Skip to main content
Zenovay
Free4 minutesBeginner

Where can I find Zenovay's DPA?

The Data Processing Agreement (DPA) is the contract that governs how Zenovay processes EU personal data on your behalf. Here's where to find it and how it becomes binding.

dpagdprlegalcontractsubprocessors
Last updated:

Under GDPR Article 28, any business that uses a processor (like Zenovay) to handle EU personal data must have a Data Processing Agreement (DPA) in place with that processor. We publish a standard DPA that's pre-signed by Zenovay — you don't have to negotiate or chase a signature.

Where the DPA lives

The current DPA is published at zenovay.com/legal/dpa in all six locales (en, de, fr, es, pt-BR, ja). You can read it in full without signing in.

How it becomes binding

You don't need to click a separate "accept" button or send anything back. The published DPA automatically becomes a binding part of your contract when you enter into the Zenovay agreement — that is, when you accept our Terms of Service on sign-up. From that point, the DPA governs Zenovay's processing of personal data on your behalf.

If your legal team needs a countersigned copy (a wet or digital signature on the document) or a custom addendum, email [email protected] with your organisation's legal name and the signatory's contact details, and we'll arrange it. There's no charge.

What's covered

The DPA covers:

  • Subject matter and duration of processing.
  • Nature, purpose, and types of personal data processed.
  • Obligations of Zenovay as processor (security, confidentiality, breach notification).
  • Sub-processor list and your right to object.
  • International transfer mechanisms (Standard Contractual Clauses + EU-US Data Privacy Framework).
  • Audit rights, deletion / return of data on termination.
  • Liability terms.

Subprocessors list

The DPA lists every subprocessor Zenovay uses. The current list is also on the public /legal/subprocessors page and includes:

  • Cloudflare (hosting, edge compute, R2 object storage)
  • Supabase (Postgres database, auth)
  • Stripe (payment processing)
  • Resend (transactional email)
  • Mapbox (geolocation, 3D globe)
  • OpenAI (AI insights, via Cloudflare AI Gateway)

The /legal/subprocessors page is the authoritative, up-to-date list. We give at least 30 days' written notice before adding a new subprocessor. If you object, you may terminate the contract per the DPA.

EU data residency

As of 2026-04-24, the primary database is in Frankfurt (eu-central-1). The DPA reflects this in the international-transfers clause — for US-based subprocessors, we rely on Standard Contractual Clauses backed by the EU-US Data Privacy Framework certifications.

See Data residency for the full residency map.

Updating the DPA

Material changes to the DPA are versioned. We notify you by email at least 30 days before a new version becomes binding. You can object to changes — the legal options follow standard contract law.

Plan applicability

The standard DPA applies on every plan, including Free. For organisations needing custom DPA addenda (specific industry clauses, BAA-equivalent for healthcare, etc.), Enterprise customers can negotiate additional terms with their account team.

Related articles

  1. Where is my data stored? (Data residency)

    Zenovay's primary data is stored in the EU (Frankfurt, eu-central-1) on Cloudflare and Supabase infrastructure. Here's the full picture, including international transfers.

  2. Consent & privacy metrics: see how your cookie banner performs

    View your own cookie-banner accept/reject/dismiss rate over time, an identified-vs-anonymized split, and a data-provenance audit — fed by one line of code from your banner. Zenovay stays cookieless.

  3. Data Export for Users

    Export personal data and analytics data for GDPR data portability requests and compliance. Learn about the two export paths in this privacy compliance guide.

Was this article helpful?