Back to Legal Documents

Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the agreement between ZENZAI ("Processor") and the Customer ("Controller") governing the use of the ZENZAI platform and related services (the "Services").

This DPA applies where ZENZAI processes Personal Data on behalf of the Customer in the course of providing the Services.

1. Definitions

For purposes of this DPA:

  • "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA/CPRA, and any other applicable data protection laws.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" has the meaning set forth in Article 4 of the GDPR.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.

2. Roles of the Parties

The parties acknowledge that:

  • The Customer acts as the Data Controller
  • ZENZAI acts as the Data Processor
  • ZENZAI processes Personal Data solely on documented instructions from the Customer

3. Scope and Purpose of Processing

ZENZAI processes Personal Data only for the purpose of providing the Services, including:

  • AI-powered sales, support, and operations automation
  • Message processing, routing, and analytics
  • Hosting, storage, and infrastructure services
  • Customer support and technical troubleshooting

4. Categories of Data Subjects and Personal Data

4.1 Data Subjects

  • Customer's end users
  • Website visitors and leads
  • Employees, contractors, or agents of the Customer

4.2 Categories of Personal Data

  • Identifiers (name, email address, phone number)
  • Message content and conversation data
  • Metadata (timestamps, IP address, device information)
  • Business-related data submitted by Customer

5. Processor Obligations

ZENZAI shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to protect Personal Data
  • Assist the Controller in fulfilling Data Subject rights requests
  • Notify the Controller without undue delay after becoming aware of a Personal Data breach
  • Delete or return Personal Data upon termination of the Services, unless retention is required by law

6. Subprocessors

The Controller authorizes ZENZAI to engage subprocessors to support delivery of the Services.

ZENZAI shall:

  • Maintain a list of subprocessors upon request
  • Ensure subprocessors are bound by data protection obligations equivalent to this DPA
  • Remain responsible for the acts and omissions of subprocessors

7. International Data Transfers

Where Personal Data is transferred outside the EU/EEA or UK, ZENZAI shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)
  • Other lawful transfer mechanisms recognized under Applicable Data Protection Law

8. Security Measures

ZENZAI implements reasonable technical and organizational measures, including:

  • Access controls and authentication
  • Encryption in transit and at rest where applicable
  • Logging and monitoring
  • Incident response and breach management procedures

9. Audit and Compliance

Upon reasonable request, ZENZAI shall make available information necessary to demonstrate compliance with this DPA.

Audits may be conducted subject to reasonable notice, scope limitations, and confidentiality obligations.

10. Assistance with Compliance

ZENZAI shall reasonably assist the Controller with:

  • Data Protection Impact Assessments (DPIAs)
  • Regulatory inquiries
  • Data Subject requests
  • Security and breach notifications

11. Term and Termination

This DPA remains in effect for the duration of the Services.

Upon termination, ZENZAI shall delete or return Personal Data at the Controller's choice, unless retention is legally required.

12. CCPA / CPRA Compliance

ZENZAI acts as a "Service Provider" and "Processor" under CCPA/CPRA and shall:

  • Not sell or share Personal Data
  • Process Personal Data solely for business purposes specified by the Customer
  • Not retain, use, or disclose Personal Data outside the scope of the Services

13. Order of Precedence

In the event of conflict, this DPA shall prevail over the Terms of Service with respect to data protection matters.

14. Governing Law

This DPA shall be governed by the law specified in the main agreement between the parties.