Data Processing Agreement
GDPR-compliant agreement governing the processing of personal data.
Version 2.0 | Effective: January 1, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zof AI, Inc. ("Processor") and the customer ("Controller") for the processing of personal data under applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Processor to process Personal Data.
2. Scope and Purpose
This DPA applies when Zof AI processes Personal Data on behalf of the Controller in connection with the Services. The purpose of processing includes:
- Providing automated testing and reliability services
- Analyzing software systems for quality assurance
- Generating reports and insights
- Technical support and service improvement
3. Processor Obligations
Zof AI agrees to:
- Process Personal Data only on documented instructions from Controller
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist Controller in responding to Data Subject requests
- Notify Controller of any data breach without undue delay
- Delete or return Personal Data upon termination
- Make available information necessary to demonstrate compliance
4. Security Measures
We implement the following security measures:
Technical Measures
- Encryption at rest and in transit (AES-256, TLS 1.3)
- Multi-factor authentication
- Access logging and monitoring
- Regular vulnerability scanning
Organizational Measures
- Role-based access controls
- Employee security training
- Incident response procedures
- Regular security audits
5. Sub-processors
Controller authorizes Processor to engage Sub-processors. We will:
- Maintain a list of current Sub-processors
- Provide 30 days' notice before engaging new Sub-processors
- Ensure Sub-processors are bound by equivalent data protection obligations
- Remain liable for Sub-processor compliance
See our Subprocessors list.
6. International Transfers
For transfers outside the EEA, we rely on:
- EU-US Data Privacy Framework (for certified companies)
- Standard Contractual Clauses (EU Commission approved)
- Supplementary measures as required
7. Data Subject Rights
We will assist Controller in fulfilling Data Subject rights including access, rectification, erasure, restriction, portability, and objection. Requests should be directed to Controller, who may contact us for assistance.
8. Audit Rights
Controller may audit our compliance with this DPA upon reasonable notice. We will provide access to relevant documentation, systems, and personnel. SOC 2 Type II reports are available upon request.
9. Term and Termination
This DPA remains in effect for the duration of the Services agreement. Upon termination, we will delete or return all Personal Data within 90 days, unless retention is required by law.
Contact
For DPA inquiries, contact our Data Protection Officer at dpo@zof.ai.
Need a signed DPA?
Enterprise customers can request a countersigned DPA for their records.