DEADWEIGHTdeadweight.email
← Back to Deadweight

Data Processing Addendum

Last updated: July 11, 2026

This DPA forms part of the applicable Deadweight order or Terms between the merchant identified in that order ("Controller") and the Deadweight service provider identified in the same order ("Processor"). A countersigned copy with legal names, addresses, governing law, and signature blocks is available before paid processing. Request it at hello@deadweight.email.

Scope and roles

The Controller determines why and how Klaviyo subscriber data is used. The Processor handles that data only to provide the connected audit, controlled cleanup, rollback, verification, monitoring, security, and support services documented by the Controller's actions and order.

ItemDescription
DurationFor the connected workspace until disconnection, deletion, or termination, subject to required retention and backup cycles
Data subjectsSubscribers, customers, leads, and contacts represented in the Controller's Klaviyo workspace; authorized Controller users
Personal dataKlaviyo profile IDs and attributes available through authorized APIs, subscription state, event and order signals, segment membership, and related object and job IDs
OperationsRetrieve, compare, segment, count, snapshot, suppress, unsuppress, verify, log, secure, and delete as instructed
PurposeInactive-profile auditing, controlled suppression, rollback, billable-count verification, monitoring, and support

Documented instructions

The Processor will process personal data only on documented instructions in the order, these terms, the published methodology, the Controller's OAuth grants, settings, and typed approvals, unless law requires otherwise. The Processor will inform the Controller if an instruction appears to violate applicable data-protection law, unless prohibited.

Processor duties

  • Ensure authorized personnel are bound by confidentiality.
  • Apply appropriate technical and organizational measures described on the Security page.
  • Assist, taking into account the nature of processing, with data-subject requests, security, breach assessment, impact assessments, and regulator consultations.
  • Notify the Controller without undue delay after confirming a personal-data breach affecting the Controller's data.
  • Delete or return personal data at the end of services, at the Controller's choice, except where law requires retention.
  • Make information reasonably necessary to demonstrate compliance available and support a proportionate audit subject to confidentiality, security, and cost arrangements.

Subprocessors

The Controller gives general authorization for the providers on the Subprocessors page. The Processor will impose materially equivalent data-protection obligations and remain responsible for their performance to the extent required by applicable law. Material additions will be posted before they begin processing where practicable. The Controller may object on reasonable data-protection grounds.

International transfers

Where GDPR or UK GDPR restricts a transfer and no adequacy decision applies, the parties incorporate the applicable 2021 EU Standard Contractual Clauses, normally Module Two, and the UK Addendum where required. The parties will complete the annexes with the order-specific legal identities, processing, transfer locations, and security measures.

Controller duties

The Controller warrants that it has a lawful basis, provides required notices, honors data-subject rights, configures Klaviyo lawfully, and is authorized to instruct Deadweight. The Controller must review the candidate segment and must not approve suppression where its own retention, consent, contractual, or legal obligations prohibit it.

Precedence

If this DPA conflicts with the service Terms on data processing, this DPA controls. Signed order-specific terms and mandatory data-protection law control over this public form.

Deadweight is an independent service and is not affiliated with or endorsed by Klaviyo, Inc. Contact: hello@deadweight.email.