Skip to content

Processing purposes + lawful basis — ZevSend

The purposes ZevSend processes personal data for. Lawful bases under NDPA §25.

Account access + authentication

What. Customers sign in to console.zevsend.com via ZevID OAuth. ZevSend receives the identity token + accountId and creates the corresponding team-membership rows if not yet present.

Lawful basis. Contract (necessary to provide the messaging service the customer signed up for).

Automated decisions / profiling. None.

Team + collaboration management

What. Adding / removing team members, role assignment, API-key issuance + revocation, domain ownership claims, brand identity submission, display-name registration, sender-id applications.

Lawful basis. Contract.

Automated decisions. None.

Domain verification + brand identity approval

What. Registering a customer-owned domain with the active sending carrier (AWS SES today), publishing required DNS records back to the customer, running continuous health checks, gating live-mode sending behind admin review of the team's brand identity.

Lawful basis. Contract (the customer wants their own domain to send from) + legitimate interest (the brand-approval gate is an anti-abuse / anti-impersonation control balanced against the customer's interest in self-service).

Automated decisions. The DomainHealthService cron auto-flips a previously verified domain to temporary_failure on missed DNS checks and to failed after the 48-hour grace window. The send pipeline refuses sends from failed domains; this is a documented service rule, not a decision affecting the customer's rights. The customer can re-publish records and click Verify to recover at any time.

Outbound transactional dispatch

What. Accepting send requests through /v1/emails, /v1/sms, /v1/whatsapp, /v1/verify, validating the from-domain ownership + verification + approval state + API-key scope, composing the wire-format message, dispatching via the active carrier, persisting the resulting message row.

Lawful basis. Contract (the customer is using the service they signed up for).

Note. For the recipient address + message body the customer dispatches, ZevSend is a processor — the customer is the controller and decides who to message. Processor obligations sit in the terms of service and (where requested) a DPA between ZevSend and the customer.

Bounce + complaint feedback ingestion

What. Receiving Delivery / Bounce / Complaint events from the carrier (SES via SNS, SMS / WhatsApp carrier callbacks), updating the message row, populating the team's suppression list on hard bounces and complaints, fanning the event out to the customer's webhook endpoints.

Lawful basis. Contract (operational delivery reporting the customer relies on) + legitimate interest (suppression-list maintenance is necessary to protect platform-level deliverability + comply with anti-spam regimes).

Automated decisions. Permanent bounces automatically add the recipient to the team's suppression list. Subsequent sends to the same recipient on the same team are refused until the customer manually removes the address. The customer can review + remove suppressions from the dashboard.

OTP verify (Verify channel)

What. Generating, hashing, storing, and dispatching one-time codes via SMS / email / WhatsApp on customer demand. Comparing a submitted code against the stored hash on check.

Lawful basis. Contract (the customer is using the service).

Plaintext storage. The plaintext OTP is never stored — only its hash. The hash is irreversibly deleted at expiry by the VerifyJanitorService cron.

Automated decisions. Expired codes are marked failed. No further automated decisions.

Billing + invoicing

What. Generating invoices, taking payments via ZevPay, recording subscription state, applying Zev Credit, processing scheduled plan changes.

Lawful basis. Contract + legal obligation (financial-record retention).

Automated decisions. None that affect data-subject rights. Auto-renewal of subscriptions is contract-driven; the customer can disable it or schedule a downgrade from the dashboard.

Audit + abuse response

What. Logging admin actions against customer resources, capturing source IP + user-agent on auth flows and admin actions, recording every cross-product (ZPIP) token issued or consumed.

Lawful basis. Legitimate interest — operational forensics + fraud / abuse response, balanced against the data subject's privacy interest.

Automated decisions. Per-team abuse signals can lead to a team being suspended (admin-permission-gated). Decisions are taken by a human admin reading the audit trail + bounce / complaint rates; no automated suspension is in place today.

Transactional notifications (customer-facing)

What. Account / billing / domain-lifecycle emails (domain approved, plan renewal pending, payment failed, etc.) sent to the customer's team owner / admin. Delivered through ZevSend's own send pipeline using the platform's own approved sending identity.

Lawful basis. Contract (operational notifications necessary to deliver the service).

Automated decisions. None. Marketing emails are explicitly not sent.


Notes

  • We do not run marketing email, behavioural analytics, profiling, or fraud-scoring on ZevSend data subjects. If we ever do, that's a new purpose requiring its own row here + a fresh consent UI before any data is processed for it.
  • No special-category (NDPA Sensitive) data is processed. See data-inventory.md.
  • The recipient addresses customer applications dispatch to are processor-side data; the controller is the customer, not ZevSend.