Data Processing Agreement (DPA)
Counter-signed by Zubby AI, Inc. Use the current version as a Controller-to-Processor instrument under GDPR Article 28, UK GDPR, and the Swiss FADP. EU SCCs Module 2 and the UK IDTA are incorporated by reference for cross-border transfers.
Published 2026-05-19
What a Data Processing Agreement does
A Data Processing Agreement is the contract that binds a Processor to the Controller's instructions for processing personal data. Under GDPR Article 28 it is mandatory whenever a Controller delegates processing to a third party. The Zubby DPA is the document that turns the technical claims on this Trust Center into legally enforceable commitments — it is not a marketing artefact; it is what your DPO and your security counsel rely on at procurement.
The Zubby DPA forms part of the underlying Subscription Agreement. It applies automatically whenever a Controller's use of the Service involves processing personal data subject to GDPR, UK GDPR, or the Swiss FADP. We deliver a counter-signed copy within 1 business day of receiving your entity name at legal@zubbyai.com.
Parties and scope
The DPA is entered into between Zubby AI, Inc. (the "Processor") and the merchant customer (the "Controller").
Personal data in scope includes:
- Shopper identifiers — email, IP address, device ID, shopper account ID, browser fingerprint hash.
- Conversation content — transcripts of shopper interactions with the AI agent, AI tool-call audit, attached images and uploaded files.
- Order metadata — redacted order summaries received from Shopify or WooCommerce. Payment card numbers are out of scope.
- Marketing channel data — opt-in flags, message delivery receipts, channel-specific identifiers for email, SMS, WhatsApp, Instagram, FB Messenger, and Telegram.
- Merchant account-holder credentials — usernames, hashed passwords, OAuth tokens, audit logs.
Processing purposes are limited to delivering the Service, abuse prevention, security monitoring, and compliance.
Processor obligations
Zubby acts strictly on the Controller's documented instructions. We commit to:
- Process personal data only as needed to provide the Service.
- Maintain administrative, technical, and physical safeguards described in our Security Overview. Specifically: AES-256-GCM encryption at rest with AAD-bound ciphertexts (
src/lib/secrets.ts), TLS 1.3 in transit, scrypt password hashing, HMAC-SHA256 webhook verification, constant-time secret comparison, SSRF protection on outbound calls, magic-byte upload sniffing, and per-tenantstore_idisolation across the data model. - Notify the Controller of personal-data breaches without undue delay, and within 72 hours of confirmed scope (Article 33).
- Assist with data-subject rights requests (access, rectification, erasure, portability, restriction, objection). The erasure endpoint at
/api/v1/merchant/gdpr/deletefulfils Article 17 in a single fanout transaction. - Return or delete personal data at the end of the contract on Controller request, with written certification of deletion.
- Subject sub-processors to equivalent written terms before sharing data.
- Maintain a record of processing activities and make it available to supervisory authorities on request (Article 30).
Cross-border transfers
Where Zubby transfers personal data outside the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (2021, Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum (IDTA). The relevant SCC modules are deemed incorporated by reference into the DPA — no separate signature is required.
Production data is hosted in EU regions for customers who opt in to EU-only processing. The default region is US-East with a documented Transfer Impact Assessment available on request. The TIA covers US public-sector access risk, supplementary measures (encryption with keys held outside the receiver jurisdiction; AAD-binding to prevent ciphertext re-purposing), and the current status of the EU-US Data Privacy Framework.
Data residency options
Workspace region is chosen at signup. Once set, all production data is pinned to that region and the corresponding sub-processor variants are selected. The data layer that respects the choice includes:
- Postgres + pgvector — primary tenant data, embeddings, audit logs.
- Redis (BullMQ queue) — job state for catalog sync, embeddings, recovery emails, GDPR jobs.
- Object storage — uploaded images and exported reports.
- AI provider routes — OpenAI EU, Anthropic EU, or US variants per workspace setting. Routes are resolved at request time via
runtime-provider.tsagainst the admin control plane. - Observability — Sentry is configured per region.
Available regions: US-East (default), Frankfurt, Dublin (on request), Paris (on request). We will add APAC regions when an Enterprise customer signs for a committed term in the region.
Sub-processors
The current sub-processor list. We notify Controllers in advance of any addition or change, and Controllers may object on reasonable privacy or security grounds.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Compute, managed Postgres + pgvector, S3-compatible storage | US-East (default), Frankfurt (EU opt-in) |
| Cloudflare | Edge proxy, TLS termination, Turnstile bot protection | Global edge; data processing in customer-selected region |
| Upstash | Redis for BullMQ queue, rate limit counters | Matches workspace region |
| OpenAI | LLM and embedding provider (enterprise API, no training) | US-East; OpenAI EU available on opt-in |
| Anthropic | LLM provider (enterprise API, no training) | US-East; EU residency on opt-in |
| Google (Gemini, Vertex AI) | Optional LLM and embedding provider | Configurable per workspace |
| Microsoft Azure OpenAI | Optional LLM provider for Azure-aligned customers | Configurable per workspace |
| Resend | Transactional email delivery (recovery emails, magic links) | US |
| Twilio | SMS, WhatsApp, and voice channel delivery | Per-channel |
| Sentry | Error tracking and performance monitoring (PII scrubbed) | US (Sentry SaaS) or self-hosted |
| Stripe | Zubby billing only (merchants' own payments are out of scope) | US |
The canonical list lives at /trust/sub-processors.
Security and audits
We are currently undergoing SOC 2 Type I audit with an observation window targeting completion in 2026. SOC 2 Type II will follow the standard 6-month observation period. The control set covers security, availability, and confidentiality.
We also commit to:
- Annual third-party penetration testing of the public API and dashboard.
- Quarterly internal access reviews of production systems.
- A right for Controllers (or their independent auditors) to audit our compliance, subject to reasonable notice and confidentiality terms.
- Provision of our SOC 2 readiness letter and the most-recent penetration test summary on request under NDA.
Retention and deletion
- Active service: personal data retained for the durations configured in the DPA Annex (typically 12 months for conversations, 24 months for audit logs).
- End of contract: on Controller request, all personal data is returned (JSON + CSV export) or irreversibly deleted within 30 days, with written certification.
- Backups: 35 days rolling, encrypted, off-region. Erasure requests flag the subject for backup deletion at the next restore drill.
Need a counter-signed DPA?
Email legal@zubbyai.com with your legal entity name and we will deliver a counter-signed copy within 1 business day. EU SCCs, UK IDTA, and a Transfer Impact Assessment are bundled by default for cross-border deployments.