
Data Processing Addendum
Last Updated March 5, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer identified in the applicable order form, checkout flow, or statement of work (“Customer”) and Entri, LLC, a Virginia Limited Liability Company (“Provider”). This DPA applies to Customer Data and End-User PII processed by Provider in connection with the services, subject to the role allocations set out in Section 2.
1. Definitions
1.1 “Agreement” means the master services agreement, terms of service, order form, or other agreement governing Customer or End User’s use of the Services.
1.2 “Customer Data” means personal data submitted to the services by or on behalf of Customer, including personal data accessed via Customer-authorized integrations and billing and administration information.
1.3 “Data Protection Laws” means applicable privacy and data protection laws and regulations that apply to the processing of Customer Data including GDPR and UK GDPR where applicable.
1.4 “Subprocessor” means a third party engaged by Provider to process Customer or End-User PII on Provider’s behalf.
1.5 “End User” means an individual who uses or accesses Provider’s DNS configuration services or website and whose related data are processed by Provider in the course of delivering the services to Customer and the End User.
1.6 “End-User PII” means personal data relating to End Users that is collected or processed by Provider in connection with the services, including IP addresses, domain-name information, DNS records, DNS query logs, device identifiers, and related metadata.
1.7 “DNS Provider” means a third-party domain-name system infrastructure provider engaged by Customer, Provider, or the End User, and which may have access to the Dashboard as described in Section 2.5.
1.8 “DNS Configuration Data” means the DNS records, routing rules, configuration settings, and domain management instructions that End Users submit to or manage through the Services, including instructions provided directly by End Users via Customer’s or Provider’s interface or integration.
1.9 “Dashboard” means Provider’s web-based interface that displays domain-level activity summaries, DNS configuration status, and performance data relating to each Customer’s domains, and which may be accessible to Customers and, in certain instances, to DNS Providers.
2. Roles and Scope
2.1 Controller/Processor. With respect to DNS Configuration Data, End User is the Controller (as defined under relevant Data Privacy Laws) and determines the purposes and means of processing. Provider is a Processor of DNS Configuration Data and processes such data only on End Users’ instructions (as submitted through the services) and, to the extent applicable, on Customer’s instructions relating to the platform through which End Users interact with the Services. Customer acknowledges that its role with respect to DNS Configuration Data is to make the services available to End Users, and not to determine the purposes or means of processing End Users’ DNS configurations. Customer is the controller with respect to End User billing and administration.
2.2 Provider as independent Controller. Provider is an independent Controller of End-User PII for the following purposes: (a) security logging, fraud detection, and abuse prevention across the Provider’s network and services; (b) compliance with Provider’s legal and regulatory obligations; and (c) generalized product analytics, service benchmarking, and the development of cross-customer insights. Customer is an independent Controller for End User account registration, administration, and billing. Provider’s processing of End-User PII as an independent Controller is governed by Provider’s Privacy Policy and not by the Processor obligations in Section 3 of this DPA. Provider is also the Controller with respect to the Customer’s billing and administration.
2.3 Customer responsibility. Customer represents that it has the right to make the services available to End Users and to cause End-User PII to be processed in connection with the services. Customer is responsible for ensuring that End Users are provided with all notices required by applicable Data Protection Laws regarding Provider’s processing of DNS Configuration Data and End-User PII (including for Provider’s independent Controller purposes under Section 2.2). Customer acknowledges that End Users, as Controllers of their DNS Configuration Data, provide the operative instructions for that processing.
2.4 Dashboard Access and Disclosure. Provider makes the Dashboard available to Customers to view domain-level activity summaries, DNS configuration status, and performance metrics for their domains. DNS Providers may also have access to the Dashboard for domains hosted on their service. Provider shall implement appropriate access controls to ensure that each Customer and any authorized DNS Provider can access only data relating to domains associated with End Users who already signed up for Customer and DNS Provider’s services. Dashboard data constitutes a summary derived from DNS Configuration Data and End-User PII. Provider’s display of such summaries to Customers and DNS Providers is carried out on End Users’ behalf in Provider’s capacity as Processor (with End User as Controller), while Provider’s internal use of the underlying data for the purposes in Section 2.2 remains governed by Provider’s independent Controller basis.
2.5 Controller-to-Controller Obligations. Where Provider processes End-User PII as an independent Controller under Section 2.2, each party acknowledges that it is independently responsible for its own compliance with applicable Data Protection Laws in respect of such processing. Provider shall: (a) process End-User PII only for the purposes specified in Section 2.2 and not in a manner incompatible with those purposes; (b) implement appropriate technical and organizational security measures as set out in Schedule 2; (c) make available to End Users the information required by applicable Data Protection Laws regarding Provider’s independent Controller processing (including through Provider’s Privacy Policy); and (d) cooperate reasonably with Customer in responding to any data subject requests relating to End-User PII that Provider processes as an independent Controller.
3. Provider Obligations
Provider will:
3.1 Process on instructions. Process Customer Data only to provide, secure, and maintain the Services and to provide support.
3.2 Confidentiality. Ensure personnel authorized to process Customer Data are bound by confidentiality obligations.
3.3 Security. Implement appropriate technical and organizational measures to protect Customer Data (Schedule 2).
3.4 Assistance. Provide commercially reasonable assistance to Customer for responding to data subject requests relating to Customer Data, taking into account the nature of processing and the information available to Provider.
3.5 Breach notice. Notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data and provide information reasonably necessary for Customer’s compliance obligations as it becomes available.
4. Subprocessors
4.1 General authorization. Customer provides general authorization for Provider to use Subprocessors. Provider will impose written obligations on Subprocessors that are no less protective than this DPA.
4.2 Updates and objection. Provider will maintain a list of Subprocessors (Schedule 1) and will provide notice of material changes (e.g., by email or in-product notice). If Customer reasonably objects on data protection grounds and the parties cannot resolve the objection, Customer may terminate the affected Services and receive a pro-rated refund of prepaid fees for the terminated portion (if any).
5. International Transfers
If Customer Data is transferred from the EEA/UK/Switzerland to a country without an adequacy decision, the parties will rely on an applicable transfer mechanism such as Standard Contractual Clauses and, where applicable, the UK Addendum. Provider will make the mechanism available upon request.
6. Deletion and Return
Upon termination of the Services, Provider will delete or return Customer or End User Data within a reasonable period, unless retention is required by law or for security and backup purposes. Residual copies may persist in backups for limited periods and will be protected and deleted in accordance with Provider’s backup cycles.
7. Audit
Customer may request information reasonably necessary to demonstrate compliance with this DPA. No more than once per year, Customer may perform an audit on reasonable notice, subject to confidentiality and minimal disruption. Provider may satisfy audit requests by providing standard security documentation and, if available, a current independent security report (e.g., SOC 2).
8. Liability and Precedence
This DPA does not expand any party’s liability beyond the limitations in the Agreement (except where prohibited by law). If there is a conflict between this DPA and the Agreement regarding Customer Data processing, this DPA controls.
Schedule 1 — Subprocessors
Provider may use the following categories of Subprocessors to deliver the Services (actual vendors may vary by region and configuration):
· Cloud hosting and infrastructure providers
· Integration providers (only as enabled by Customer)
· Customer support tooling
· Analytics and performance monitoring providers (configured to minimize personal data)
· Payment processors (for Provider-controlled billing data)
The Provider’s current list of Subprocessors is detailed at https://trust.entri.com
Schedule 2 — Security Measures (Baseline)
· Least privilege access controls and MFA for privileged access
· Encryption in transit (TLS) and encryption at rest for production systems where feasible
· Security logging and monitoring for critical systems
· Vulnerability management and risk-based patching
· Incident response process for investigation and remediation
· Data minimization and tenant segregation controls appropriate to the Services
· Maintain SOC 2 Type II compliance
Schedule 3 — Processing Details
· Subject matter: provision of the Services.
· Duration: term of the Agreement and limited post-termination retention as described in Section 6.
· Nature and purpose: storing, managing, and applying DNS Configuration Data to enable DNS resolution for End Users’ domains; generating and displaying domain activity summaries in the Dashboard for Customer and authorized DNS Providers; transmitting configuration data to DNS Providers as directed by End Users.
· Types of personal data: DNS Configuration Data: DNS records, routing rules, domain settings, and configuration metadata submitted by End Users (processed as Processor on End Users’ behalf). End-User PII (also processed as Processor on End Users’ behalf, with End User as Controller): IP addresses and device identifiers of End Users to the extent included in DNS query logs surfaced in the Dashboard; domain-level activity summaries. Note: Provider also processes End-User PII as an independent Controller for the purposes in Section 2.2; such processing falls outside this Schedule.
· Categories of data subjects: Customer’s authorized users (administrators and technical personnel managing DNS configurations); End Users whose DNS requests generate data surfaced in the Dashboard.