Data Processing Addendum — Delivery Zone
Version: 1.1 Last updated: 2026-05-17 Effective date: 2026-05-13
This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the Delivery Zone Terms of Service between:
- Customer — the entity or individual that has agreed to the Delivery Zone Terms of Service
("Controller"); and
- Gn-projects — the operator of the Delivery Zone service ("Processor").
Where the Terms of Service and this DPA conflict, this DPA takes precedence with respect to personal data processing matters.
1. Definitions
- "Customer" means the entity that has agreed to the Terms of Service and is acting as data
controller for end-customer personal data submitted via the API.
- "Delivery Zone" / "Processor" means Gn-projects, the operator of the Delivery Zone
service.
- "Personal Data" has the meaning given in GDPR Article 4(1).
- "Processing" has the meaning given in GDPR Article 4(2).
- "GDPR" means EU Regulation 2016/679 (General Data Protection Regulation).
- "Sub-processor" means any third party engaged by Delivery Zone to process Personal Data
on behalf of the Customer.
- "Data Subject" means any natural person whose Personal Data is processed under this DPA.
- "Supervisory Authority" means the competent data protection supervisory authority, being
the Finnish Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
- "SCCs" means the EU Standard Contractual Clauses for the transfer of personal data to
third countries, as approved by the European Commission.
2. Roles
The Customer is the data controller for personal data of its end customers (e.g., postcode values linked to identifiable delivery addresses) submitted to Delivery Zone via the API.
Delivery Zone is the data processor acting solely on the Customer's documented instructions for that data.
Delivery Zone is separately the data controller for its own account, billing, and security data — that processing is described in the Privacy Policy.
Scope of this DPA. This DPA applies only to Customer Personal Data processed by Delivery Zone as processor on behalf of the Customer through the Delivery Zone API. Delivery Zone's processing of account, billing, authentication, security, audit, and business contact data as an independent controller is described in the Privacy Policy and is outside the processor scope of this DPA.
3. Subject Matter and Duration of Processing
Subject matter: Delivery Zone processes Customer's end-customer data solely to perform postcode-based delivery availability checks as instructed by the Customer via the API.
Duration: Processing continues for the duration of the Customer's active subscription. On termination or expiry of the subscription, processing of new Personal Data under this DPA ceases. Data retention obligations are described in Section 8.
4. Nature and Purpose of Processing
Delivery Zone processes the following data submitted by the Customer via the API:
- Finnish postcode values (e.g., "00100").
- Basket value in cents (where submitted; used for delivery rule calculations).
- Timestamp, HTTP headers, and IP address of the API caller's server for security and billing
audit purposes.
Purpose: Solely to evaluate whether the postcode falls within a configured delivery zone and to return a delivery check result to the Customer. API usage logs may be used for billing, security, rate limiting, troubleshooting, abuse prevention, and detection of prohibited bulk extraction, scraping, or dataset reconstruction.
We do not:
- Use end-customer data to build profiles or derive insights beyond the immediate API request.
- Share end-customer data with other customers.
- Train machine learning models on end-customer data.
- Use end-customer data for any purpose other than providing the Delivery Zone service.
5. Categories of Data and Data Subjects
Categories of Personal Data processed:
- Postcode values (potentially linkable to identifiable addresses when combined with other data
held by the Customer).
- IP addresses of the Customer's server or integration (not the end customer's IP address in
typical usage).
Categories of Data Subjects:
- The Customer's end customers or employees whose postcodes are submitted via the API.
6. Customer Obligations (Controller)
The Customer shall:
- Have a valid, documented lawful basis under GDPR for submitting Personal Data to the
Delivery Zone API.
- Provide appropriate transparency to its end customers about how their data is processed,
including via the Customer's own privacy policy.
- Submit only the minimum necessary Personal Data. The standard API is designed to operate
with postcode-level input. Customers must not submit names, full street addresses, phone numbers, email addresses, payment card data, special-category data, or other unnecessary personal data to the API.
- Ensure that API keys are kept confidential and are not exposed publicly.
- Provide Delivery Zone with written instructions if the Customer wishes Delivery Zone to
process data in a manner beyond the standard service delivery described in this DPA.
- Notify its end customers of their data subject rights and facilitate the exercise of those
rights (see Section 10).
7. Delivery Zone's Obligations as Processor (GDPR Article 28)
Delivery Zone shall:
- Process only on instructions. Process Personal Data only on the Customer's documented
instructions, which are set out in this DPA and the standard operation of the API. If Delivery Zone believes an instruction would infringe GDPR, it will notify the Customer.
- Confidentiality. Ensure that persons authorised to process Personal Data are under
appropriate contractual confidentiality obligations and are trained accordingly.
- Security. Implement appropriate technical and organisational security measures as
described in the Security Policy and GDPR Article 32, including encryption in transit (TLS), access controls, and secure API key storage.
- Sub-processors. Engage sub-processors only as described in Section 9, and impose
equivalent data protection obligations on sub-processors by contract.
- Data subject assistance. Assist the Customer in responding to data subject requests
(access, erasure, portability, etc.) to the extent technically feasible and within the scope of data Delivery Zone processes.
- Breach notification. Notify the Customer without undue delay after becoming aware of a
confirmed or suspected Personal Data breach affecting Customer Personal Data. Where reasonably practicable, this initial notification will be made within 72 hours. Where initial notification cannot include full details, Delivery Zone will provide further information as it becomes available.
- DPIA assistance. Provide reasonable assistance to the Customer in carrying out data
protection impact assessments where required under GDPR Article 35.
- Deletion / return on termination. Delete or return all Customer Personal Data on
termination of the service, subject to the retention periods in Section 8. Confirm deletion in writing on request.
- Audit rights. Make available information reasonably necessary to demonstrate compliance
with this DPA, such as relevant policies, summaries, certifications, security documentation, and written responses. Any audit must be subject to reasonable prior notice, confidentiality obligations, normal business hours, security restrictions, and must not unreasonably disrupt Delivery Zone's operations. On-site audits may be limited where equivalent documentation or third-party assurance is reasonably sufficient.
8. Data Retention and Deletion
API request logs containing postcode data and associated metadata are retained for up to 12 months for billing audit, security monitoring, and abuse investigation purposes, then deleted.
Upon termination or expiry of the subscription, Customer Personal Data processed by Delivery Zone as processor under this DPA will be deleted or anonymised within 90 days, except where retention is required by applicable law, necessary for security, abuse prevention, billing disputes, legal claims, or where Delivery Zone acts as an independent controller as described in the Privacy Policy.
9. Sub-processors
Delivery Zone engages the sub-processors listed at /legal/subprocessors. Delivery Zone will:
- Provide at least 30 days' prior written notice (via email to the Customer's registered
email address and by updating the Subprocessors page) before engaging a new sub-processor that will process Customer Personal Data.
- Give the Customer the opportunity to object to the new sub-processor.
- If the Customer objects and the parties cannot resolve the issue, the Customer may terminate
the service with a pro-rata refund for any prepaid period remaining after the effective date of the new sub-processor.
10. International Transfers
Delivery Zone aims to process all Personal Data within the EU/EEA. Where a sub-processor operates globally or processes Personal Data outside the EU/EEA, Delivery Zone ensures appropriate transfer safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission, including the applicable module(s), where required.
- The EU-U.S. Data Privacy Framework where applicable.
- The sub-processor's binding corporate rules (BCRs), where applicable.
- A valid adequacy decision by the European Commission for the destination country.
Details of transfer mechanisms for each sub-processor are available in the Subprocessors list.
11. Security Measures (GDPR Article 32)
Delivery Zone implements the following measures appropriate to the nature and risk of the processing:
- Encryption in transit: TLS 1.2+ for all API and dashboard connections.
- Access controls: Role-based access control (RBAC); API keys scoped to organisations;
platform admin access separately gated.
- Pseudonymisation: API logs reference an organisation ID and key prefix rather than
personal identifiers of end customers.
- Data minimisation: Only technically necessary data is retained from API requests.
- Monitoring: Structured security logging and rate limiting on authentication endpoints.
- Vulnerability management: Internal security review processes; responsible disclosure
channel (security@deliveryzone.fi).
- Incident response: Internal procedures for assessing and responding to suspected
security incidents and personal data breaches; breach notification without undue delay where legally or contractually required.
12. Breach Notification
In the event of a confirmed or suspected Personal Data breach (as defined in GDPR Article 4(12)) affecting Customer Personal Data, Delivery Zone will:
- Notify the Customer without undue delay after becoming aware of the breach. Where
reasonably practicable, this initial notification will be made within 72 hours. Where full details are not available at the time of initial notification, Delivery Zone will provide further information as it becomes available.
- Include in its notification, to the extent known: the nature of the breach, approximate
number of data subjects affected, categories and approximate volume of Personal Data involved, likely consequences, and measures taken or proposed.
- Cooperate reasonably with the Customer to support any notification obligations the
Customer may have to the supervisory authority or to Data Subjects.
13. Annex A — Processing Details
| Field | Description |
|---|---|
| Subject matter | Postcode-based delivery availability validation via the Delivery Zone API |
| Duration | Active subscription term plus retention period in Section 8 |
| Nature and purpose | API validation; billing and security logging; abuse prevention and detection |
| Categories of personal data | Postcode; basket value where submitted; timestamp; HTTP metadata; API caller IP address; organisation ID; API key prefix |
| Categories of data subjects | Customer's end customers or employees whose postcodes are submitted via the API |
14. Annex B — Technical and Organisational Measures
Delivery Zone implements the following measures appropriate to the risk of the processing:
- Encryption in transit: TLS 1.2+ for all API and dashboard connections.
- API key security: bcrypt-hashed key secrets; only prefix stored in plaintext.
- Access controls: Role-based access control (RBAC); API keys scoped to organisations; platform admin access separately gated.
- MFA support: Multi-factor authentication available and enforced for admin functions.
- Data minimisation: Only technically necessary data is retained from API requests; no end-customer names or full addresses logged.
- Audit and security logging: Structured security logs with controlled access; rate limiting on authentication and API endpoints.
- Restricted admin access: Internal access to customer data limited by role and documented policy.
- Retention and deletion controls: Automated retention limits applied to API logs; account deletion triggers data removal within 90 days.
- Vulnerability management: Internal security review processes; responsible disclosure channel at security@deliveryzone.fi.
15. Annex C — Subprocessors and International Transfers
Current subprocessors are listed at /legal/subprocessors.
Delivery Zone will provide at least 30 days' prior notice before adding or replacing a subprocessor that processes Customer Personal Data, and will give the Customer the opportunity to object.
International transfers of Customer Personal Data occur only under appropriate safeguards as described in Section 10.
16. Contact for DPA Matters
For DPA enquiries, data subject request assistance, or to request a countersigned copy of this DPA, contact: privacy@deliveryzone.fi
17. Governing Law
This DPA is governed by the laws of Finland. Disputes arising under this DPA are subject to the jurisdiction of Finnish courts, consistent with the main Terms of Service.