Data Processing Addendum
The Article 28 terms that govern Zerokit's processing of personal data on behalf of customers.
Last updated · May 16, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Customer", the data controller) and Zerokit (the data processor) and applies whenever Zerokit processes personal data on Customer's behalf in connection with the Service. In case of conflict between the Terms and this DPA, this DPA controls for matters of personal-data processing.
Capitalized terms not defined here have the meanings given in Article 4 of Regulation (EU) 2016/679 (the "GDPR") or in equivalent local law.
1. Scope and roles
Customer is the controller of the Personal Data it transmits through the Service (typically recipient names, email addresses, IP addresses, and any personal information contained in message bodies or templates). Zerokit acts as a processor of that Personal Data and as a controller for limited account-administration data described in the Privacy Policy.
2. Subject matter, duration, and processing details
| Subject matter | Provision of a transactional email API, SMTP relay, webhooks, templates, domain authentication, and event tracking. |
|---|---|
| Duration | For the term of the Agreement, plus any post-termination retention required by law or expressly permitted by the Customer. |
| Nature and purpose | Hosting, routing, transmitting, and logging email and related events; protecting against abuse and security incidents; providing customer support and billing. |
| Categories of data subjects | Recipients designated by Customer (typically Customer's end-users, employees, or partners) and Customer's own representatives (administrators and developers). |
| Categories of Personal Data | Identification and contact data (name, email, phone), technical identifiers (IP address, user agent), message content, attachments, and event metadata (delivery, bounce, complaint, open, click). |
| Special categories | Not processed by default. Customer must not transmit special categories (Article 9 GDPR) or criminal-conviction data through the Service without first contacting Zerokit and obtaining written acknowledgement that the relevant safeguards are in place. |
3. Customer instructions
Zerokit will process Personal Data only on documented instructions from Customer, as set out in the Agreement, this DPA, the dashboard configuration, and API calls made by Customer. Zerokit will inform Customer if an instruction infringes applicable data-protection law.
4. Confidentiality
Personnel authorised to process Personal Data are bound by written confidentiality obligations (or appropriate statutory duties) that survive the end of their engagement with Zerokit.
5. Security measures
Zerokit will implement and maintain technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest where supported.
- Strong authentication for staff access (passwordless or MFA), least-privilege role-based access control, and time-bound short-lived credentials.
- Logging and monitoring of administrative access.
- Regular backup and restore testing of the primary databases.
- Vulnerability scanning, dependency review, and patching cadence.
- A documented incident-response process with on-call coverage and post-incident review.
- Vendor due diligence for sub-processors, with data-protection terms passed through.
The current state of these measures is described on the Security page and may be updated as the threat landscape evolves, provided that the overall level of protection is not degraded.
6. Sub-processors
Customer authorises Zerokit to engage the sub-processors listed at Sub-processors to process Personal Data for the purposes described above. Zerokit will:
- Impose contractual obligations on each sub-processor that are materially equivalent to the protections in this DPA.
- Remain liable to Customer for the acts and omissions of its sub-processors with respect to Personal Data.
- Notify Customer at least thirty (30) days before adding or replacing a sub-processor, either by email to the address on file or by updating the sub-processors page. Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, either party may terminate the affected portion of the Service.
7. International transfers
Where transfers of Personal Data outside the European Economic Area are necessary to provide the Service, the parties enter into the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, with the appropriate module (Controller to Processor) and the optional Clause 7 docking clause. The technical appendices (Annex I, II, III) are populated by reference to this DPA, the Security page, and the Sub-processors page. The parties will perform transfer impact assessments where required and implement supplementary measures (encryption, contractual, organisational) where appropriate.
8. Data subject rights
Taking into account the nature of the processing, Zerokit will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR. Where a data subject contacts Zerokit directly, Zerokit will refer them to Customer (the controller) and, where it can identify the relevant Customer, notify Customer without undue delay.
9. Personal data breaches
Zerokit will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data, and will provide information reasonably necessary for Customer to meet its own notification obligations under Articles 33 and 34 GDPR. "Without undue delay" means promptly, and in any event within 72 hours of confirming the breach.
10. Assistance with DPIA and prior consultation
Zerokit will provide Customer with reasonable assistance, on request and at Customer's expense for non-routine effort, in carrying out data-protection impact assessments and consulting with supervisory authorities under Articles 35 and 36 GDPR.
11. Audit
Zerokit will make available to Customer information necessary to demonstrate compliance with its obligations under Article 28 GDPR and this DPA, primarily through the Security page, written responses to reasonable questionnaires, and (where available) third-party attestations. Customer may, at its own cost and no more than once per twelve-month period (unless required by a supervisory authority), conduct an audit with at least sixty (60) days' written notice, during business hours, under reasonable confidentiality obligations, and without disrupting other customers' operations.
12. Return and deletion
On termination or expiry of the Agreement, Zerokit will, at Customer's choice, delete or return Customer's Personal Data, and delete existing copies, unless retention is required by law. Customer may export available Personal Data through the dashboard or API prior to deletion. Deletion routines complete within a reasonable period taking into account backups and restoration windows.
13. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits the rights of data subjects under applicable law.
14. Order of precedence
In the event of any inconsistency among the documents that make up the parties' agreement, the order of precedence is: (1) the Standard Contractual Clauses (where applicable), (2) this DPA, (3) the Acceptable Use Policy, (4) the Terms of Service. Headings are for convenience and have no legal effect.
15. Contact
Privacy and DPA-related inquiries can be directed to [email protected].