Data Processing Agreement (DPA)
EspañolLast updated: May 6, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between SPEUX EIRL (Tax ID 20607072168, “Zentro”, Processor) and the Customer (Controller), and applies when Zentro's processing of personal data on behalf of the Customer is subject to GDPR (EU), UK GDPR, CCPA/CPRA (California), LGPD (Brazil), or equivalent regulations.
1. Definitions
- Personal Data: any information relating to an identified or identifiable natural person that the Customer entrusts to us through the Service.
- Processing: any operation performed on Personal Data.
- Controller: the Customer, who determines the purposes and means of Processing.
- Processor: Zentro, processing data on behalf of the Customer.
- Sub-processor: a third party engaged by Zentro to process Data.
2. Subject matter and duration
Zentro will process Personal Data only as necessary to provide the Service described in the Terms. This DPA applies for the duration of the commercial relationship and until data is deleted.
3. Nature and purpose of Processing
- Importing and managing the Customer's COD orders.
- Synchronization with couriers and authorized integrations.
- Generating operational reports for the Customer.
- Providing technical support when requested by the Customer.
4. Categories of Personal Data and data subjects
- Customer's users: name, email, role, access logs.
- Customer's end-customers: name, phone, national ID, address, order history.
We do not process special categories of data (health, biometric, ideological, etc.). If the Customer uploads such data, it does so under its own responsibility and must have the appropriate legal bases.
5. Zentro's obligations as Processor
- Process Data only on the Customer's documented instructions.
- Ensure that authorized personnel commit to confidentiality or are subject to a legal obligation of confidentiality.
- Implement appropriate technical and organizational measures: AES-256-GCM encryption, TLS 1.2+, role-based access control (RBAC), multi-tenant isolation, audit logging.
- Assist the Customer in fulfilling its obligations (responding to data-subject rights, impact assessments, breach notifications).
- Notify the Customer without undue delay (target: 72 hours) of any security breach affecting their Data.
- At the Customer's choice, delete or return Data at the end of the service, unless legally required to retain.
6. Sub-processors
The Customer authorizes Zentro to engage the following Sub-processors. Zentro maintains contracts imposing equivalent obligations to this DPA with each Sub-processor:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and CDN | EE.UU. / Global edge |
| Neon (PostgreSQL) | Managed database | EE.UU. |
| Vercel Blob | Storage of payment proofs and images | EE.UU. |
| Sentry | Error and performance monitoring | EE.UU. |
| Browserbase | Secure browser automation (Zeus integration) | EE.UU. |
| Resend | Transactional email delivery | EE.UU. |
Zentro will notify the Customer at least 30 days in advance of any addition or replacement of Sub-processors. The Customer may object in writing to privacy@zentro.one.
7. International transfers
When Data is transferred outside the Customer's country, Zentro relies on valid transfer mechanisms: EU Standard Contractual Clauses (SCCs) for EU/UK customers, equivalents for LGPD, and providers with SOC 2 / ISO 27001 certifications.
8. Data subject rights
Zentro provides in-platform mechanisms enabling the Customer to handle data subject requests (access, rectification, deletion, portability). If a data subject contacts Zentro directly, we will redirect them to the Customer and provide reasonable assistance.
9. Audit
The Customer may request, once per year with 30 days' advance notice, evidence of compliance with security measures: SOC 2 reports of Sub-processors, control descriptions, synthesized pentest results. On-site audits require prior agreement and are at the Customer's expense.
10. Limitation of liability
Liability under this DPA is subject to the limitations of the Terms of Service. Aggregate liability shall not exceed the amount paid by the Customer in the 12 months prior to the triggering event.
11. Acceptance
To activate this DPA, the Customer may:
- Request a signed copy by writing to privacy@zentro.one with subject “DPA Request”.
- Accept it electronically from Settings → Compliance (coming soon).
12. Contact
Processor: SPEUX EIRL · Tax ID 20607072168 · privacy@zentro.one