Understand Zenovay's data sharing practices, sub-processors, and your control over third-party access.
Our Data Sharing Principles
What We Don't Do
Zenovay commits to:
| Practice | Our Policy |
|---|---|
| Sell personal data | Never |
| Share for advertising | Never |
| Cross-site tracking | Never |
| Data broker transfers | Never |
| Unauthorized access | Never |
What We Do
We share data only for:
- Service delivery (hosting, processing)
- Customer support (your request)
- Legal compliance (when required)
Sub-Processors
Current Sub-Processors
| Provider | Purpose | Data Center |
|---|---|---|
| Cloudflare | CDN, DDoS protection | Global |
| AWS | Data storage | EU/US |
| Hetzner | EU data residency | Germany |
| Postmark | Email notifications | US |
| Stripe | Payment processing | US |
Sub-Processor Details
Cloudflare
- Purpose: Script delivery, edge caching
- Data: HTTP requests, IP addresses (transient)
- DPA: Yes
- Privacy: cloudflare.com/privacy
Amazon Web Services (AWS)
- Purpose: Database hosting, file storage
- Data: All analytics data
- DPA: Yes
- Region: eu-west-1 (Ireland) or us-east-1
- Privacy: aws.amazon.com/privacy
Hetzner
- Purpose: EU-only data residency option
- Data: Analytics data (Enterprise EU)
- DPA: Yes
- Region: Germany only
- Privacy: hetzner.com/privacy
Sub-Processor Updates
We notify customers of changes:
- 30 days before new sub-processor
- Email notification to account owners
- Option to object (Enterprise)
Subscribe to updates:
- Go to Settings → Notifications
- Enable Sub-processor Updates
Data Access Control
Who Can Access Your Data
| Role | Access Level |
|---|---|
| Your team | Full (per permissions) |
| Zenovay support | On request only |
| Sub-processors | Technical only |
| Third parties | Never |
Support Access
Zenovay support can only access your data when:
- You explicitly request help
- You grant temporary access
- Investigation of security incident
Enable/disable support access:
- Go to Settings → Security
- Toggle Allow Support Access
- Set expiry if enabled
Audit Logs
View all data access:
- Go to Settings → Audit Log
- Filter by access type
- See who accessed what, when
Data Processing Agreement
DPA Contents
Our DPA covers:
- Subject matter and duration
- Nature and purpose of processing
- Types of personal data
- Data subject categories
- Your rights as controller
- Our obligations as processor
- Sub-processor requirements
- Security measures
- Data breach procedures
- Audit rights
- Data return/deletion
Signing the DPA
- Go to Settings → Legal
- Click Data Processing Agreement
- Review terms
- Sign electronically
- Download signed copy
Standard Contractual Clauses
For international transfers, we use:
- EU Standard Contractual Clauses (2021)
- UK International Data Transfer Agreement
- Swiss Standard Contractual Clauses
Included in our DPA.
No Data Selling
CCPA Compliance
Under CCPA "sale" definition:
- We do not sell personal information
- We do not share for cross-context advertising
- We act as a service provider
Advertising Networks
We never share data with:
- Google Ads
- Facebook Ads
- Any advertising network
- Retargeting services
- Data brokers
Customer Data Isolation
Multi-Tenant Architecture
Your data is isolated:
Zenovay Infrastructure
├── Customer A Data (encrypted, isolated)
├── Customer B Data (encrypted, isolated)
└── Customer C Data (encrypted, isolated)
Each customer's data:
- Encrypted at rest
- Encrypted in transit
- Logically separated
- Access controlled
No Cross-Customer Access
- Customers cannot see each other's data
- Analytics are not combined
- No shared identifiers
Integration Data Sharing
When You Connect Integrations
If you connect third-party services:
| Integration | Data Shared | Purpose |
|---|---|---|
| Slack | Alert messages | Notifications |
| Zapier | Event data | Automation |
| Webhooks | Event payloads | Custom |
You control what's shared:
- Go to Settings → Integrations
- Select integration
- Configure data fields
- Enable/disable sharing
API Access
When you use our API:
- You control data flow
- Your responsibility after export
- We log API access
Compliance Reports
SOC 2 Report
Available to Enterprise customers:
- Type II certification
- Annual renewal
- Security controls verified
Request via Settings → Security → Compliance.
GDPR Compliance
We maintain:
- Records of processing
- DPAs with sub-processors
- Data breach procedures
- Regular security audits
Transparency Report
Annual report includes:
- Government requests received
- Data disclosed (if any)
- Sub-processor changes
- Security incidents
Your Rights
Restrict Sharing
You can:
- Disable support access
- Use EU-only data residency
- Disable integrations
- Export and delete data
Data Portability
Export your data anytime:
- JSON or CSV format
- Full data export
- Machine-readable
See Data Export.
Account Deletion
Delete all data:
- Go to Settings → Account
- Click Delete Account
- All data permanently removed
- No backups retained
Privacy Policy Requirements
Your Disclosure
Include in your privacy policy:
## Third-Party Analytics
We use Zenovay for website analytics. Zenovay:
- Processes visitor data on our behalf
- Does not sell personal data
- Does not share with advertisers
- Uses sub-processors for hosting and delivery
For more information, see Zenovay's privacy policy
at [zenovay.com/privacy](https://zenovay.com/privacy).
Link to Our Policy
Direct users to:
Questions and Contact
Privacy Questions
Contact our DPO:
- Email: support@zenovay.com
- Subject: "Privacy Inquiry"
Data Subject Requests
For visitor requests:
- You handle as the controller
- We assist as the processor
- API available for erasure/export
Security Concerns
Report to:
- Email: support@zenovay.com
- PGP key available
Best Practices
Regular Review
- Check sub-processor list quarterly
- Review integration permissions
- Audit team access
- Update privacy policy
Documentation
Maintain records of:
- DPA signing date
- Sub-processor acknowledgments
- Integration configurations
- Access control settings
Communication
- Inform users of analytics use
- Respond to inquiries promptly
- Update policies when changes occur