Data Processing Agreement

Published: Jul 2nd, 2026
Stealth Black Oy (FI31383892)
Last reviewed: Jul 2nd, 2026

This Data Processing Agreement (“DPA”) forms an integral part of the agreement between Stealth Black Oy (“Supplier”) and the customer (“Customer”) concerning the use of the Zefram service (“Service”), such as an order confirmation or the Service’s terms of service (together the “Agreement”). This DPA applies automatically to the extent the Supplier processes personal data on behalf of the Customer, and no separate signature is required.

1. Roles of the Parties

For personal data processed on behalf of the Customer in the Service (“Customer Data”), the Customer acts as the data controller and the Supplier as the data processor within the meaning of the EU General Data Protection Regulation (2016/679, “GDPR”).

For the avoidance of doubt, the Supplier acts as an independent data controller for (i) its business contact database, as described in the Database Privacy Policy, and (ii) aggregated or pseudonymised data described in Section 7.

2. Subject Matter and Nature of Processing

The Supplier processes Customer Data in order to provide the Service’s sales automation functionalities on the Customer’s behalf, including: identifying and retrieving contact details of prospects selected on the basis of criteria defined by the Customer; composing and sending messages from the Customer’s own mailbox via the mailbox provider’s interfaces; processing replies and bounces in order to manage messaging sequences; and recording delivery and engagement events related to sent messages.

3. Categories of Data and Data Subjects

Data subjects: the Customer’s users, and prospects and message recipients.

Categories of personal data:

  • Contact and role information of prospects (e.g. name, title, email, phone),
  • Message content and related correspondence,
  • Delivery and engagement events of sent messages, including timestamps and technical metadata (such as IP address, device, operating system and client information),
  • User account information of the Customer’s users.

4. Customer’s Responsibilities

The Customer is responsible, as the data controller, for the lawfulness of the processing carried out on its behalf. In particular, the Customer is responsible for:

  • ensuring that it has a valid legal basis under the GDPR for the outreach it initiates through the Service,
  • the lawfulness of the instructions it gives to the Supplier; the Customer’s use of the Service and its settings constitute the Customer’s documented instructions,
  • deciding whether, how and to what extent message recipients are informed of the processing of their personal data. The Supplier recommends that the Customer provide recipients with appropriate transparency information, but the manner of communication remains in the Customer’s discretion and responsibility as controller,
  • compliance with electronic direct marketing and ePrivacy rules applicable in the recipients’ jurisdictions,
  • ensuring that the persons it chooses to contact through the Service may lawfully be contacted and that their contact details are valid and appropriate for the intended outreach, and honouring opt-outs and objections received. Contact data made available in the Service is compiled from public sources and provided as is, without warranty of accuracy or completeness.

5. Supplier’s Obligations

The Supplier shall:

  • process Customer Data only on the Customer’s documented instructions,
  • ensure that persons authorised to process Customer Data are bound by confidentiality,
  • implement appropriate technical and organisational security measures in accordance with Article 32 of the GDPR,
  • taking into account the nature of the processing, reasonably assist the Customer in fulfilling its obligations concerning data subject rights and Articles 32–36 of the GDPR; the Supplier may charge a reasonable fee for assistance exceeding what is required by law,
  • notify the Customer without undue delay after becoming aware of a personal data breach concerning Customer Data,
  • upon termination of the Agreement, delete the Customer Data in accordance with the Agreement, unless applicable law requires its retention,
  • make available information reasonably necessary to demonstrate compliance with this DPA. The audit right under Article 28(3)(h) of the GDPR is in the first instance satisfied by the Supplier making available relevant documentation. On-site inspections may be conducted only where such documentation is demonstrably insufficient, are limited to once in any 12-month period, require 30 days’ prior written notice, take place during normal business hours without disrupting the Supplier’s operations, and are conducted at the Customer’s expense.

6. Sub-processors

The Customer grants the Supplier a general authorisation to use sub-processors. The current sub-processors are listed in Clause 6 of the Database Privacy Policy. The Supplier informs of changes to sub-processors by updating said list. If the Customer objects to a new sub-processor on reasonable data protection grounds, the Customer may, as its exclusive remedy, discontinue the use of the feature concerned.

7. Aggregated Data

The Supplier may use usage and engagement data generated in connection with the Service in an aggregated or pseudonymised form to maintain, secure, develop and improve the Service. The Supplier acts as an independent data controller for such data.

8. Data Transfers

Customer Data is primarily processed within the European Economic Area. Where a sub-processor processes personal data outside the EEA, the transfer is based on an adequacy decision of the European Commission (including the EU–U.S. Data Privacy Framework) or on standard contractual clauses.

9. Liability

The limitations of liability of the Agreement apply to this DPA. Each party is responsible for the obligations imposed on it as controller or processor under the GDPR.

10. Term

This DPA remains in force for as long as the Supplier processes Customer Data on behalf of the Customer.