Data Processing Agreement

A Data Processing Agreement, often called a DPA or Data Processing Addendum, is the contract that defines how a service provider processes personal data on behalf of its customer.

For a platform like Zybots, a DPA is usually needed whenever a customer uses the service to collect, store, analyze, route, or otherwise process personal data through AI assistants, lead forms, chat conversations, support flows, or API-based operations.

A DPA is generally appropriate when the customer decides why personal data is being processed and Zybots provides the infrastructure or product layer that processes that data on the customer's behalf.

In most enterprise deployments, the customer acts as the controller and Zybots acts as the processor. If the customer is itself a processor for another party, Zybots may instead operate as a sub-processor.

The DPA should describe the subject matter, nature, purpose, and duration of the processing, together with the categories of personal data and categories of data subjects that may be involved.

For Zybots, this may include account-level information, workspace contact details, end-user chat messages, technical logs, lead submissions, and customer-provided content used to operate the configured service.

A DPA should make clear that Zybots processes personal data only on documented instructions from the customer, except where applicable law requires otherwise.

The customer remains responsible for the legality of the data it provides, the lawful basis for the processing, the accuracy of the instructions it gives, and the notices or consents it must provide to end users.

Enterprise customers usually expect the DPA to explain that Zybots may use vetted sub-processors for hosting, storage, communications, monitoring, payments, or model execution where required to provide the service.

The DPA should also explain that sub-processors must be bound by comparable confidentiality and data protection obligations, and that customers should receive a way to review or be informed about material sub-processor changes.

A DPA normally includes commitments around confidentiality, technical and organizational security measures, access controls, and how security incidents or personal data breaches will be handled.

Customers may also expect support for reasonable audit requests, security questionnaires, or evidence of controls where proportionate and consistent with the security model of the platform.

If Zybots or its approved providers process personal data outside the EEA, UK, or Switzerland, the DPA should define the transfer mechanism used for those cross-border transfers.

This commonly includes the EU Standard Contractual Clauses, the UK Addendum, Swiss transfer language where relevant, and any supplementary safeguards that may be appropriate for the transfer model.

A DPA typically explains how Zybots assists customers with data subject requests, such as access, deletion, correction, restriction, portability, or objection, to the extent applicable and technically feasible.

It should also define what happens to customer-controlled personal data at the end of the service, including return, deletion, blocking, or retention where continued storage is required by law.

Yes, Zybots should have a DPA if it wants to sell professionally to businesses, especially to EU customers, enterprise teams, or procurement-driven organizations.

Even where the actual enforceable DPA is completed through sales or account acceptance, a public DPA page helps security reviewers, legal teams, and prospective customers understand the baseline processing commitments before contracting.

If your organization needs a signed DPA, contact [email protected] with the legal entity name, contracting details, and any procurement requirements.

If a customer requests additional transfer language, exhibit detail, or security annexes, those should be reviewed against the current Zybots processing model before signature.