Data Processing Agreement

Last Updated: June 28, 2026

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between Zone OS CRM, LLC ("Processor", "Zone OS", "we") and the subscribing business entity ("Controller", "Customer", "you") that has accepted the Agreement.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Security Incident" means any confirmed unauthorized access to, or unauthorized acquisition, disclosure, or use of Personal Data.

2. Scope & Roles

The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data solely on behalf of and pursuant to the documented instructions of the Controller, as defined by the functionality of the Service and this DPA. This DPA applies to all Personal Data processed by the Processor in the course of providing the Service, including:

  • Customer contact records, booking/rental data, and communications
  • Employee records, payroll data, time logs, and tax identifiers (SSN/EIN)
  • Digital signature attribution data and audit trail records
  • Financial transaction records processed via Stripe Treasury

3. Controller Obligations

The Controller warrants that:

  1. It has obtained all necessary consents and legal bases for providing Personal Data to the Processor.
  2. It will comply with all applicable data protection laws in its jurisdiction, including the NJDPA, CCPA/CPRA, GDPR, and any sovereign data protection acts.
  3. Its instructions to the Processor will comply with applicable law. The Processor is not responsible for determining whether the Controller's instructions are lawful.
  4. It will respond to Data Subject requests from its own customers and employees using the tools and data exports provided by the platform.

4. Processor Obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, except where required by applicable law.
  2. Ensure that persons authorized to process Personal Data are subject to contractual confidentiality obligations.
  3. Implement and maintain appropriate technical and organizational security measures as described in Section 6.
  4. Not engage a Sub-Processor without meeting the requirements of Section 5.
  5. Assist the Controller in responding to Data Subject requests, to the extent technically feasible and as required by applicable law.
  6. Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations under applicable law.
  7. At the Controller's election, delete or return all Personal Data upon termination of the Service, subject to mandatory legal retention holds (see Section 9).
  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA.

5. Sub-Processors

The Controller provides general authorization for the Processor to engage Sub-Processors. The current list of Sub-Processors is:

| Sub-Processor                   | Purpose                                                                                  | Location                |
|---------------------------------|------------------------------------------------------------------------------------------|-------------------------|
| Stripe, Inc.                    | Payment processing, Treasury (payroll), identity verification                            | United States           |
| Google Cloud Platform (Firebase) | Application hosting, Firestore database, authentication, Cloud Functions, file storage   | United States (us-east1) |
| Google Cloud SQL                | PostgreSQL accounting ledger                                                             | United States           |
| Twilio                          | SMS messaging and communications                                                         | United States           |
| PayPal                          | Alternative payment processing                                                            | United States           |
| Google Workspace                | Email integration and OAuth                                                              | United States           |

The Processor will notify the Controller of any intended changes to Sub-Processors at least 30 days prior to engagement. The Controller may object to a new Sub-Processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the affected Service without penalty.

The Processor ensures that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA.

6. Security Measures

The Processor implements and maintains the following technical and organizational measures:

  • Encryption: All data encrypted in transit (TLS 1.2+) and at rest.
  • Access Controls: Multi-layered role-based access control (RBAC) with per-tenant data isolation, custom authentication claims, and field-level write restrictions enforced at the database rule level.
  • Tenant Isolation: Strict multi-tenant separation — each tenant's data is scoped to their unique tenant identifier. No cross-tenant data access is possible through application or database interfaces.
  • Webhook Integrity: All inbound payment and billing webhooks verified using HMAC-SHA256 signature validation.
  • Financial Data Tokenization: SSNs, EINs, and bank account details processed via Stripe Treasury are tokenized by Stripe at the point of entry and never stored in unredacted form on Zone OS infrastructure.
  • Audit Logging: All administrative, financial, and compliance-significant operations generate tamper-evident audit records sealed with SHA-256 cryptographic hashes and stored in append-only infrastructure.
  • Penetration Testing: Annual penetration testing of infrastructure and application layer.
  • Personnel: All personnel with access to Personal Data are subject to background verification and bound by confidentiality agreements.

7. Security Incident Notification

The Processor will notify the Controller of any confirmed Security Incident without undue delay and in any event within 72 hours of confirmed discovery. The notification will include:

  1. A description of the nature of the incident, including the categories and approximate number of Data Subjects and records affected.
  2. The name and contact details of the Processor's point of contact.
  3. A description of the likely consequences of the incident.
  4. A description of the measures taken or proposed to address the incident and mitigate its effects.

The Processor will cooperate with the Controller's investigation and provide timely updates as additional information becomes available.

8. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject requests (access, rectification, erasure, portability, restriction, objection) by:

  • Providing data export tools within the platform dashboard.
  • Processing verified deletion requests within the timeframes required by applicable law (15 days for NJDPA opt-outs; 45 days for CCPA DSARs).
  • Redirecting any Data Subject requests received directly by the Processor to the appropriate Controller without undue delay.

9. Data Retention & Deletion

Upon termination of the Agreement or upon the Controller's written request, the Processor will delete or return all Personal Data within 90 days, except where retention is required by applicable law. The following exceptions apply:

  • Tax & Payroll Records: Legal names, EINs, tokenized SSN references, payroll ledger history, and disbursement records are subject to a mandatory 4-year legal retention hold as required by the IRS and FLSA. These records are stripped of active identity linkage, flagged with a legal hold, and moved to an isolated, encrypted archive inaccessible to tenant dashboards.
  • Audit Trail Records: Cryptographic audit trail records for signed documents are retained for a minimum of 5 years following the close of the transaction file, as required by the ESIGN Act and UETA.

Archived records are permanently destroyed via automated cryptographic shredding once the mandatory retention period expires.

10. International Data Transfers

Personal Data is primarily processed in the United States (Google Cloud us-east1 region). If the Controller operates in a jurisdiction that restricts cross-border data transfers (including the EU/EEA, UK, or Guyana), the parties agree to implement appropriate transfer mechanisms, which may include:

  • Standard Contractual Clauses (SCCs) as approved by the relevant regulatory authority.
  • Transfer Impact Assessments (TIAs) conducted prior to data transfer.
  • Data Protection Commission registration where required by local law.

11. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted:

  • By the Controller or an independent third-party auditor appointed by the Controller (subject to reasonable confidentiality obligations).
  • No more than once per calendar year, unless a Security Incident triggers an additional audit right.
  • With at least 30 days' written notice and during normal business hours.

The Processor may satisfy audit requests by providing relevant SOC 2 Type II reports, penetration test summaries, or other independent audit certifications.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Agreement's Limitation of Liability section. Nothing in this DPA limits either party's liability for breaches of its data protection obligations to the extent such limitation is prohibited by applicable law.

13. Term & Termination

This DPA commences on the effective date of the Agreement and continues for the duration of the Processor's processing of Personal Data on behalf of the Controller. Upon termination, the Processor's obligations under Sections 6, 7, 9, and 11 survive for the duration of any retained data.

14. Contact

For questions or requests related to this DPA: