Data Processing Agreement
GDPR-compliant terms governing how Zof AI processes personal data on your behalf as a data processor.
Version 2.0 | Effective January 1, 2025
Summary of key terms:
- GDPR aligned: Yes
- Standard DPA: Included
- Sub-processor notice: 30 days
- Post-termination deletion: 90 days
This Data Processing Agreement ("DPA") forms part of the agreement between Zof AI, Inc. ("Processor," "we," or "us") and the customer ("Controller," "you") and applies whenever we process Personal Data on your behalf in connection with the Zof platform and related services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
- "Services" means the Zof AI platform, APIs, integrations, and professional services provided under your agreement with us.
2. Scope and purpose
This DPA applies to all Personal Data processed by Zof AI on behalf of Controller for the following purposes:
- Providing automated testing, validation, and reliability services
- Analyzing software systems and workflows for quality assurance
- Generating reports, dashboards, and operational insights
- Delivering technical support, onboarding, and service improvements
Processor will process Personal Data only on documented instructions from Controller, including as set forth in the Services agreement, this DPA, and applicable order forms, unless required by law.
3. Roles and responsibilities
For Personal Data processed under this DPA:
Controller responsibilities
- Ensure a lawful basis exists for Processing and for instructing Processor
- Provide documented instructions that comply with applicable data protection law
- Respond to Data Subject requests unless Processor is required to respond directly
- Ensure Personal Data provided to Processor is accurate and limited to what is necessary
Processor responsibilities
- Process Personal Data only on Controller's documented instructions
- Maintain confidentiality of Personal Data and restrict access on a need-to-know basis
- Implement appropriate technical and organizational measures
- Assist Controller with security, breach, and compliance obligations as described below
4. Processor obligations
Zof AI undertakes the following obligations as a data processor.
- Process Personal Data only on documented instructions from Controller, unless required by law (in which case we will inform Controller unless prohibited)
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures
- Assist Controller in responding to Data Subject requests, DPIAs, and prior consultations where applicable
- Notify Controller without undue delay after becoming aware of a Personal Data breach
- Delete or return Personal Data upon termination of Services, subject to Section 11
- Make available information reasonably necessary to demonstrate compliance with this DPA
5. Security measures
Zof AI implements comprehensive technical and organizational security measures to protect personal data.
Technical measures
- Encryption at rest and in transit (AES-256, TLS 1.2+)
- Multi-factor authentication for administrative access
- Access logging, monitoring, and alerting
- Regular vulnerability scanning and patch management
Organizational measures
- Role-based access controls and least-privilege access
- Security and privacy training for personnel
- Documented incident response and breach notification procedures
- Periodic risk assessments and third-party security audits
Additional detail is available in our Security documentation and, upon request, in our SOC 2 Type II reports.
6. Sub-processors
Zof AI may engage Sub-processors to assist in providing the Services, subject to the requirements set out in this DPA. Processor will:
- Maintain an up-to-date list of Sub-processors used to deliver the Services
- Provide at least 30 days' notice before adding or replacing a Sub-processor, where required by law or contract
- Impose data protection obligations on Sub-processors that are substantially similar to this DPA
- Remain responsible for Sub-processor performance of Processing obligations
See our Subprocessors list.
7. International transfers
When Personal Data is transferred outside the EEA, Zof AI ensures appropriate safeguards are in place, including:
- EU-U.S. Data Privacy Framework certification, where applicable
- Standard Contractual Clauses approved by the European Commission (Module 2 or Module 3, as applicable)
- Supplementary technical and organizational measures where required by regulators or transfer impact assessments
Controller may request copies of applicable transfer mechanisms upon reasonable notice.
8. Data subject rights
Processor will assist Controller in fulfilling Data Subject rights under applicable law, including access, rectification, erasure, restriction, portability, and objection. Data Subjects should submit requests to Controller. Controller may forward requests to Processor at dpo@zof.ai, and Processor will respond within a reasonable timeframe and in accordance with Controller instructions.
9. Data breach notification
Processor will notify Controller without undue delay after confirming a Personal Data breach affecting Controller Personal Data. Notification will include, to the extent known: nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed. Processor will cooperate with Controller's investigation and remediation efforts.
10. Audit rights
Upon reasonable written notice and subject to confidentiality obligations, Controller may audit Processor's compliance with this DPA no more than once per year (unless required by a supervisory authority or following a confirmed breach). Processor may satisfy audit requests through SOC 2 Type II reports, security questionnaires, and documented evidence of controls. On-site audits require mutual scheduling and may be subject to reasonable fees for extensive requests.
11. Term and termination
This DPA remains in effect for the duration of the Services agreement. Upon termination or expiry, Processor will delete or return all Personal Data within 90 days, unless retention is required by law or Controller requests an earlier deletion timeline. Processor may retain copies in encrypted backups until rotation, provided such copies remain subject to this DPA.
Questions about this DPA?
Contact our Data Protection Officer at dpo@zof.ai.
Need a countersigned DPA?
Enterprise customers can request a countersigned Data Processing Agreement for procurement and compliance records.