Data Processing Addendum

Last updated: May 13, 2026

This Data Processing Addendum ("DPA") applies when ZidiMail processes personal data on behalf of a customer (the "Controller") in connection with the Service. It reflects common GDPR Article 28 requirements. If you need a countersigned copy for your vendor records, contact privacy@zidimails.com.

1. Definitions

Personal data, processing, controller, processor, and related terms have the meanings under applicable data protection law (including the GDPR). "Sub-processor" means a third party engaged by ZidiMail to process personal data on behalf of the Controller.

2. Roles

The Controller determines the purposes and means of processing personal data submitted to the Service (for example, recipient addresses and message metadata). ZidiMail processes such data only on documented instructions from the Controller (including via the Terms, this DPA, and settings in the dashboard/API), unless required otherwise by law.

3. Details of processing

  • Subject matter: provision of transactional email delivery and related dashboard features.
  • Duration: for the term of the agreement and as described in the Privacy Policy.
  • Nature & purpose: sending email, logging delivery events, billing, security, and support.
  • Categories of data subjects: end recipients of email and account users the Controller authorizes.
  • Categories of personal data: typically contact data (email addresses), identifiers in headers, and metadata described in the Privacy Policy. The Service is not intended for special categories of data; the Controller must not submit such data without a lawful basis and our prior agreement.

4. Sub-processors

The Controller authorizes ZidiMail to engage Sub-processors listed or updated on our Subprocessors page. We will provide notice of material changes where required by law.

5. Security

ZidiMail implements appropriate technical and organizational measures to protect personal data, as described at a high level in the Privacy Policy.

6. Assistance

Taking into account the nature of processing, ZidiMail will assist the Controller with reasonable requests regarding data subject rights, security incidents, and impact assessments where legally required and to the extent commercially reasonable.

7. Breach notification

ZidiMail will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, in line with legal requirements.

8. Return & deletion

Upon termination, ZidiMail will delete or return personal data in accordance with the Privacy Policy and applicable law, except where retention is required by law.

9. Audits

The Controller may request information reasonably necessary to demonstrate compliance. Onsite audits may be agreed separately where required and subject to confidentiality and security constraints.

10. International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, we use appropriate safeguards (such as standard contractual clauses) as required by applicable law.

11. Contact