Data Processing Addendum (DPA)

Last updated: December 19, 2025

This Data Processing Addendum (“DPA”) is incorporated into and made part of the Cerkl Terms of Service (the “Agreement”) between Cerkl, Inc. (“Cerkl”) and the customer agreeing to the Terms of Service (“Customer”).

This DPA applies to all Plans, including free and paid, and governs Cerkl’s processing of Customer Data on behalf of Customer in providing the Service.

Definitions

  • “Customer Data” means all electronic data or information submitted by Customer to the Service, including data relating to Subscribers and Users.
  • “Personal Data” means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.
  • “Data Protection Laws” means all laws and regulations relating to data protection, privacy, and security, including, but not limited to, the GDPR, UK GDPR, and CCPA.
  • “Processing” has the meaning given in Data Protection Laws, and “process” will be interpreted accordingly.
  • “Subprocessor” means any third party engaged by Cerkl to process Personal Data on behalf of Customer.
  • “Standard Contractual Clauses (SCCs)” means the EU Commission-approved clauses for international data transfers, as updated from time to time.

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

Roles of the Parties

  • Customer is the controller of Personal Data.
  • Cerkl is the processor of Personal Data, processing it only on behalf of and under the instructions of Customer.
  • For CCPA, Cerkl acts as a service provider.

Scope of Processing

  • Cerkl processes Personal Data only to provide the Service, as described in the Agreement and Privacy Policy, and in accordance with Customer’s documented instructions.
  • Categories of data subjects: Subscribers and Users.
  • Categories of data: Personal Data included in Customer Data (e.g., names, emails, preferences, interaction history).
  • Duration: For the term of the Agreement plus any retention period described in the "Data Retention and Deletion" section below.

Customer Responsibilities

Customer is responsible for ensuring its instructions to Cerkl comply with Data Protection Laws. Customer is responsible for providing appropriate privacy notices to data subjects and obtaining all necessary consents.

Cerkl Obligations

Cerkl will:

  • Process Personal Data only on documented instructions from Customer.
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect Personal Data.
  • Notify Customer without undue delay after becoming aware of a Personal Data Breach.
  • Assist Customer with responding to data subject requests, data protection impact assessments, and breach notifications, as required by law.
  • Delete or return all Customer Data at the end of the Agreement, unless retention is required by law.

Subprocessors

Customer authorizes Cerkl to engage Subprocessors to provide the Service. Cerkl maintains a current list of Subprocessors (available upon request). Cerkl will impose data protection obligations on Subprocessors equivalent to those in this DPA.

International Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, Cerkl will ensure such transfers are subject to appropriate safeguards under Data Protection Laws, such as SCCs. By agreeing to this DPA, Customer enters into the SCCs with Cerkl as incorporated herein.

Data Retention and Deletion

Cerkl retains Customer Data for as long as the Customer account remains active. Upon termination, Cerkl will delete or return Customer Data within 30 days (per Cerkl’s data retention policy), unless otherwise required by law.

Data Subject Rights

Data Subject RightsCerkl will assist Customer in responding to data subject requests under Data Protection Laws (e.g., access, rectification, erasure, portability).

Cerkl shall not respond to such communication directly from Subscribers except as appropriate (for example, to direct the data subject to contact (Customer) or legally required, without Customer’s prior authorization.

Audits and Certifications

Upon written request, Cerkl will provide Customer with information reasonably necessary to demonstrate compliance with this DPA.

To the extent required by law, Customer may conduct audits (at its expense) limited to once per year, during normal business hours, and without disrupting Cerkl’s operations.

Liability

The limitations of liability in the Agreement apply to this DPA.

Order of Precedence

In the event of conflict, the following order applies:

  1. SCCs (if applicable),
  2. this DPA,
  3. the Agreement.

Miscellaneous

This DPA is governed by the same law and jurisdiction as the Agreement. This DPA applies to all Customers, regardless of Plan.

Annex I - Details of Processing

Controller (Customer): The entity identified in the Agreement.

Processor (Cerkl): Cerkl, Inc., 11126 Kenwood Road, Suite 201, Blue Ash OH 45242

Data subjects: Subscribers and Users.

Categories of data: Contact details, preferences, engagement history, communications, and other Customer Data.

Processing activities: Hosting, transmitting, analyzing, and generating communications and insights.

Duration: For the term of the Agreement and any applicable retention period.

Annex II - Technical and Organizational Measures

Cerkl implements industry-standard measures to protect Personal Data, including:

  • Encryption in transit and at rest.
  • Access controls and authentication.
  • Network and infrastructure security.
  • Regular security testing and monitoring.
  • Incident response procedures.