Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between McKit Solutions LLC (“we,” “Zeke”) and you (“Customer”). It governs how we process personal data on your behalf when you use Zeke.

This DPA is aligned with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA / CPRA). If your jurisdiction has additional requirements, email privacy@usezeke.com and we'll work with you on a jurisdiction-specific addendum.

When Customer uploads documents, connects ad accounts, or otherwise submits content to Zeke, Customer is the data controller and Zeke is the data processor for that content.

When Zeke collects information directly (account sign-up, payment details, usage telemetry), Zeke is the data controller for that information. That processing is governed by the Privacy Policy.

Categories of data subjects:Customer's team members, Customer's clients (agencies), Customer's clients' end-customers (contact-level attribution data, when synced from Meta), authors of documents Customer uploads.

Categories of personal data: names, email addresses, phone numbers (where present in uploaded documents or synced contact records), business titles, advertising performance data tied to identifiable campaigns.

Processing purposes: generating client actions and briefs, producing reports, enabling search over uploaded content, responding to user actions, audit logging, backup.

Processing duration:for the term of the Customer's subscription, plus 30 days post-cancellation for export purposes. Backup retention up to 90 days rolling.

Zeke implements the following technical and organizational measures:

• Encryption at rest (AES-256) and in transit (TLS 1.2+).
• Row-level security in the database — every customer's data is isolated at the query level.
• MFA required for all employee access to production systems.
• Audit logs for all production access, retained 1 year minimum.
• Least-privilege access policy — engineers only see customer data when responding to a support request the customer initiates.
• Annual penetration testing (starting year 2 of operations).
• Quarterly security posture reviews.
• Incident response plan with 72-hour breach notification per GDPR Article 33.

Zeke uses the following sub-processors to deliver the service. Each is bound by a written agreement requiring data-protection terms at least as stringent as this DPA.

Changes to sub-processors:we'll notify Customer by email at least 30 days before adding or replacing a sub-processor. Customer may object in writing; if we can't accommodate the objection, Customer may terminate the subscription with pro-rated refund.

Customer content sent to Anthropic and OpenAI is governed by their enterprise / API terms, which prohibit training on Customer data and require deletion within a bounded window:

• Anthropic API: customer-submitted inputs are not used to train models; retention for abuse monitoring up to 30 days, then deleted.
• OpenAI API (embeddings): API content is not used to train models; retention up to 30 days for abuse monitoring.

We pass through the strongest available data-protection option each provider offers. Enterprise customers on the Scale or Custom tier can request a zero-retention configuration where supported.

Zeke is operated from the United States. Where Customer or Customer's data subjects are in the EU, UK, Switzerland, or other jurisdictions with data-transfer rules, data is transferred to the US under:

• EU Commission Standard Contractual Clauses (SCCs) — Module 2 (controller-to-processor) incorporated by reference into this DPA.
• UK Addendum to the EU SCCs.
• Swiss Federal Data Protection Act amendments to the SCCs.

Customers on the Scale or Custom tier may elect to host their Supabase instance in the EU region for GDPR data residency.

Zeke provides tools for Customer to respond to data subject access, correction, deletion, and portability requests:

• Export all Customer data in JSON + CSV format via Settings → Data & Privacy.
• Delete specific records, documents, or the entire workspace from the same panel.
• Restrict processing (pause sync, pause action generation) without losing data.

If Customer receives a data-subject request that requires our assistance, email privacy@usezeke.com. We respond within 10 business days.

We notify Customer without undue delay, and in any case within 72 hoursof confirming a personal data breach affecting Customer's data. Notifications include:

• Nature of the breach and categories + approximate volume of data affected.
• Likely consequences.
• Measures taken or proposed to address the breach.
• Contact for follow-up.

Customer may audit Zeke's compliance with this DPA by requesting our most recent SOC 2 Type II report (when available; targeted for year 2 of operations) or, for Scale+ customers, by scheduling an on-site or virtual audit with 30 days' notice, limited to once per 12 months.

Within 30 days of termination or at Customer's written request, Zeke will either (a) return all Customer data in a machine-readable export, or (b) delete all Customer data including from backups (next backup cycle). Customer chooses. We'll certify completion in writing.

Data Protection Officer (acting): Connor McKit, Founder
privacy@usezeke.com
McKit Solutions LLC. Mailing address available on request.

For EU-specific privacy concerns, Customer may also contact its local Data Protection Authority.