Data Processing Agreement
Last updated: July 2026
This Data Processing Agreement ("DPA") forms part of the ZettaSend Terms of Service and applies to Team plan customers who act as data controllers in respect of personal data processed through ZettaSend's audit logging and workspace management features.
1. Parties
This DPA is entered into between:
- Customer (Data Controller) — the Team plan subscriber who determines the purposes and means of processing personal data through the Services.
- Daniel Zemen, Sole Entrepreneur (Data Processor) — the provider of ZettaSend Services who processes personal data on behalf of the Customer in accordance with the Terms of Service.
2. Scope and Purpose
The Data Processor processes the following categories of personal data on behalf of the Customer:
- Account data — email addresses of workspace members and invited users.
- P2P session data — IP addresses of session creators and joiners and public cryptographic keys. IP addresses are only stored when at least one peer in the transfer has audit logging enabled. Without audit logging, IP addresses are only relayed between peers as part of the peer discovery protocol and are not persisted.
- Audit log data — transfer envelopes containing sender/receiver user IDs, workspace IDs, file counts, byte counts, transfer status, timestamps, and cryptographic signatures.
- File manifest data — CSV files containing file names, paths, and sizes, stored in Cloudflare R2.
The processing purposes are limited to providing the ZettaSend Services as described in the Terms of Service, including P2P file transfer coordination, audit logging, workspace management, and billing administration.
The duration of processing is determined by the Customer's subscription duration and the configured audit log retention period (90–3,650 days).
3. Processor Obligations
The Data Processor shall:
- Process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country (GDPR Art. 28(3)(a)).
- Not process personal data for any purpose other than providing the Services.
- Ensure that persons authorized to process personal data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments.
- Assist the Customer in responding to requests from data subjects exercising their rights under GDPR Articles 15–22.
- Assist the Customer in meeting its obligations under GDPR Articles 32–36 (security, breach notification, DPIA).
- Delete or return all personal data after the end of the provision of services, and delete existing copies, unless EU or Hungarian law requires storage.
- Make available to the Customer all information necessary to demonstrate compliance with GDPR Article 28.
4. Sub-Processors
The Data Processor engages the following sub-processors to provide the Services. All sub-processors are located within the EU/EEA:
- Stripe — payment processing (email address, billing details). Stripe's DPA is available at stripe.com/legal/dpa.
- Cloudflare — CDN, DNS, R2 object storage (IP addresses, file manifests, workspace logos). Cloudflare's DPA is available at cloudflare.com/gdpr.
- Amazon Web Services (SES) — email delivery (email addresses, email content). AWS's DPA is available at aws.amazon.com/compliance/gdpr.
The Data Processor has entered into written agreements with each sub-processor imposing data protection obligations equivalent to those set out in this DPA.
The Data Processor shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object thereto.
5. International Data Transfers
All personal data is processed and stored exclusively within the European Union. No personal data is transferred to any third country outside the EU/EEA. Accordingly, no Standard Contractual Clauses (SCCs) or other transfer safeguards are required.
Specifically:
- Web servers and PostgreSQL database — EU-hosted.
- Cloudflare R2 — EU data residency.
- AWS SES — EU (Frankfurt) region.
6. Data Subject Rights
The Data Processor shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligations to respond to requests from data subjects exercising their rights under GDPR Articles 15–22.
If a Data Processor receives a request directly from a data subject, it shall promptly forward the request to the Customer and not respond to the data subject directly.
7. Personal Data Breach
In the event of a personal data breach, the Data Processor shall:
- Notify the Customer without undue delay and in any event within 48 hours of becoming aware of the breach.
- Provide the Customer with sufficient information to allow the Customer to meet its obligations under GDPR Article 33 (notification to the supervisory authority within 72 hours).
- Cooperate with the Customer in notifying the supervisory authority and affected data subjects where required.
- Take reasonable steps to mitigate and remediate the breach.
8. Data Deletion on Termination
Upon termination of the Services, the Data Processor shall:
- Delete all personal data processed on behalf of the Customer, including audit logs, file manifests, P2P session data, and workspace configuration.
- Complete deletion within 30 days of termination, unless EU or Hungarian law requires longer retention.
- Provide the Customer, upon request, with written confirmation of deletion.
9. Audit Rights
The Customer has the right to audit the Data Processor's compliance with this DPA, subject to:
- Providing at least 30 days' written notice.
- Conducting the audit during normal business hours.
- Not unreasonably disrupting the Data Processor's business operations.
- Alternatively, the Customer may request a written summary of the Data Processor's most recent security assessment or compliance certification.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Hungary. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the Hungarian courts.
11. Contact
Daniel Zemen
Sole Entrepreneur
Email: [email protected]