Onsend

Data Processing Addendum (Template)

Last updated: 2026-05-20

This Data Processing Addendum (“DPA”) supplements the Onsend Terms of Service between Vandergrid Group (“Onsend”, the “Processor”) and the customer (the “Controller”).

1. Purpose

This DPA governs Onsend’s processing of Controller Personal Data in connection with the Service.

2. Definitions

“Personal Data”, “Processing”, “Data Subject”, “Controller”, and “Processor” have the meanings given to them in the GDPR (Regulation (EU) 2016/679).

3. Scope and duration

Onsend processes Personal Data only on documented instructions from the Controller, including for the duration of the Service subscription and until deletion or anonymisation per the Privacy Policy retention terms.

4. Security measures

  • Transport encryption (TLS 1.2+) for all data in transit.
  • At-rest encryption for Postgres + S3.
  • Principle-of-least-privilege access via tenant-scoped queries.
  • Audit logging of every admin mutation (1-year retention).
  • OFAC screening on wallet sign-in.
  • Anti-sybil engine with rate-limited score recompute + signal decay.

5. Sub-processors

Onsend uses the sub-processors listed in our Privacy Policy §5. Controller will be notified of additions with at least 30 days’ notice.

6. Data subject rights

Onsend provides self-serve endpoints for data export (POST /api/me/export-data) and deletion (POST /api/me/delete-account). Controllers may also issue right-to-be-forgotten requests via the admin user-detail page; each such request is audit-logged with the actor + reason.

7. Incident notification

Onsend will notify the Controller without undue delay (and in any case within 72 hours) on becoming aware of a Personal Data breach affecting the Controller’s data.

8. Cross-Tenant Anti-Sybil Network (Module V1.5-D addendum)

When the Controller opts in to Onsend’s cross-tenant anti-sybil network, this addendum applies in addition to the main DPA.

8.1 What is shared

  • SHA-256 hashes of IP addresses, device fingerprints, and social handles (platform-namespaced). Raw values are never shared.
  • End-user wallet addresses in plain. Wallet addresses are public on-chain and not considered Personal Data under most regulatory interpretations; hashing them would defeat the cross-tenant correlation that is the purpose of the network.
  • Sybil flag status (boolean) + sybil score (0–100 integer) per wallet, per contributing tenant.
  • Network-side counts (how many tenants observed a given hash, how many flagged a wallet).

8.2 What is NOT shared

  • End-user display names, emails, profile data.
  • Campaign-specific data (quest completions, XP, referrals).
  • The Controller’s identity. Tenants are pseudonymised at the network level via a stable random networkPseudoId; no other Controller ever sees the Controller’s real tenant identifier through the network.
  • Tenant-specific business data (revenue, plan tier, user counts).

8.3 Onsend’s role for the network

Onsend operates as Data Processor for the network data flow. The Controller’s contributed signal hashes are processed solely for the purpose of cross-tenant sybil detection and surfaced back to opted-in Controllers as anonymised aggregate counts.

8.4 Right-to-be-forgotten propagation

When an end user invokes data deletion (POST /api/me/delete-account or admin-triggered right-to-be-forgotten), Onsend propagates the deletion to the network tables: the user’s tenant attribution is removed and aggregate counts decrement accordingly. Where the user was the sole contributor of a hash from this Controller, the corresponding occurrence row is deleted.

Note: hashed signals contributed by other tenants’ users persist as part of the network’s aggregate intelligence. Only the Controller’s attribution to those hashes is scrubbed.

8.5 Network offboarding

If the Controller leaves the network (via/admin/settings/anti-sybil → “Leave network” or by archiving their Onsend tenant), the Controller’s networkPseudoId is replaced on all occurrence rows with an “unattributed tenant” sentinel value. Aggregate counts on the network are preserved (historical signal contribution remains for network-level analytics) but the contribution is no longer attributable to any specific Controller.

8.6 Consent

Network participation is opt-in. The Controller’s admin sees the choice clearly at first sign-in (the toggle defaults to enabled per Onsend’s product recommendation, but the Controller may decline before saving and may toggle at any time afterwards). The choice is recorded with an AuditLog entry referencing the admin identity and timestamp.

9. Contact

DPA execution: info@vandergrid.com.