zend.shzend.sh
Legal
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", the data controller) and zend.sh ("Processor"). It governs the processing of personal data zend.sh carries out on your behalf.
Last updated: 2026-06-19
Contents
Customer is the data controller in respect of personal data uploaded to or generated within the Service (contact lists, lead data, campaign recipient information). zend.sh is the data processor, processing that data only on Customer's documented instructions.
This DPA covers personal data processed by zend.sh when providing the sending, warmup, deliverability, and analytics features of the Service.
zend.sh processes personal data solely to: (a) deliver emails per your instructions via the connected sending providers; (b) operate the warmup network using synthetic inboxes (no real recipient personal data is used in warmup); (c) provide deliverability analytics; and (d) support and maintain the Service.
Customer is responsible for identifying and relying on a valid legal basis (consent, legitimate interest, or other) for each recipient before instructing zend.sh to process their data.
zend.sh engages sub-processors to assist in providing the Service. These are listed on our Sub-processors page. Key sub-processors that may process Customer personal data include Supabase (encrypted credential and lead data storage), Microsoft Azure / ACS (email dispatch), Railway (application hosting), and Inngest (job scheduling).
zend.sh will notify Customers of material changes to the sub-processor list by updating the Sub-processors page and notifying registered users with at least 14 days' notice before the new sub-processor processes personal data, unless emergency circumstances require a shorter period.
Customer may object to a new sub-processor with legitimate grounds within the notice period; if the parties cannot resolve the objection, Customer may terminate the affected Services.
zend.sh implements the following technical and organizational measures to protect personal data:
Where Customer receives a request from a data subject to exercise their rights (access, rectification, erasure, portability), zend.sh will assist Customer in fulfilling that request within the scope of data controlled by zend.sh on Customer's behalf, using reasonable technical means.
Customer is responsible for maintaining suppression lists and honoring opt-outs. zend.sh provides a GDPR suppression API to help manage this.
Personal data may be transferred to and processed in countries outside the EEA/UK by zend.sh's sub-processors. Where applicable, these transfers rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement, as implemented in the relevant sub-processor agreements.
zend.sh does not itself maintain SCCs directly with each Customer but can provide sub-processor DPAs and transfer documentation upon request.
Upon termination of the Service or upon Customer's written request, zend.sh will delete or return Customer personal data within 30 days, except where retention is required by applicable law.
Backups may retain data for up to 30 additional days after the deletion window.
zend.sh will provide information reasonably necessary for Customer to demonstrate compliance with applicable data protection laws, including responding to questionnaires and providing access to relevant policies.
zend.sh will notify Customer without undue delay upon becoming aware of a personal data breach affecting Customer data.
Questions about this document? Contact legal@zend.sh.