
Where can I find Zenovay's DPA?

The Data Processing Agreement (DPA) is the contract you sign when you process EU personal data through Zenovay. Here's where to find it and how to execute it.


Under GDPR Article 28, any business that uses a processor (like Zenovay) to handle EU personal data must have a Data Processing Agreement (DPA) in place with that processor. We publish a standard DPA that's pre-executed by Zenovay — you read, accept, and we both have a binding contract.

Where the DPA lives

The current DPA is published at zenovay.com/legal/dpa in all six locales (en, de, fr, es, pt-BR, ja). You can read it without signing in.

How to execute it

There are two equivalent ways. Pick whichever your legal team prefers.

Option A — Click-through acceptance

  1. Sign in to app.zenovay.com.
  2. Go to Settings → Legal → Data Processing Agreement.
  3. Read the DPA in your locale.
  4. Click Accept on behalf of [your organisation].
  5. The acceptance is logged with timestamp, IP-hash, your account email, and the DPA version. You can download a PDF of the executed version at any time from the same page.

This is sufficient for most regulators and is the fastest path.

Option B — Countersigned PDF

If your legal team requires a wet/digital signature on a PDF:

  1. Email privacy@zenovay.com with subject "DPA countersigning request".
  2. Include your organisation's legal name, billing address, and the email address of the signatory.
  3. We'll send a pre-signed PDF via DocuSign within 2 working days. Sign and return.

There's no charge for either option.

What's covered

The DPA covers:

  • Subject matter and duration of processing.
  • Nature, purpose, and types of personal data processed.
  • Obligations of Zenovay as processor (security, confidentiality, breach notification).
  • Sub-processor list and your right to object.
  • International transfer mechanisms (Standard Contractual Clauses + EU-US Data Privacy Framework).
  • Audit rights, deletion / return of data on termination.
  • Liability and indemnity terms.

Subprocessors list

Annex III of the DPA lists every subprocessor Zenovay uses. The current list is also on the public /legal/subprocessors page and includes:

  • Cloudflare (hosting, edge compute, R2 object storage)
  • Supabase (Postgres database, auth)
  • Stripe (payment processing)
  • Resend (transactional email)
  • OpenAI (AI insights, via Cloudflare AI Gateway BYOK)

We notify you 30 days before adding a new subprocessor. If you object, you may terminate the contract per the DPA.

EU data residency

As of 2026-04-24, the primary database is in Frankfurt (eu-central-1). The DPA reflects this in the international-transfers clause — for US-based subprocessors (Stripe, Resend, OpenAI), we rely on Standard Contractual Clauses backed by the EU-US Data Privacy Framework certifications.

See Data residency for the full residency map.

Updating the DPA

Material changes to the DPA are versioned. We notify you by email at least 30 days before a new version becomes binding. You can object to changes — the legal options follow standard contract law.

Plan applicability

The standard DPA is available on every plan, including Free. For organisations needing custom DPA addenda (specific industry clauses, BAA-equivalent for healthcare, etc.), Enterprise customers can negotiate additional terms with their account team.
