Search
Ask AI
Terms & Privacy

Exhibit D — Subscriber List Certification

Effective as of the Effective Date of the Software as a Service Agreement

Last update: 05/22/2026

This Exhibit D forms part of, and is incorporated by reference into, the Software as a Service Agreement (the "SSA") between Maestra.io LLC ("Provider") and the Customer identified in the Engagement Letter. Capitalized terms not defined in this Exhibit have the meanings given in the SSA.

This Exhibit applies whenever Customer uploads or causes to be uploaded any Subscriber List or uses the Services to transmit SMS, MMS, email, push notifications, or other electronic messages. This Exhibit takes effect as of the Effective Date of the SSA, the effective date of any Engagement Letter or order form that references messaging features, or the date Customer first uploads a Subscriber List, whichever occurs earliest. No separate signature is required; execution of the SSA or Engagement Letter, or use of the applicable features, constitutes Customer’s acceptance of this Exhibit.

1. Definitions

"Applicable Communications Laws" means all applicable U.S. federal, state, and local laws, rules, regulations, self-regulatory codes, carrier rules, and industry guidelines governing electronic marketing communications and electronic communications more generally, including without limitation: (a) the Telephone Consumer Protection Act of 1991 (47 U.S.C. § 227) and all implementing regulations adopted by the Federal Communications Commission (collectively, the "TCPA"); (b) the CAN-SPAM Act of 2003 (15 U.S.C. §§ 7701-7713) and all implementing regulations (collectively, "CAN-SPAM"); (c) the Telemarketing Sales Rule (16 C.F.R. Part 310) (the "TSR"); (d) the Communications Act of 1934, as amended (47 U.S.C. § 151 et seq.); (e) the Federal Trade Commission Act (15 U.S.C. §§ 41-58); (f) all state "mini-TCPA" statutes, telemarketing laws, consumer protection laws, and state privacy laws (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable state privacy laws); (g) the CTIA Messaging Principles and Best Practices; and (h) all carrier, aggregator, and wireless industry standards and rules applicable to SMS, MMS, push notifications, and email delivery in the United States. References to any Applicable Communications Law include successor legislation, amendments, implementing regulations, and authoritative agency guidance.

"Consent" means, as applicable to the specific communication type, channel, sender, and purpose: (a) Prior Express Written Consent (as defined in the SSA) where required under the TCPA and applicable state law (for example, telemarketing calls or text messages using an automatic telephone dialing system or an artificial or prerecorded voice); (b) Prior Express Consent (as defined in the SSA) where Prior Express Written Consent is not specifically required by Law (for example, certain informational or transactional communications); and (c) any additional or different form of permission required by other Applicable Communications Laws or by carrier or aggregator rules. Consent must satisfy all "one-to-one" consent and disclosure requirements applicable under current FCC rulings and must be supported by Consent Records (as defined in the SSA).

"Lawful Basis" means the legal basis under Applicable Communications Laws on which Customer relies to send each electronic communication through the Services, including Consent, an existing business relationship recognized under the TSR or TCPA, transactional/relationship-based communication recognized under CAN-SPAM, or any other legally cognizable basis.

"Subscriber List" means any list of mobile telephone numbers, email addresses, push notification tokens, or other contact identifiers, together with related data (including any associated End Customer Data), that Customer provides to Provider or uploads through the Services for the purpose of sending or facilitating messaging.

2. Certification Regarding Subscriber Lists

Customer certifies that:

  • Authority. The individual accepting or causing acceptance of this Exhibit on Customer’s behalf is duly authorized to do so.

  • Lawful collection. Each contact identifier in any Subscriber List uploaded to or processed through the Services was collected in compliance with all Applicable Communications Laws, including (i) the establishment of a valid Lawful Basis for each electronic communication, (ii) where the Lawful Basis is Consent, the obtaining of Consent meeting the applicable standard under the TCPA, CAN-SPAM, the TSR, and other Applicable Communications Laws (including Prior Express Written Consent where the TCPA so requires), and (iii) the provision of all required disclosures (including, for telemarketing communications, all disclosures required under 47 C.F.R. § 64.1200, and, for commercial emails, all disclosures required under CAN-SPAM) at the time of collection and prior to dispatch.

  • Exclusion of opt-outs and revocations. Subscriber Lists exclude (i) contact identifiers of End Customers who have opted out, revoked Consent, unsubscribed, or otherwise requested not to receive messages, and (ii) telephone numbers that appear on the National Do-Not-Call Registry except where a valid exemption applies (such as an existing business relationship or Prior Express Written Consent). Customer will promptly honor and propagate all opt-out requests, Consent revocations, and do-not-call requests across its systems and uploads, consistent with the timelines required by Applicable Communications Laws.

  • No purchased, rented, or scraped lists. Subscriber Lists will not include contact identifiers obtained from purchased, rented, generated, guessed, or scraped lists, nor contact identifiers collected without compliant marketing-purpose disclosures.

  • Ongoing hygiene. Contact identifiers of End Customers who have opted out, revoked Consent, or objected will be removed from any Subscriber List as soon as reasonably possible after Customer receives notice of such opt-out, revocation, or objection.

  • Use at Customer’s risk. Customer understands that Provider does not provide legal advice, does not review or verify Subscriber Lists for compliance with Applicable Communications Laws, and that Customer uploads and uses Subscriber Lists at its own risk.

3. Representations and Warranties

Customer represents, warrants, and covenants that:

  1. it possesses and will continuously maintain all rights, Consents, and Lawful Bases necessary to use the Subscriber Lists and to send messages through the Services;

  2. all message content, cadence, targeting, frequency, segmentation, and campaign configuration are Customer’s sole responsibility and will comply with Applicable Communications Laws;

  3. it will maintain accurate sender identification and required disclosures in all opt-in flows and messages, including brand identification, message frequency information, opt-out instructions (such as STOP/HELP keywords for SMS), CAN-SPAM-compliant headers, subject lines, physical postal address, and a functioning unsubscribe mechanism for emails, and links to applicable terms and privacy notices;

  4. it will exclude from any Subscriber List any contact identifier appearing on (i) applicable national or regional do-not-call, do-not-contact, or marketing preference registries, (ii) Customer’s internal suppression lists, and (iii) any carrier, aggregator, or platform prohibitions, including by using Provider’s built-in suppression and opt-out features where available;

  5. it will maintain operational procedures to promptly capture, process, and propagate (i) revocations of Consent and unsubscribe requests, (ii) do-not-call requests, and (iii) requests to cease communications, in each case across all of Customer’s systems and any Subscriber Lists, within the timelines required by Applicable Communications Laws; and

  6. its messaging practices through the Services comply with the TCPA, CAN-SPAM, the TSR, applicable state laws, and all other Applicable Communications Laws, including in respect of the establishment, documentation, and ongoing maintenance of the Lawful Basis relied upon for each category of communication.

4. Recordkeeping and Audit Cooperation

Customer will retain contemporaneous records sufficient to demonstrate compliance with this Exhibit and with Applicable Communications Laws. Such records shall include, at a minimum:

  1. proof of Consent where Consent is the Lawful Basis, including the opt-in source, the date and time of opt-in, and the mechanism used (e.g., web form, in-store sign-up, double opt-in);

  2. the Lawful Basis (and, where applicable, the type of Consent obtained, including Prior Express Written Consent or Prior Express Consent) relied upon for each category of communication;

  3. where Consent is the Lawful Basis, the form of consent presented to the End Customer (granular versus bundled), the specific wording or language presented, the time and channel through which the consent was obtained, and the privacy notice or disclosure presented at the time of collection as required under 47 C.F.R. § 64.1200, CAN-SPAM, and applicable state laws;

  4. the disclosures, terms, and other information made available to the End Customer at the time of collection, and any subsequent updates;

  5. records of Consent revocations, opt-outs, unsubscribe requests, and do-not-call requests, including the timestamp, channel through which the request was received, and the date the request was propagated to Provider and other systems; and

  6. records of any Lawful Basis re-assessment, balancing test (where legitimate interests are relied upon), or other compliance documentation reasonably required under Applicable Communications Laws.

Customer shall retain such records for the duration of the SSA Term and for a period of three (3) years following termination or expiration of the SSA, or for such longer period as may be required by Applicable Communications Laws. Upon Provider’s reasonable written request (including in response to a carrier or aggregator inquiry, regulator request, claim by a third party, or Provider’s investigation of suspected non-compliance), Customer shall provide relevant records within ten (10) business days, or sooner if required by the requesting authority.

5. Allocation of Responsibility; Sender of Record

As between the parties, Customer is the sender, originator, advertiser, and (where applicable) "seller" under the TSR for all messages initiated through Customer’s account on the Services. Customer is solely responsible for the Subscriber Lists, the message content, the call-to-action flows, the cadence and frequency of messaging, the segmentation and targeting of messages, and the management of suppression lists, opt-outs, do-not-call requests, and Consent revocations. Provider provides a platform and delivery orchestration only and does not originate messages independently of Customer’s instructions.

6. Indemnification; Fines and Pass-Through Costs

This Section 6 supplements (and does not limit) the indemnification provisions in Section 12 of the SSA. Customer shall indemnify, defend, and hold harmless Provider, its Affiliates, and their respective officers, directors, employees, agents, successors, and assigns from and against any and all Losses arising out of or related to:

  1. the Subscriber Lists (including any allegation that the Lawful Basis was insufficient, that Consent was not validly obtained, or that the data was collected, retained, or used in violation of Applicable Communications Laws);

  2. Customer’s messaging practices, content, cadence, targeting, or failure to honor opt-out requests, Consent revocations, unsubscribe requests, or do-not-call requests;

  3. any breach by Customer of this Exhibit or any other provision of the SSA related to messaging or Subscriber Lists; and

  4. any administrative fine, penalty, or regulatory action imposed on Provider or its Affiliates by any federal, state, or local agency or court (including the Federal Communications Commission, the Federal Trade Commission, state attorneys general, or any other applicable enforcement authority) to the extent attributable to Customer’s messaging practices, Subscriber Lists, or breach of this Exhibit.

In addition to the foregoing, Provider may pass through to Customer any carrier, aggregator, or platform penalties, fines, or charges attributable to Customer’s messaging traffic, including without limitation penalties imposed for excessive spam complaints, blocklisting, deliverability harm, or non-compliant content. Customer shall reimburse Provider for such pass-through amounts within fourteen (14) days of Provider’s invoice.

7. Suspension; Remediation

Notwithstanding any notice requirement set forth elsewhere in the SSA, Provider may, in its sole discretion, immediately (and without prior notice where reasonable under the circumstances) suspend, disable, or limit Customer’s access to the Services (including the ability to send messages), and/or terminate the SSA, if Provider reasonably determines that:

  1. Customer is sending or has sent spam or other unsolicited messages;

  2. Customer is using or has used purchased, scraped, harvested, generated, or third-party lists, or cannot promptly provide reasonable evidence of Consent or other Lawful Basis upon request;

  3. Customer’s sending practices are likely to cause, or have caused, excessive bounces, unsubscribe requests, spam complaints, blocklisting, degraded sender reputation, or other deliverability harm (including harm to Provider, other customers, or downstream carriers, aggregators, or email service providers); or

  4. Customer’s use of the Services creates a material risk to Provider, its infrastructure, downstream providers (including carriers, email service providers, SMS gateways, push notification services, or other third parties), or other customers of Provider.

Provider may require Customer to provide information reasonably necessary to verify Consent and compliance with this Exhibit. If Provider suspends messaging features under this Section 7, Customer must promptly cooperate with Provider’s remediation steps. Failure to cooperate or to remediate within the timeframe specified by Provider is grounds for termination of the SSA in accordance with Section 15.2 of the SSA. Suspension under this Section 7 does not relieve Customer of any payment obligation, and Customer remains responsible for any messaging charges incurred prior to suspension.

8. Order of Precedence; Conflicts

In the event of any conflict between this Exhibit and the body of the SSA or the Engagement Letter on the specific subject matter of Subscriber Lists or messaging compliance, this Exhibit shall prevail in accordance with Section 16.7 of the SSA.

9. Updates; Survival

Provider may update this Exhibit in accordance with the SSA’s change-management or modification provisions. Where the SSA does not provide such a mechanism, changes will require mutual written agreement, except for updates mandated by Applicable Communications Laws or by carrier, aggregator, or platform rules, which Provider may implement on reasonable notice to Customer. Customer’s obligations under Sections 2 through 6 of this Exhibit shall survive termination or expiration of the SSA in accordance with Section 15.4 of the SSA.

Exhibit D – Maestra SSA | Maestra