Data Processing Addendum
Last updated: July 11, 2026
This DPA forms part of the applicable Deadweight order or Terms between the merchant identified in that order ("Controller") and the Deadweight service provider identified in the same order ("Processor"). A countersigned copy with legal names, addresses, governing law, and signature blocks is available before paid processing. Request it at hello@deadweight.email.
Scope and roles
The Controller determines why and how Klaviyo subscriber data is used. The Processor handles that data only to provide the connected audit, controlled cleanup, rollback, verification, monitoring, security, and support services documented by the Controller's actions and order.
| Item | Description |
|---|---|
| Duration | For the connected workspace until disconnection, deletion, or termination, subject to required retention and backup cycles |
| Data subjects | Subscribers, customers, leads, and contacts represented in the Controller's Klaviyo workspace; authorized Controller users |
| Personal data | Klaviyo profile IDs and attributes available through authorized APIs, subscription state, event and order signals, segment membership, and related object and job IDs |
| Operations | Retrieve, compare, segment, count, snapshot, suppress, unsuppress, verify, log, secure, and delete as instructed |
| Purpose | Inactive-profile auditing, controlled suppression, rollback, billable-count verification, monitoring, and support |
Documented instructions
The Processor will process personal data only on documented instructions in the order, these terms, the published methodology, the Controller's OAuth grants, settings, and typed approvals, unless law requires otherwise. The Processor will inform the Controller if an instruction appears to violate applicable data-protection law, unless prohibited.
Processor duties
- Ensure authorized personnel are bound by confidentiality.
- Apply appropriate technical and organizational measures described on the Security page.
- Assist, taking into account the nature of processing, with data-subject requests, security, breach assessment, impact assessments, and regulator consultations.
- Notify the Controller without undue delay after confirming a personal-data breach affecting the Controller's data.
- Delete or return personal data at the end of services, at the Controller's choice, except where law requires retention.
- Make information reasonably necessary to demonstrate compliance available and support a proportionate audit subject to confidentiality, security, and cost arrangements.
Subprocessors
The Controller gives general authorization for the providers on the Subprocessors page. The Processor will impose materially equivalent data-protection obligations and remain responsible for their performance to the extent required by applicable law. Material additions will be posted before they begin processing where practicable. The Controller may object on reasonable data-protection grounds.
International transfers
Where GDPR or UK GDPR restricts a transfer and no adequacy decision applies, the parties incorporate the applicable 2021 EU Standard Contractual Clauses, normally Module Two, and the UK Addendum where required. The parties will complete the annexes with the order-specific legal identities, processing, transfer locations, and security measures.
Controller duties
The Controller warrants that it has a lawful basis, provides required notices, honors data-subject rights, configures Klaviyo lawfully, and is authorized to instruct Deadweight. The Controller must review the candidate segment and must not approve suppression where its own retention, consent, contractual, or legal obligations prohibit it.
Precedence
If this DPA conflicts with the service Terms on data processing, this DPA controls. Signed order-specific terms and mandatory data-protection law control over this public form.