Data Processing Agreement

Last updated: May 7, 2026

Need a signed DPA?

Email hello@cadento.co with your company details and we'll send you a countersigned copy within 2 business days.

1. Definitions

In this Data Processing Agreement ("DPA"):

  • "Customer" means you, the entity or individual who has created a Cadento account and accepted our Terms of Service.
  • "Cadento," "we," or "us" means the provider of the Cadento service.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data. In most cases, this is you (the Customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller. Cadento acts as a Processor when it handles data from your Klaviyo account.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
  • "Data Protection Laws" means all applicable laws relating to data protection, privacy, and security, including GDPR, CCPA, and other regional regulations.
  • "Sub-processor" means any third party engaged by Cadento to process Personal Data on behalf of the Customer.

2. Scope and Role

This DPA applies to the processing of Personal Data by Cadento in connection with the Cadento service, including data synced from your Klaviyo account.

Cadento acts as a Processor. You (the Customer) act as the Controller. You determine what data to sync and how to use the Cadento service. Cadento processes that data only on your instructions and in accordance with this DPA.

3. Data We Process

When you connect Klaviyo, Cadento may process:

  • Campaign metadata: Campaign names, subject lines, send dates, status
  • Email creative content: HTML of sent emails (for preview)
  • Performance metrics: Aggregate counts (sends, opens, clicks, revenue) — no individual recipient data
  • Account identifiers: Klaviyo account ID and name

Cadento does NOT process:

  • Customer lists, profiles, or contact information
  • Individual email recipient data
  • Behavioral tracking data

Our OAuth scopes are read-only:

  • Klaviyo: accounts:read campaigns:read templates:read
  • Figma: file_content:read

4. Processing Instructions

Cadento will process Personal Data only on your documented instructions, which include:

  • Your use of the Cadento service in accordance with our Terms of Service
  • Your Klaviyo connection settings and sync preferences
  • Any other written instructions you provide that we agree to in writing

If we believe an instruction violates Data Protection Laws, we will inform you and may refuse to carry out that instruction.

5. Security Measures

Cadento implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption: All data in transit uses HTTPS. OAuth tokens are encrypted at rest using AES-256-GCM. Database is encrypted at rest.
  • Access controls: User data is isolated by account. Only you can access your data. All API routes are auth-gated.
  • Password security: Passwords are hashed with bcrypt. We never store plaintext passwords.
  • Infrastructure: Hosted on SOC 2 certified providers (Vercel, Neon).
  • Regular updates: We apply security patches promptly and conduct regular security reviews.

6. Sub-processors

Cadento engages the following sub-processors to provide the service:

Sub-processorPurposeLocation
Vercel Inc.Application hostingUnited States
Neon (Neon, Inc.)Database hostingUnited States (AWS)
ScreenshotOneEmail screenshot generationEurope
Klaviyo, Inc.Source of campaign dataUnited States
Figma, Inc.Design file screenshotsUnited States

Notice of changes: If we add a new sub-processor, we will update this list and notify you at least 30 days in advance. You may object to the new sub-processor by emailing hello@cadento.co within 30 days. If we cannot accommodate your objection, you may terminate your account and we will refund any prepaid fees.

7. Data Subject Rights

If you receive a request from a data subject (e.g., someone who received an email from you) to exercise their rights under Data Protection Laws (access, deletion, portability, etc.), you are responsible for responding.

Cadento will assist you to the extent reasonably necessary by:

  • Providing you with tools to access, export, or delete your data in the Cadento service
  • Responding to your requests for assistance within 10 business days

Note: Since Cadento does not store individual recipient data, most data subject requests should be directed to Klaviyo, where the underlying customer lists are stored.

8. Data Retention and Deletion

  • Active accounts: We retain your data for as long as your account is active.
  • Account deletion: When you delete your account, we permanently delete all your data within 30 days.
  • Klaviyo disconnection: When you disconnect Klaviyo, we delete OAuth tokens immediately. Campaign data remains unless you manually delete it or delete your account.
  • Screenshots: Email screenshots are cached by ScreenshotOne for 30 days, after which they are automatically purged.

9. Data Breach Notification

If Cadento becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data ("Data Breach"), we will:

  • Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide you with information about the nature of the breach, affected data, and remediation steps
  • Take reasonable steps to mitigate the breach and prevent future occurrences

10. Audits and Compliance

Upon reasonable written request and with at least 30 days' notice, you may audit Cadento's compliance with this DPA, subject to:

  • Audits no more than once per year unless required by a Data Protection Authority
  • Execution of a reasonable confidentiality agreement
  • Reimbursement of our reasonable costs for facilitating the audit

Alternatively, we may provide you with a recent SOC 2 or ISO 27001 audit report from our sub-processors in lieu of a direct audit.

11. International Transfers

All data is stored in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the transfer of Personal Data to the U.S. is governed by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, which we incorporate by reference into this DPA
  • Supplementary measures as required by the Schrems II decision, including encryption and access controls

If you require a signed copy of the SCCs, email hello@cadento.co.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations of liability set forth in our Terms of Service.

To the extent permitted by law, Cadento's total liability for any claims arising from or related to this DPA shall not exceed the amount you paid us in the twelve (12) months prior to the event giving rise to the claim.

13. Term and Termination

This DPA takes effect when you create a Cadento account and remains in effect until:

  • You delete your account, or
  • We terminate your account in accordance with our Terms of Service

Upon termination, Cadento will delete or return all Personal Data within 30 days, unless legally required to retain it.

14. Governing Law

This DPA is governed by the same law as our Terms of Service. In the event of a conflict between this DPA and our Terms of Service, this DPA shall prevail with respect to data processing matters.

Contact Us

Questions about this DPA or need a signed copy? Contact us:

Email: hello@cadento.co