Data Processing Agreement

Table of Contents

1. Definitions
2. Scope & Application
3. Controller Obligations
4. Processor Obligations
5. Sub-processors
6. Data Subject Rights
7. Security Measures
8. Data Transfers
9. Data Retention & Deletion
10. Audit Rights
11. Liability
12. How to Execute This DPA
13. Contact

• "Controller" means the entity that determines the purposes and means of the processing of Personal Data and that accesses ZeroSuite services via API or dashboard.
• "Processor" means ZeroSuite, INC., which processes Personal Data on behalf of the Controller.
• "Data Subject" means the identified or identifiable natural person whose Personal Data is processed.
• "Personal Data" has the meaning given in GDPR Article 4(1): any information relating to an identified or identifiable natural person.
• "Processing" has the meaning given in GDPR Article 4(2): any operation performed on Personal Data, whether by automated means or not.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

This DPA applies when the Controller uses any of the following ZeroSuite services that involve processing of Personal Data on the Controller's behalf:

• 0fee.dev: Processes merchant customer payment data, including transaction amounts, payment method references, and billing metadata.
• otpx.dev: Processes end-user phone numbers and email addresses for the purpose of delivering one-time passwords and authentication codes.
• 0seat.dev: Processes end-user support communications, including ticket content, chat messages, and customer metadata.
• 0sql.dev: May process end-user data contained within database queries submitted through the service.

The Controller shall:

• Ensure that a lawful basis exists under GDPR Article 6 for the processing of Personal Data instructed to ZeroSuite.
• Provide appropriate privacy notices to Data Subjects, informing them of the processing and the involvement of ZeroSuite as a Processor.
• Handle Data Subject access requests, rectification requests, and other rights requests, with assistance from ZeroSuite as described in this DPA.
• Not instruct ZeroSuite to process Personal Data in a manner that would violate GDPR or any other applicable data protection legislation.
• Maintain records of processing activities as required by GDPR Article 30.

ZeroSuite, as Processor, shall:

• Documented Instructions: Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law. In such a case, ZeroSuite will inform the Controller of that legal requirement before processing, unless prohibited by law.
• Confidentiality: Ensure that all personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32 (see Section 7).
• Data Subject Rights: Assist the Controller in fulfilling its obligation to respond to requests for exercising Data Subject rights under GDPR Articles 15 through 22.
• Data Protection Impact Assessments: Assist the Controller with data protection impact assessments (DPIAs) and prior consultation with supervisory authorities, where required.
• Deletion or Return: At the choice of the Controller, delete or return all Personal Data upon termination of the service agreement, and delete existing copies unless EU or Member State law requires storage.
• Audit: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

ZeroSuite currently engages the following sub-processors:

Controller consent is required for new sub-processors. ZeroSuite will provide 30 days' written notice before engaging a new sub-processor, giving the Controller the opportunity to object.

If the Controller objects to a new sub-processor on reasonable data protection grounds, ZeroSuite will make commercially reasonable efforts to provide an alternative or allow the Controller to terminate the affected service without penalty.

ZeroSuite will assist the Controller in fulfilling Data Subject requests under GDPR Articles 15 through 22, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Rights related to automated decision-making (Article 22)

Response timeline: ZeroSuite will acknowledge Data Subject requests forwarded by the Controller within 72 hours and provide full resolution within 30 days.

ZeroSuite implements the following technical and organizational measures in accordance with GDPR Article 32:

• Encryption in Transit: TLS 1.3 enforced on all API endpoints and web interfaces.
• Encryption at Rest: AES-256 encryption for all sensitive data stored on disk.
• Password Hashing: bcrypt with per-user salts for all authentication credentials.
• Access Controls: Role-based access control (RBAC) with principle of least privilege for all internal systems.
• Infrastructure: EU-based data centers (Hetzner, Germany and Finland) with physical security, redundant power, and environmental controls.
• Incident Response: Data breach notification to the Controller within 72 hours of becoming aware of a breach, including the nature of the breach, categories of data affected, and remedial measures taken.

ZeroSuite's primary infrastructure is located in the European Union (Hetzner, Germany and Finland). When Personal Data is transferred outside the EEA, ZeroSuite ensures appropriate safeguards are in place:

• United States: Transfers are governed by EU Standard Contractual Clauses (SCCs) incorporated into sub-processor agreements.
• Sub-processor Contracts: All sub-processor agreements include appropriate data transfer mechanisms, including SCCs where required.
• Supplementary Measures: Where required by the guidance of the European Data Protection Board (EDPB), additional technical measures (encryption, pseudonymization) are implemented.

• Upon termination of the service agreement, all Personal Data processed on behalf of the Controller will be deleted within 30 days, unless EU or Member State law requires continued storage.
• The Controller may request early deletion at any time during the term of the agreement.
• Deletion certificates are available upon request to confirm that data has been permanently removed.

Backup data will be deleted within 90 days of the primary data deletion, in accordance with our backup rotation schedule.

• The Controller may conduct one audit per calendar year, subject to 30 days' written notice to ZeroSuite.
• Audits may be conducted by the Controller directly or by an independent third-party auditor appointed by the Controller, provided such auditor is bound by confidentiality obligations.
• As an alternative to on-site audits, ZeroSuite may provide SOC 2 Type II reports or equivalent certifications when available.
• Audit scope is limited to ZeroSuite's processing activities under this DPA and shall not unreasonably interfere with ZeroSuite's business operations.
• The Controller bears the cost of any audit, unless the audit reveals a material breach of this DPA by ZeroSuite.

ZeroSuite shall be liable for damages caused by processing that infringes GDPR or this DPA, in accordance with GDPR Article 82. Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither party's liability for data protection breaches shall be limited in any way that would prevent a Data Subject from recovering compensation under GDPR Article 82.

To receive a signed, executable copy of this Data Processing Agreement:

• Send an email to [email protected] with the subject line: DPA Request — [Your Company Name]
• Include your company name, registered address, and the name of the authorized signatory.
• ZeroSuite will respond with a countersigned DPA within 10 business days.

The DPA becomes effective upon execution by both parties and remains in effect for the duration of the service agreement.

• Legal Inquiries: [email protected]
• Data Protection Officer: [email protected]
• Security Reports: [email protected]