Data Processing Addendum
Last updated
Draft — pending legal review
This page is a structural placeholder. The clauses below are templates and have not been reviewed by qualified counsel. Do not rely on this document for legal compliance until the review marker is removed.
Parties and scope
This Data Processing Addendum ("DPA") forms part of the agreement between ZygenTrust ("Processor") and the customer ("Controller") for the use of the ZygenTrust API. It applies to the extent that ZygenTrust processes personal data on behalf of the Controller.
This DPA is entered into by accepting our Terms of Service on behalf of an organization that processes personal data subject to GDPR or equivalent regimes.
Definitions
- "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings set out in GDPR Article 4.
- "Subprocessor" means any third party engaged by ZygenTrust to process personal data on behalf of the Controller.
- "Standard Contractual Clauses" means the EU Commission-approved clauses for the international transfer of personal data.
Processing details
- Subject matter: operation of the ZygenTrust API.
- Duration: the term of the underlying service agreement.
- Nature and purpose: domain trust analysis on submitted domains; account and quota management.
- Categories of data subjects: Controller's authorized users; end-users of websites Controller analyzes are not directly identified.
- Categories of personal data: account email, authentication metadata, API key prefixes, request metadata.
Processor obligations
ZygenTrust will:
- Process personal data only on documented Controller instructions.
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Security).
- Assist the Controller in responding to data subject rights requests.
- Make available all information necessary to demonstrate compliance.
- Allow for and contribute to audits with reasonable advance notice.
Subprocessors
The current list of subprocessors is published in the Trust Center. We will provide at least 30 days' notice before adding a new subprocessor; the Controller may object on reasonable grounds within that notice period.
Data subject rights
ZygenTrust will provide reasonable assistance to enable the Controller to respond to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within applicable statutory deadlines.
Security measures
ZygenTrust implements the technical and organizational measures described in our Security architecture document, including:
- Encryption in transit (TLS 1.3 where supported, HSTS enforced)
- Encryption at rest for all customer data
- Hashed API key storage (SHA-256, prefix-indexed)
- SSO with hardware-key MFA for production access
- Least-privilege database access with time-bounded grants
- Audit logging for privileged operations
- Tenant isolation via row-level security
Personal data breach
ZygenTrust will notify the Controller without undue delay (within 72 hours of confirmed awareness) of any personal data breach affecting Controller data, providing all information reasonably required to comply with the Controller's notification obligations.
International transfers
Where personal data is transferred outside the EEA, the United Kingdom, or Switzerland, ZygenTrust relies on the Standard Contractual Clauses or equivalent transfer mechanisms recognized under applicable law.
Term and termination
This DPA remains in effect for the duration of the underlying service agreement. Upon termination, ZygenTrust will delete or return all personal data within 30 days unless legally required to retain it.
To execute a counter-signed copy of this DPA, email legal@zygentrust.com with your organization details.