BYOD DPA Addendum — Art. 28 Schedule for DKIM Key Custodianship

Version 2026-05-04-v4Effective: On counsel sign-offLast updated: 4 May 2026
Terminology note. "BYOD" in this addendum means Bring Your Own Domain — the merchant supplies their own domain identity for SES sending. Vantemo uses Amazon SES Easy DKIM, in which AWS generates and holds the DKIM private key and the merchant publishes three CNAME records pointing at AWS-hosted public keys. This is not AWS "BYODKIM" (a separate SES mode in which the customer generates the key locally and uploads the private key to SES). All references to "BYOD" below refer to the domain identity only, never to DKIM key generation.

Purpose

This addendum supplements the Vantemo Data Processing Agreement for merchants who use the Bring Your Own Domain (BYOD) email feature. Under BYOD, the merchant supplies their own domain (e.g. mail.myshop.com) for use as the SES sending identity, rather than receiving a platform-managed subdomain (<slug>.send.vantemo.com).

BYOD changes the DPA relationship in one specific dimension: DKIM private key custodianship. This addendum documents that relationship and its associated obligations.

Background — what BYOD changes

Under the standard (non-BYOD) setup, Vantemo publishes CNAME records in send.vantemo.com (which Vantemo owns) and sets p=reject DMARC on that subdomain. Under BYOD, the merchant publishes those CNAMEs in their own DNS zone, the merchant's existing apex DMARC policy applies, and Vantemo does not set DMARC on BYOD domains.

Key point: Under BYOD, the merchant is responsible for publishing and maintaining the DKIM CNAME records in their own DNS. If they fail to do so (e.g. delete the records), DKIM verification drops and their sending is blocked.

Art. 28 Schedule — BYOD DKIM Key Custodianship

Schedule A — Scope of Processing

  • Subject matter: DKIM key registration and sending via merchant's own domain.
  • Duration: For the lifetime of the BYOD domain registration on the Vantemo platform.
  • Nature of processing: Email sending via AWS SES using DKIM tokens associated with the merchant's domain.
  • Purpose: Transactional and/or marketing email delivery on behalf of the merchant to their customers.
  • Type of personal data: Email addresses of end-customers; email content (body, subject).
  • Categories of data subjects: Merchant's end-customers.

Schedule B — Controller Obligations (Merchant)

The merchant, as data controller, must:

  1. Maintain DNS records. Publish and maintain the three DKIM CNAME records provided by the Vantemo platform in their domain's DNS zone. Failure to maintain these records will cause DKIM verification failure and suspend outbound email for that domain.
  2. Maintain DMARC policy. Vantemo does NOT configure DMARC for BYOD domains. The merchant is responsible for maintaining an appropriate DMARC policy on their domain. Vantemo strongly recommends p=quarantine or p=reject. A p=none policy means unauthorized senders can abuse the merchant's domain without rejection.
  3. Consent management. For any marketing emails sent via BYOD, the merchant must ensure they have obtained valid Art. 6(1)(a) consent from each recipient. Vantemo requires attestation per the main DPA.
  4. Notification on domain change. If the merchant transfers ownership of the BYOD domain to a third party, they must notify Vantemo immediately at [email protected]. The BYOD registration must be removed before the domain changes hands, as the new owner's DNS could intercept future sends. Failure to notify before domain transfer constitutes a breach of the Controller's obligations under DPA Article 3 and may constitute a personal data breach under Article 33 GDPR for which the Controller is solely responsible (e.g. inbound bounce/reply traffic carrying end-customer email addresses being delivered to the new domain owner).
  5. CAN-SPAM Act compliance (US recipients). For commercial electronic mail messages sent via the Services to recipients in the United States, the Controller is the "sender" as defined in 15 U.S.C. § 7702(16) and is solely responsible for compliance with the CAN-SPAM Act, including: (a) accurate header information and a "From" line consistent with the BYOD domain identity (15 U.S.C. § 7704(a)(1)); (b) non-deceptive subject lines (15 U.S.C. § 7704(a)(2)); (c) clear and conspicuous identification of the message as an advertisement, where applicable (15 U.S.C. § 7704(a)(5)(A)(ii)); (d) inclusion of a valid physical postal address of the Controller in every message (15 U.S.C. § 7704(a)(5)(A)(iii)); (e) a clear and conspicuous opt-out mechanism that remains operational for at least 30 days after sending (15 U.S.C. § 7704(a)(3)–(4)); and (f) honoring opt-out requests within 10 business days (15 U.S.C. § 7704(a)(4)(A)). The Processor's role under this Schedule constitutes "initiation" within the meaning of 15 U.S.C. § 7702(9) but does not make the Processor the "sender" of any message. The Controller indemnifies the Processor for CAN-SPAM claims arising from the Controller's failure to meet (a)–(f), subject to the indemnification framework in DPA Article 11.

Schedule C — Processor Obligations (Vantemo)

Vantemo, as data processor, will:

  1. Provide DKIM tokens. On BYOD domain registration, Vantemo will provide the three DKIM CNAME records (via the Vantemo admin dashboard) that the merchant must publish in their DNS zone.
  2. Monitor DKIM status (best-effort, sampled). The platform runs a daily identity-health cron that checks a random sample of up to 20 identities per day across all provisioned shops. On detected degradation, an internal alert is raised for Vantemo's operations team. Vantemo will investigate within 2 business days and notify the merchant if merchant action is required (e.g. DNS record republication). The Controller acknowledges that, depending on the number of active identities on the platform, a given identity may not be sampled every day and should not rely on Vantemo's sampling as a substitute for monitoring their own SES sending metrics. Primary responsibility for monitoring DKIM CNAME publication remains with the Controller per Schedule B(1) above.
  3. Isolation. Per-shop SES Configuration Set and SES Tenant ensure that BYOD domain reputation is isolated from other merchants on the platform.
  4. No DMARC modification. Vantemo will not modify, add, or delete DMARC records in the merchant's DNS zone under any circumstances.
  5. Security of the email sub-processor's signing key. The DKIM private key is held by the email sub-processor identified in DPA Annex B under that sub-processor's own security controls (e.g. SOC 2 Type II / ISO 27001). Vantemo has no access to private keys and cannot export them. If the email sub-processor identified in DPA Annex B changes, Vantemo will notify the Controller in accordance with DPA Article 5.3 before the change takes effect.

Acceptance and incorporation

This addendum is incorporated into the Vantemo DPA by base DPA Article 13.1 (entire-agreement clause), which expressly includes "any supplemental addendums or schedules presented and accepted by the Controller during feature onboarding". Acceptance of the base DPA at signup, combined with the Controller's act of enabling BYOD via the admin dashboard (which surfaces this addendum), constitutes the electronic-form acceptance contemplated by Article 28(9) GDPR:

"The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form."

Survival

The survival provisions of DPA Article 12.3 apply to this Schedule mutatis mutandis — in particular, Schedule C(4) (no DMARC modification) and Schedule C(5) (no DKIM private-key access or export) survive termination of the BYOD relationship for as long as the merchant's domain remains in operation, since post-termination misuse of the merchant's DNS zone by Vantemo would be unlawful processing under Article 6(1) GDPR.