Data Processing Agreement
Effective date: January 1, 2025 — Zmanym, Inc.
1. Definitions
In this Data Processing Agreement (“DPA”), the following terms have the meanings set out below:
- Controller means the customer entity that determines the purposes and means of processing Personal Data.
- Processor means Zmanym, Inc., which processes Personal Data on behalf of the Controller.
- Personal Data means any information relating to an identified or identifiable natural person, as defined by applicable data-protection law.
- Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Sub-processor means any third party engaged by the Processor to carry out Processing activities on behalf of the Controller.
- Data Subject means the natural person to whom Personal Data relates.
- Applicable Law means any data-protection or privacy legislation applicable to a party, including (where applicable) the GDPR, UK GDPR, CCPA, and any implementing regulations.
- Security Incident means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Capitalised terms not defined here have the meanings given in the Terms of Service or the Privacy Policy.
2. Scope and Purpose of Processing
This DPA governs the Processing of Personal Data by Zmanym, Inc.(“Processor”) on behalf of customers (“Controllers”) in connection with the Zmanym service accessible at https://app.zmanym.com.
The Processor processes Personal Data only:
- To deliver the Zmanym service as described in the Terms of Service.
- As documented in written instructions from the Controller.
- As required by Applicable Law, in which case the Processor will notify the Controller unless prohibited by law.
Categories of Personal Data processed: names, email addresses, account credentials, payment-related identifiers, usage logs, and any other data the Controller uploads to the service. Controllers should not upload special-category or sensitive data (e.g., health, financial records) without prior written agreement.
Categories of Data Subjects: employees, contractors, or end-users of the Controller.
Duration: Processing continues for the term of the service agreement, plus any retention period required by Applicable Law or agreed in writing.
3. Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required otherwise by Applicable Law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement technical and organisational security measures as described in Section 5.
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests (Section 6).
- Notify the Controller without undue delay upon becoming aware of a Security Incident (Section 7).
- On termination, delete or return all Personal Data to the Controller as directed, unless retention is required by Applicable Law.
- Make available all information reasonably necessary to demonstrate compliance with this DPA, and cooperate with audits conducted by or on behalf of the Controller with reasonable notice.
4. Controller Obligations
The Controller represents and warrants that:
- It has a valid legal basis for collecting and sharing Personal Data with the Processor.
- It has provided all required notices to and obtained all necessary consents from Data Subjects where required by Applicable Law.
- Its instructions to the Processor comply with Applicable Law.
- It will not instruct the Processor to process Personal Data in a manner that would violate Applicable Law.
5. Security Measures
The Processor maintains commercially reasonable technical and organisational security measures appropriate to the risk presented by the Processing, including (as applicable):
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Access controls limiting Personal Data access to authorised personnel on a need-to-know basis.
- Multi-factor authentication for administrative access to production systems.
- Regular security testing, including vulnerability scanning and penetration testing.
- Logging and monitoring of access to production systems containing Personal Data.
- Documented incident-response procedures (see Section 7).
- Regular security training for personnel who handle Personal Data.
Specific security controls are described in the Zmanym Security Overview (where available). The Processor may update security measures over time; material reductions in protection will be communicated to affected Controllers.
6. Sub-processors
The Controller provides general authorisation for the Processor to engage Sub-processors to assist in delivering the Zmanym service. The Processor will:
- Maintain an up-to-date list of Sub-processors and make it available upon request.
- Provide at least 30 days’ advance notice of the addition or replacement of any Sub-processor by updating this page or notifying Controllers via email.
- Impose data-protection obligations on each Sub-processor no less protective than those in this DPA.
- Remain liable to the Controller for the acts and omissions of its Sub-processors.
Current key Sub-processors include (non-exhaustive; update for your deployment):
- Neon, Inc. — managed PostgreSQL database hosting.
- Vercel, Inc. — application hosting and edge network.
- Stripe, Inc. — payment processing (payment data only).
- Resend, Inc. — transactional email delivery.
- Upstash, Inc. — Redis caching and message queuing.
If the Controller objects to a new Sub-processor, it may notify Zmanym, Inc. in writing within 30 days of notice. The parties will work in good faith to resolve the objection; if unresolved, the Controller may terminate the service agreement with a pro-rated refund.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling Data Subject rights requests under Applicable Law (e.g., access, rectification, erasure, portability, restriction of processing) by:
- Providing self-service tools in the Zmanym dashboard to export, correct, or delete account data where technically feasible.
- Forwarding any Data Subject requests received directly by the Processor to the Controller without undue delay.
- Providing reasonable technical assistance to help the Controller respond to requests within applicable statutory deadlines.
The Controller is responsible for determining whether a request is valid and for communicating decisions to Data Subjects. The Processor may charge a reasonable fee for assistance beyond standard self-service tooling.
8. Security Incident Notification
In the event of a Security Incident affecting Personal Data processed under this DPA, the Processor will:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the incident.
- Provide, to the extent known at the time of notification: a description of the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident.
- Keep the Controller informed as additional information becomes available, and cooperate with the Controller’s incident-response process.
Notification by the Processor does not constitute an acknowledgment of fault or liability. The Controller remains responsible for its own regulatory notification obligations (e.g., notifying the supervisory authority within 72 hours under GDPR Article 33).
9. International Data Transfers
Personal Data may be transferred to and processed in countries outside the Controller’s home jurisdiction, including the United States. Where such transfers involve Personal Data of EU/EEA or UK Data Subjects, the Processor will ensure an appropriate transfer mechanism is in place, such as:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
- UK International Data Transfer Agreements (IDTAs) where applicable.
- Any adequacy decision covering the destination country.
The Controller may request a copy of the applicable transfer mechanism by contacting support@zmanym.com.
10. Data Retention and Deletion
Upon termination or expiry of the service agreement, the Processor will, at the Controller’s election:
- Provide the Controller with a machine-readable export of its Personal Data within 30 days of the termination date.
- Securely delete or destroy all Personal Data within 90 days of termination.
The Processor may retain Personal Data beyond these periods only to the extent required by Applicable Law, and will protect such data in accordance with this DPA for as long as it is retained. Anonymised or aggregated data that cannot be attributed to any individual is not Personal Data and may be retained.
11. Audits and Compliance
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon the Controller’s written request (with at least 30 days’ notice), the Processor will allow and contribute to audits conducted by the Controller or its authorised auditor, provided that:
- Audits are conducted during normal business hours with minimum disruption to operations.
- The auditor is bound by appropriate confidentiality obligations.
- The Controller bears all costs of the audit unless the audit reveals a material non-compliance, in which case the Processor bears its own reasonable costs.
The Processor may satisfy audit requirements by providing up-to-date third-party security certifications (e.g., SOC 2 Type II, ISO 27001) in lieu of on-site audits, where applicable.
12. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. Where Applicable Law (e.g., GDPR Article 82) imposes joint and several liability on Controller and Processor, the parties agree to apportion liability between themselves in proportion to their respective responsibility for the damage.
13. Governing Law
This DPA is governed by the laws of Delaware, USA, without regard to conflict-of-law principles, and forms part of the service agreement between Zmanym, Inc. and the Controller. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data-processing matters.
14. Contact and Amendments
For questions about this DPA, data-protection matters, or to exercise rights under Section 7, contact Zmanym, Inc. at support@zmanym.com.
Zmanym, Inc. may update this DPA from time to time. Material changes will be communicated via email or an in-app notice at least 30 days before taking effect. Continued use of the Zmanym service after the effective date constitutes acceptance of the updated DPA.