, deliverability harm, or non-compliant content. Customer shall reimburse Provider for such pass-through amounts within fourteen (14) days of Provider’s invoice.
7. Suspension; Remediation
Notwithstanding any notice requirement set forth elsewhere in the SSA, Provider may, in its sole discretion, immediately (and without prior notice where reasonable under the circumstances) suspend, disable, or limit Customer’s access to the Services (including the ability to send messages), and/or terminate the SSA, if Provider reasonably determines that:
Customer is sending or has sent spam or other unsolicited messages;
Customer is using or has used purchased, scraped, harvested, generated, or third-party lists, or cannot promptly provide reasonable evidence of Consent or other Lawful Basis upon request;
Customer’s sending practices are likely to cause, or have caused, excessive bounces, unsubscribe requests, spam complaints, blocklisting, degraded sender reputation, or other deliverability harm (including harm to Provider, other customers, or downstream carriers, aggregators, or email service providers); or
Customer’s use of the Services creates a material risk to Provider, its infrastructure, downstream providers (including carriers, email service providers, SMS gateways, push notification services, or other third parties), or other customers of Provider.
Provider may require Customer to provide information reasonably necessary to verify Consent and compliance with this Exhibit. If Provider suspends messaging features under this Section 7, Customer must promptly cooperate with Provider’s remediation steps. Failure to cooperate or to remediate within the timeframe specified by Provider is grounds for termination of the SSA in accordance with Section 15.3 of the SSA. Suspension under this Section 7 does not relieve Customer of any payment obligation, and Customer remains responsible for any messaging charges incurred prior to suspension.
8. Order of Precedence; Conflicts
In the event of any conflict between this Exhibit and the body of the SSA or the Engagement Letter on the specific subject matter of Subscriber Lists or messaging compliance, this Exhibit shall prevail in accordance with Section 16.7 of the SSA. In the event of any conflict between this Exhibit and the applicable DPA on the specific subject matter of Personal Data Processing, the DPA shall prevail.
9. Updates; Survival
Provider may update this Exhibit in accordance with the SSA’s change-management or modification provisions. Where the SSA does not provide such a mechanism, changes will require mutual written agreement, except for updates mandated by Applicable Messaging Laws or by carrier, aggregator, or platform rules, which Provider may implement on reasonable notice to Customer. Customer’s obligations under Sections 2 through 6 of this Exhibit shall survive termination or expiration of the SSA in accordance with Section 15.5 of the SSA.