ZappService
Home Tools Articles Pricing
Login Start Free

Data Processing Agreement (DPA)

Last updated: January 20, 2025

Annex 1 to ZappService Terms of Service

Version: 1.0 Effective Date: January 20, 2025

INTRODUCTION

This Data Processing Agreement (hereinafter "DPA" or "Annex 1") applies to the processing of personal data by NevergetOld, Lda. (hereinafter "ZappService" or "Processor") on behalf of the Customer when using ZappService services.

When the Agreement between ZappService and Customer involves processing of personal data by ZappService on behalf of and for the purposes of Customer, ZappService acts as a "Processor" and Customer acts as a "Controller" as defined in the EU General Data Protection Regulation (GDPR) 2016/679 and Portuguese Law no. 58/2019 (Portuguese GDPR implementation).

This DPA is an integral part of the service agreement and supersedes any conflicting provisions in previous agreements or communications.

1. DEFINITIONS

The following definitions apply to this DPA:

Controller (Customer): The legal entity that determines the purposes and means of processing personal data. The Customer is the Controller of personal data entered into or generated through use of the Service.

Processor (ZappService): NevergetOld, Lda. (Tax ID: 510372945), which processes personal data on behalf of and according to the instructions of the Controller.

Data Subject: A natural person to whom personal data relates.

Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).

Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Personal Data Breach: A confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Sub-processor: Any entity engaged by the Processor to process personal data on behalf of the Controller, including subcontractors and service providers.

Data Transfer: Transfer of personal data outside the European Union/European Economic Area.

2. SCOPE AND APPLICATION

2.1 Applicability

This DPA applies to:

  • All processing of personal data by ZappService as a Processor on behalf of Customer
  • The provision of ZappService software and services to Customer
  • All End Users accessing the platform through Customer's account
  • Data entered by Customer, generated through use of the Service, or collected on Customer's behalf

2.2 GDPR Compliance

This DPA is issued pursuant to GDPR Articles 28-32 and Portuguese Law no. 58/2019 and incorporates the standard contractual clauses required for lawful data processing.

2.3 Relationship to Main Agreement

This DPA shall be read in conjunction with:

  • The main Service Agreement
  • ZappService Terms of Service
  • ZappService Privacy Policy
  • ZappService Fair Use Policy

In the event of conflict, the most protective provisions for personal data shall apply.

3. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS

3.1 Categories of Personal Data

ZappService processes the following categories of personal data on behalf of Customer:

A. Identification and Contact Information

  • Names (first, last, display names)
  • Email addresses
  • Physical addresses
  • Telephone numbers
  • User IDs and usernames
  • Login credentials (stored securely with hashing)

B. Professional Information

  • Job titles and positions
  • Company/organization information
  • Department and team affiliations

C. Technical Information

  • IP addresses
  • Device information (type, operating system, browser)
  • Session identifiers and cookies
  • User activity logs
  • Keyboard language and regional settings

D. Activity and Behavioral Data

  • Login and logout timestamps
  • Features accessed and navigation patterns
  • Time spent on activities
  • Search queries and filters applied

E. Communication Data

  • Content of support tickets
  • Chat messages and support communications
  • Feedback and suggestions
  • Comments and notes entered in system

F. Transactional Data

  • Subscription and billing information
  • Invoice records (processed through payment processors)

G. Location Data (When Permitted)

  • Geographic location coordinates during active timers (if enabled by user)
  • Approximate location based on IP address

H. Camera and Media Data (Mobile App)

  • Photos taken through mobile app
  • Metadata associated with photos (date, time, location if permitted)

3.2 Categories of Data Subjects

Personal data processed relates to the following categories of individuals:

  • End Users: Employees, contractors, or agents of Customer authorized to use the Service
  • Customer Contacts: Employees, managers, or authorized representatives of Customer
  • Customer Clients: Individual customers or contacts of Customer included in the system
  • Suppliers: Third parties with whom Customer does business

3.3 Special Categories of Data

Important: Customer warrants that it shall not enter Special Categories of Personal Data (sensitive data such as health data, racial origin, religious beliefs, etc.) into the Service without explicit prior written consent from ZappService and the Data Subject.

If Special Categories are processed, Customer confirms that:

  • All necessary consents have been obtained from Data Subjects
  • Legal basis for processing exists under GDPR Article 9
  • Additional safeguards per this DPA shall apply

ZappService shall not be liable for any violations relating to Special Categories of data entered by Customer.

4. PURPOSE OF PROCESSING

4.1 Scope of Processing

ZappService processes personal data exclusively to:

  1. Deliver the Service - Providing software functionality and features according to the Agreement
  2. Service Administration - Managing Customer's account, subscriptions, and access
  3. Technical Support - Providing customer support and resolving technical issues
  4. Security and Fraud Prevention - Detecting and preventing unauthorized access, fraud, and security threats
  5. Service Improvement - Analyzing usage patterns (using anonymized data)
  6. Legal Compliance - Complying with legal obligations and responding to lawful authority requests
  7. Billing and Payment - Processing subscriptions, invoices, and payments

4.2 Limitations on Processing

ZappService shall NOT process personal data for:

  • Marketing or advertising purposes (without separate explicit consent)
  • Profiling or automated decision-making affecting Data Subjects (unless instructed by Customer)
  • Sale or commercial exchange with third parties
  • Secondary purposes not agreed upon in writing

4.3 Processing on Customer Instructions

Fundamental Principle: ZappService processes personal data only on documented, written instructions from Customer.

Customer's written instructions include:

  • Creation and configuration of Customer's account
  • Setup of End User accounts and permissions
  • Functional use of the Service features
  • Configuration of data retention policies
  • Deletion of personal data upon request
  • Export of personal data

Any processing beyond these standard instructions requires written amendment to this DPA.

5. PROCESSOR OBLIGATIONS

5.1 Confidentiality Obligations

A. Confidentiality Requirements

Persons with access to Customer's personal data (founder and occasional contractors) are subject to:

  • Written confidentiality agreements or clauses in employment/service contracts
  • Legally binding confidentiality obligations extending beyond termination
  • Training on data protection and confidentiality requirements

B. Authorized Personnel

Only ZappService personnel with legitimate need to access personal data shall have access:

  • Service delivery and support team (founder)
  • Occasional contractors (with confidentiality agreements)
  • System administrators (with restricted access controls)
  • Authorized third parties (Sub-processors with data processing agreements)

5.2 Security Measures

ZappService shall implement and maintain appropriate technical and organizational security measures, taking into account:

  • The state of the art in information security
  • The costs of implementation
  • The nature of the personal data
  • The risks presented by processing
  • The likelihood and severity of potential harm

A. Technical Security Measures

Encryption:

  • TLS 1.3 encryption for data in transit (HTTPS)
  • MySQL database encryption for sensitive data at rest
  • Encrypted database connections
  • Secure key management with restricted access

Authentication and Access Control:

  • Two-factor authentication (2FA) available for all users
  • Role-based access control (RBAC) with principle of least privilege
  • Strong password requirements
  • Session management with automatic timeout (default 30 minutes)
  • Logging of all administrative access

Network Security:

  • OVH firewall and intrusion protection
  • DDoS protection through OVH and Cloudflare
  • Regular vulnerability scans
  • Security updates and patch management

Data Security:

  • Automated backups with tested restore procedures
  • Encrypted backups stored separately from production
  • Secure data disposal per security standards

Application Security:

  • Secure development practices
  • Input validation and output encoding (prevents injection attacks)
  • Security headers (CSP, X-Frame-Options, etc.)
  • Regular security updates and patch management
  • API authentication and rate limiting

B. Organizational Security Measures

Personnel Security:

  • Confidentiality agreements for all with data access
  • Data protection and security training
  • Least privilege access principle

Incident Management:

  • Security incident response procedures
  • Breach notification within 72 hours
  • Incident investigation and documentation

Vendor Management:

  • Data processing agreements with sub-processors
  • Vendor security assessments
  • Breach notification requirements

C. Infrastructure and Location

Hosting:

  • VPS server hosted by OVH in France (European Union)
  • EU-certified data center infrastructure
  • All data remains within the European Union
  • No transfers to third countries without adequate safeguards

CDN and Storage:

  • Cloudflare CDN for content delivery (with EU data centers)
  • Cloudflare R2 for file storage (EU region)
  • End-to-end encryption for stored files

5.3 Assistance with Data Subject Rights

A. Data Subject Rights

ZappService shall assist Customer in responding to Data Subject requests for:

  • Right of Access (Article 15): Provide copies of personal data
  • Right to Rectification (Article 16): Correct inaccurate data
  • Right to Erasure (Article 17): Delete personal data in certain circumstances
  • Right to Restrict Processing (Article 18): Limit processing activities
  • Right to Data Portability (Article 20): Provide data in machine-readable format
  • Right to Object (Article 21): Cease processing for specific purposes
  • Right to Withdraw Consent (Article 7): Discontinue processing
  • Rights related to Automated Decision-Making (Article 22): Obtain human review

B. Assistance Procedures

When Customer receives a Data Subject request:

  1. Customer Forwards: Customer sends request to hello@zappservice.com
  2. ZappService Responds: Within 5 business days with relevant data or export tools
  3. Customer Executes: Customer uses self-service tools or provided data to respond to Data Subject
  4. Timeline: Assistance provided within legal 30-day deadline

Self-Service Tools Available:

  • Data export in JSON/CSV format
  • Data deletion through admin panel
  • Data rectification through edit interfaces
  • Consent management through account settings

5.4 Personal Data Breach Notification

A. Notification Obligation

In case of a Personal Data Breach, ZappService will:

Immediate Notification:

  • Notify Customer without undue delay
  • Maximum deadline: 72 hours after becoming aware of the breach
  • Method: Email to Customer's primary contact + dashboard notification

B. Information Provided

The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of data records affected
  • Name and contact details of the contact point for more information
  • Description of the likely consequences of the breach
  • Description of measures taken or proposed to address the breach
  • Measures to mitigate possible adverse effects

C. Investigation and Remediation

ZappService will:

  • Investigate the root cause of the breach
  • Take immediate action to contain the breach
  • Document the incident and corrective actions
  • Cooperate with regulatory authorities if required
  • Implement measures to prevent future breaches

5.5 Sub-processors

A. Sub-processor Authorization

Customer grants ZappService authorization to engage sub-processors for:

  • Cloud infrastructure and hosting (OVH France)
  • Payment processing (Stripe)
  • Email and communication services (AWS SES, Postmark)
  • AI and voice processing services (Mistral AI, OpenRouter)
  • Analytics and monitoring (Umami, Sentry)
  • CDN and file storage (Cloudflare)

B. Current Sub-processors

See the Subprocessor Registry page (/subprocessors) for current list of sub-processors with:

  • Sub-processor name and location
  • Description of processing activities
  • Data categories involved
  • International transfer mechanisms (if applicable)

C. Sub-processor Changes

Notification Procedure:

For any change to sub-processors (addition or replacement):

  1. 30-Day Notice: ZappService shall provide written notice at least 30 days before any change takes effect
  2. Notice Method: Email to primary contact and/or in-dashboard notification
  3. Notice Content: Sub-processor details, processing description, and data categories
  4. Customer Objection Rights: See section 5.5(D) below

D. Customer Objection Rights

Objection Process:

If Customer objects to a new sub-processor:

  1. Submit written objection within 30 days of notification
  2. Provide reasonable grounds for objection related to data protection
  3. ZappService and Customer shall review documentation and seek alternative

Resolution:

  • If objection is sustained: ZappService shall not engage sub-processor or find alternative
  • If objection cannot be sustained: Customer may terminate the affected Service
  • Termination does not constitute breach
  • No penalties for objection-based termination

5.6 Cooperation with Authorities

A. Authority Requests

If ZappService receives requests from government authorities, law enforcement, or regulatory bodies for Customer's personal data:

B. Handling Procedures

ZappService shall:

  • Verify legitimacy: Confirm request is lawful (court order, warrant, etc.)
  • Assess legality: Determine if request complies with applicable law
  • Notify Customer: Inform Customer of request unless legally prohibited
  • Request delay: Request delay from authority if legally permissible to allow Customer to seek judicial review
  • Provide transparency: Inform Customer of information disclosed
  • Minimize disclosure: Disclose only data legally required

C. Prohibited Disclosures

ZappService shall NOT disclose personal data to authorities unless:

  • Required by law (e.g., court order, subpoena, warrant)
  • Emergency circumstances threatening human safety
  • Instructed by Customer to disclose

6. CONTROLLER OBLIGATIONS (CUSTOMER)

6.1 Lawful Instructions

Customer warrants that:

  • All instructions to ZappService are lawful
  • Customer has legal basis for all data processing
  • Customer has obtained all necessary consents from Data Subjects
  • Processing complies with GDPR and national data protection laws

6.2 Special Categories of Data

Customer shall NOT input Special Categories of Personal Data without:

  • Prior written consent from ZappService
  • Documentation of legal basis for processing
  • Implementation of additional safeguards

6.3 Data Subject Rights

Customer is responsible for:

  • Responding to Data Subject requests within legal timelines
  • Providing privacy information to Data Subjects
  • Managing consents and Data Subject preferences
  • Notifying Data Subjects in case of breach (when required by law)

7. DATA LOCATION AND INTERNATIONAL TRANSFERS

7.1 Data Location

Processing within the EU:

  • All data is processed and stored within the European Union
  • Primary server: OVH France (Paris or Gravelines)
  • Backups: OVH EU locations
  • Database: MySQL hosted on same VPS server in France
  • CDN: Cloudflare with EU data centers
  • File Storage: Cloudflare R2 EU region

No Transfers to Third Countries:

  • No personal data is transferred outside the EU/EEA
  • All sub-processors process data within the EU or with adequate safeguards
  • Stripe and other payment processors use EU operations

7.2 Transfer Exceptions

If future transfers outside the EU/EEA become necessary:

  • 60-day notice to Customer
  • Implementation of EU Standard Contractual Clauses (SCCs)
  • Transfer Impact Assessment per Schrems II decision
  • Customer's right to object or terminate

8. TERM AND TERMINATION

8.1 Duration

This DPA remains in effect for as long as ZappService processes Customer's personal data.

8.2 Data Deletion or Return

Upon termination of the Service Agreement:

Export Period (30 days):

  • Customer has 30 days to export all data
  • Self-service export through admin dashboard
  • Assistance available upon request

Automatic Deletion (after 90 days):

  • All Customer personal data is permanently deleted after 90 days from termination
  • Secure deletion using data overwriting
  • Deletion certificate available upon request

Exceptions:

Data may be retained beyond 90 days only if:

  • Required by law (e.g., tax obligations - 10 years)
  • Necessary to establish, exercise or defend legal rights
  • Customer requested extended retention in writing

Confirmation:

  • ZappService will provide written confirmation of deletion
  • Including deletion date and method used
  • Within 7 days after deletion completion

9. AUDITS AND INSPECTIONS

9.1 Customer Audit Rights

Customer has the right to audit ZappService's compliance with this DPA:

Frequency:

  • Once per year at ZappService's cost
  • Additional audits at Customer's cost (with reasonable cause)

Advance Notice:

  • 4 weeks prior notice
  • Mutually agreed date and time
  • Third-party auditor (mutually agreed) or Customer's team

Scope:

  • Review of security measures
  • Review of sub-processor agreements
  • Review of data processing records
  • Interviews with personnel (founder/contractors)

9.2 Existing Certifications

Current Certifications:

  • No formal certifications (ISO 27001, SOC 2) at this time
  • Industry-standard security practices implemented
  • Security audits available upon request

Planned Certifications:

  • ISO 27001 within 24-36 months (as company grows)

9.3 Audit Cost Allocation

ZappService Bears Costs:

  • Routine compliance audits (once annually)
  • Pre-planned audits with 4-week notice
  • Audits using existing certifications/reports

Customer Bears Costs:

  • Additional audits beyond standard frequency
  • Expedited audits with <4 week notice
  • Specialized or forensic audits
  • Estimated cost: upon quote + travel expenses

9.4 ZappService Assistance

During audits, ZappService will provide:

  • Access to relevant documentation
  • Access to facilities (remote VPS server)
  • Reasonable cooperation and assistance
  • Answers to questions within reasonable timelines

10. LIABILITY AND INDEMNIFICATION

10.1 Limitation of Liability

Each party shall be liable to the other for damages resulting from breach of this DPA as set forth in the main Service Agreement.

ZappService's liability is limited as defined in the Terms of Service.

10.2 Indemnification

A. ZappService Indemnification

ZappService shall indemnify Customer for damages resulting from:

  • Breach of ZappService obligations under this DPA
  • Unauthorized processing of personal data
  • Security breach caused by ZappService negligence
  • Non-compliance with documented Customer instructions

B. Customer Indemnification

Customer shall indemnify ZappService for damages resulting from:

  • Unlawful instructions provided by Customer
  • Input of Special Categories of data without authorization
  • Breach of Data Subject rights by Customer
  • Non-compliance with Customer obligations under this DPA

10.3 Cooperation

Both parties shall cooperate in good faith to:

  • Mitigate damages in case of breach
  • Respond to regulatory authority requests
  • Defend against third-party claims
  • Resolve disputes amicably

11. GENERAL PROVISIONS

11.1 Governing Law

This DPA is governed by Portuguese law and GDPR.

Any disputes shall be resolved according to Portuguese jurisdiction.

11.2 Supervisory Authority

The competent supervisory authority is the Portuguese Data Protection Authority (CNPD).

  • Website: https://www.cnpd.pt
  • Email: geral@cnpd.pt
  • Citizen Support Line: +351 213 928 400

11.3 Changes to This DPA

ZappService may update this DPA to:

  • Reflect changes in law
  • Reflect changes in business practices
  • Improve clarity and transparency

Change Notification:

  • 30-day notice via email and dashboard
  • Significant changes require Customer acceptance
  • Customer may terminate if disagreeing with significant changes

11.4 Order of Precedence

In case of conflict between documents:

  1. This DPA
  2. Main Service Agreement
  3. Terms of Service
  4. Privacy Policy

11.5 Severability

If any provision of this DPA is found invalid, the remaining provisions remain in full force.

11.6 Language

This DPA is available in Portuguese and English. In case of conflict, the Portuguese version prevails for customers subject to Portuguese law.

12. CONTACT

For questions related to this DPA or data protection:

ZappService (NevergetOld, Lda.)

  • Data Protection Email: hello@zappservice.com
  • Address: Torres Vedras, Portugal
  • Tax ID: 510372945

Data Protection Officer (DPO):

  • Currently not required by law (company with fewer than 250 employees)
  • Contact: hello@zappservice.com

Supervisory Authority:

  • Portuguese Data Protection Authority (CNPD)
  • Website: https://www.cnpd.pt
  • Support Line: +351 213 928 400

Document Version: 1.0 Effective Date: January 20, 2025 Next Review: July 20, 2025

This document constitutes a binding annex to the ZappService Terms of Service and is an integral part of the agreement between ZappService and the Customer.