Data Processing Agreement

Last Updated: February 18, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and Zenkai ("Processor", "we", "us") and governs the processing of Personal Data in accordance with GDPR requirements.

GDPR Requirement: This DPA is required under Article 28 of the GDPR. By using Zenkai's hosted service, you accept and agree to the terms of this DPA.

1. Definitions

Terms used in this DPA have the meanings set forth in the GDPR. Specifically:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed via Zenkai
  • "Data Controller" means the Customer who determines the purposes and means of processing Personal Data
  • "Data Processor" means Zenkai, which processes Personal Data on behalf of the Data Controller
  • "Sub-processor" means any third party engaged by Zenkai to process Personal Data
  • "Data Subject" means the individuals whose Personal Data is processed (your contacts/subscribers)
  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation)

2. Scope & Applicability

Hosted Service Only

This DPA applies ONLY to customers using Zenkai's hosted service (email-site.ojogadorcaro.com). Self-hosted deployments are NOT covered by this DPA - you are solely responsible for GDPR compliance when self-hosting.

Agreement Hierarchy

This DPA supplements the Zenkai Terms of Service and Privacy Policy. In case of conflict regarding data processing:

  1. This DPA takes precedence
  2. Then the Terms of Service
  3. Then the Privacy Policy

Acceptance

By using Zenkai's hosted service, you acknowledge that you have read, understood, and agree to be bound by this DPA. This constitutes a legally binding agreement between Customer and Zenkai.

3. Processing Details

As required by GDPR Article 28(3), the following details describe the processing activities:

Subject Matter

Processing of Personal Data necessary to provide email automation, transactional email, marketing campaigns, and workflow automation services.

Duration

Processing occurs for the duration of your Zenkai subscription/account, plus 30 days for API logs (which are automatically deleted), and until you request account deletion.

Nature & Purpose

  • Storing and managing contact databases
  • Sending transactional, marketing, and workflow-triggered emails
  • Tracking email delivery, opens, clicks, bounces, and complaints (per your settings)
  • Managing email templates and automation workflows
  • Processing email events and webhooks
  • Providing analytics and reporting

Type of Personal Data

  • Email addresses (required)
  • Names and custom contact fields (optional, Customer-defined)
  • Email content (subject lines, message bodies, attachments)
  • Subscription status and preferences
  • Email activity data (opens, clicks, bounces, complaints)
  • Timestamps and metadata

Categories of Data Subjects

  • Customer's email subscribers and contacts
  • Recipients of transactional emails
  • Marketing campaign recipients
  • Workflow automation recipients

4. Data Processor Obligations

Zenkai commits to the following obligations as Data Processor:

Processing Instructions

  • Process Personal Data only on documented instructions from Customer (via API, dashboard, etc.)
  • Not process Personal Data for any other purpose without Customer's prior written consent
  • Immediately inform Customer if instructions violate GDPR or other EU data protection laws

Confidentiality

  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations
  • Maintain confidentiality of all Personal Data processed via Zenkai
  • Not disclose Personal Data to third parties except as required by law or with Customer consent

Cooperation

  • Assist Customer in responding to Data Subject rights requests (see Section 7)
  • Assist Customer in ensuring compliance with GDPR security, breach notification, and impact assessment obligations
  • Provide information necessary to demonstrate compliance with Article 28

5. Security Measures

As required by GDPR Article 32, Zenkai implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

Technical Safeguards

  • Industry-standard password hashing (never stored in plaintext)
  • HTTPS-only API access (TLS 1.2+)
  • Database connections encrypted via TLS/SSL
  • HttpOnly, secure cookies with appropriate SameSite settings
  • Authentication tokens with limited expiration periods
  • Rate limiting to prevent brute force attacks

Organizational Safeguards

  • Access controls limiting personnel access to Personal Data
  • Automated bounce and complaint rate monitoring
  • Regular security updates and patching
  • Data segregation by project (multi-tenancy with isolation)

Data Residency

  • Primary data storage: EU/EEA (Hetzner infrastructure)
  • Database and file storage remain within EU/EEA
  • Email delivery may transit non-EU regions (see Section 9)

6. Sub-Processors

Customer authorizes Zenkai to engage the following sub-processors to process Personal Data:

Sub-ProcessorServiceLocationPurpose
Amazon Web Services (AWS SES)Email DeliveryGlobal (data in transit only)Sending emails to recipients
Stripe, Inc.Payment ProcessingUSA (PCI-DSS compliant)Billing for paid accounts
Hetzner Online GmbHInfrastructure HostingEU/EEA (Germany)Database and application hosting

Sub-Processor Obligations

  • All sub-processors are bound by data protection obligations equivalent to this DPA
  • Zenkai remains fully liable to Customer for sub-processor performance
  • Sub-processors have executed Data Processing Agreements with Zenkai

Changes to Sub-Processors

  • Zenkai will provide 30 days advance notice of new or replacement sub-processors via email
  • Notice will be sent to the email address associated with your account
  • If you object on reasonable grounds related to data protection, you may terminate your account within 30 days
  • Updated sub-processor list will be maintained on this page (check "Last Updated" date)

7. Data Subject Rights

Zenkai will assist Customer in fulfilling Data Subject rights requests under GDPR Articles 15-22:

Self-Service via API

Customer can fulfill most Data Subject requests independently via API:

  • Access (Art. 15): Retrieve contact data via GET /contacts/:id
  • Rectification (Art. 16): Update contact data via PATCH /contacts/:id
  • Erasure (Art. 17): Delete contact via DELETE /contacts/:id
  • Restriction (Art. 18): Update subscription status to "unsubscribed"
  • Portability (Art. 20): Use API to access data in JSON format

Assistance from Zenkai

If Customer cannot fulfill a request via API, contact legal@email-site.ojogadorcaro.com:

  • Provide Data Subject's email address and nature of request
  • Zenkai will respond within 10 business days with requested information or assistance
  • Customer remains responsible for verifying Data Subject identity before disclosing information

Email Activity Data

  • Email opens, clicks, bounces, and complaints are linked to contact records
  • Deleting a contact will cascade delete associated email activity
  • API logs (non-Personal Data) are automatically deleted after 30 days

8. Data Breach Notification

Notification Obligation

In the event of a Personal Data breach affecting Customer data, Zenkai will:

  • Notify Customer without undue delay and within 72 hours of becoming aware of the breach (per GDPR Art. 33)
  • Send notification to the primary email address associated with Customer's account
  • Provide information to enable Customer to meet any GDPR breach reporting obligations

Breach Information

Notifications will include (to the extent known):

  • Nature of the breach (what happened)
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm
  • Contact point for more information (legal@email-site.ojogadorcaro.com)

Customer Responsibility

  • Customer is responsible for notifying their supervisory authority if required by GDPR Art. 33
  • Customer is responsible for notifying affected Data Subjects if required by GDPR Art. 34
  • Zenkai's breach notification to Customer does NOT constitute legal or compliance advice

9. International Data Transfers

Primary Storage (EU/EEA)

  • All contact data, templates, workflows, and account data stored in EU/EEA (Hetzner, Germany)
  • No routine transfers of stored Personal Data outside EU/EEA

Data in Transit (Email Delivery)

When emails are sent to recipients, Personal Data may transit through non-EU regions:

  • AWS SES processes emails globally for delivery purposes
  • Data is in transit only (not stored long-term outside EU/EEA)
  • Protected by AWS Data Processing Agreement and Standard Contractual Clauses (SCCs)

Payment Data (Stripe)

  • Payment information (credit cards) processed by Stripe (USA-based)
  • Stripe is PCI-DSS Level 1 certified
  • Protected by Stripe's Data Processing Agreement and Standard Contractual Clauses
  • Zenkai does NOT store credit card numbers (tokenized by Stripe)

Standard Contractual Clauses

All sub-processors that process Personal Data outside EU/EEA have executed Standard Contractual Clauses (SCCs) approved by the European Commission, providing appropriate safeguards for international transfers per GDPR Article 46.

10. Audits & Compliance

Information Provision

Zenkai will make available to Customer information necessary to demonstrate compliance with GDPR Article 28 obligations, including:

  • This DPA (publicly available)
  • Privacy Policy describing processing activities
  • Sub-processor list (Section 6 above)
  • Security measures documentation (available upon reasonable request)

Audit Rights

Customer may audit Zenkai's compliance with this DPA, subject to the following:

  • Audits limited to once per year unless required by supervisory authority
  • Request must be submitted in writing to legal@email-site.ojogadorcaro.com with 30 days notice
  • Audits must be conducted by independent third-party auditors bound by confidentiality
  • Audits conducted during business hours with minimal disruption to operations
  • Customer bears all costs of audit
  • Audit scope limited to GDPR compliance (not general security assessments)

Alternative to Audits

In lieu of conducting a full audit, Customer may request and review sub-processor certifications and compliance documentation (SOC 2, ISO 27001, etc.) where available.

11. Data Deletion & Return

Account Deletion

When Customer deletes their Zenkai account (via dashboard or by request):

  • All Personal Data is immediately deleted from production systems
  • No grace period or recovery window (deletion is permanent)
  • Customer should access or backup data via API before deletion (Zenkai does NOT provide data export)
  • Deletion includes: contacts, emails, templates, workflows, campaigns, and email activity

Backup Retention

  • Deleted data may remain in encrypted backups for up to 30 days for disaster recovery purposes
  • Backup data is not accessible or restorable after account deletion
  • Backups are automatically overwritten after retention period

Legal Retention

Zenkai may retain certain data if required by law (e.g., accounting records, fraud prevention):

  • Billing records: Retained per tax/accounting laws (typically 7 years)
  • Fraud/abuse records: Retained for security purposes (email addresses of suspended accounts)
  • Legal requests: Data subject to legal holds retained as required by law

No Data Return

Zenkai does NOT provide data export or return upon termination. Customer must retrieve data via API before deleting account. Once deleted, data cannot be recovered.

12. Liability & Indemnification

Customer Responsibilities

Customer (Data Controller) is responsible for:

  • Ensuring lawful basis for processing under GDPR (consent, contract, legitimate interest, etc.)
  • Obtaining necessary consents from Data Subjects before adding them to Zenkai
  • Providing privacy notices to Data Subjects per GDPR Article 13/14
  • Complying with anti-spam laws (CAN-SPAM, CASL, GDPR, etc.)
  • Verifying Data Subject identity before fulfilling rights requests
  • Notifying supervisory authorities and Data Subjects of breaches where required

Zenkai's Liability

  • Zenkai is liable to Customer for compliance with this DPA and GDPR Article 28 obligations
  • Zenkai is liable for sub-processor acts/omissions to the same extent as its own acts
  • Liability limitations in Terms of Service apply, except where prohibited by GDPR (particularly Art. 82)

Indemnification

  • Customer indemnifies Zenkai for claims arising from Customer's violation of GDPR or data protection laws
  • Zenkai indemnifies Customer for claims arising solely from Zenkai's breach of this DPA or GDPR Article 28

GDPR Fines

Under GDPR Article 82(3), liability for damages is allocated between Controller and Processor based on fault. Each party is liable only for the damage caused by its own GDPR violation.

13. Term & Termination

Effective Date

This DPA is effective as of the date you first use Zenkai's hosted service and remains in effect for the duration of the Terms of Service.

Termination

This DPA terminates automatically when:

  • Customer deletes their Zenkai account
  • Terms of Service are terminated
  • All Personal Data has been deleted per Section 11

Survival

Obligations regarding confidentiality, data deletion, and liability survive termination to the extent necessary to fulfill their purpose.

DPA Updates

  • Zenkai may update this DPA to reflect changes in law, sub-processors, or processing activities
  • Material changes will be notified via email 30 days in advance
  • Continued use of Zenkai after changes constitutes acceptance
  • Check "Last Updated" date at top of page for version tracking

Questions or Requests?

For questions about this DPA, data processing activities, or to exercise audit rights:

Email: legal@email-site.ojogadorcaro.com

Response Time: Within 10 business days

For Data Subject rights requests, Customers should use the API (see Section 7) or contact legal@email-site.ojogadorcaro.com with Data Subject's email address and nature of request.