01 Parties
This DPA is entered into between the Controller (the business customer using zlabz.io to process data relating to their own users, employees, or contractors) and zlabz.io, operated by the owner of the zlabz.io domain, acting as the Processor. For consumer end-users who sign up directly on zlabz.io, we act as Controller — this DPA does not apply to that relationship; our Privacy Policy does.
02 Subject matter
The subject of the processing is the personal data that the Controller uploads, creates, or otherwise submits through the zlabz.io service (e.g. paragraph text, project metadata, end-user identifiers). Processing is limited to what is necessary to deliver, secure, and support the service.
03 Scope and purpose
- Duration: for as long as the Controller has an active subscription or trial, plus a reasonable post-termination period for deletion and legal retention.
- Nature: storage, hosting, transmission, rendering, and retrieval of Controller data within the zlabz.io application.
- Categories of data subjects: the Controller's end-users, employees, or contractors who interact with the service on the Controller's behalf.
- Categories of personal data: account identifiers (email, name), content submitted to the editor, usage metadata — as documented in our Privacy Policy and subprocessor list.
04 Processor obligations
- Process personal data only on documented instructions from the Controller (normal use of the service constitutes such instructions).
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see next section).
- Assist the Controller in responding to data-subject requests and, where applicable, DPIAs and prior consultation with supervisory authorities.
- Make available information necessary to demonstrate compliance and allow for reasonable audits (typically via written questionnaires or vendor reports, given the shared-infrastructure nature of the service).
05 Security measures
- Encryption in transit (HTTPS / TLS) on all endpoints.
- Encryption at rest via Convex database defaults.
- Authentication handled by Clerk — passwords are never stored by zlabz.io.
- Principle of least privilege on server-side code, per-user Convex scoping, and no cross-tenant data access paths.
- Payment data kept strictly out of scope — card handling is delegated to Dodo Payments (PCI DSS Level 1).
06 Subprocessors
The Controller gives general authorisation for the use of the subprocessors listed at zlabz.io/subprocessors. We will give at least 14 days' notice of any addition or change of subprocessor, during which the Controller may object. If the Controller reasonably objects, the parties will discuss a remedy; if none is found, the Controller may terminate the affected service.
07 Data-subject rights
We provide self-service endpoints in /settings so end-users can export their data (GDPR Article 20) and delete their accounts (Article 17). For Controller-initiated requests, we will assist within the technical capabilities of the service, and forward any request received directly by us to the Controller without undue delay.
08 Breach notification
In the event of a personal-data breach affecting Controller data, we will notify the Controller without undue delay and in any case within 72 hours of becoming aware, with the nature of the breach, affected categories, likely consequences, and remedial measures taken.
09 International transfers
Where personal data is transferred outside the EEA / UK, we rely on the Standard Contractual Clauses (SCCs) included by default in each vendor's DPA (see /subprocessors) and apply supplementary measures where required. We will not transfer data to a jurisdiction lacking adequate protection without a valid transfer mechanism.
10 Termination and deletion
On termination of the main service agreement or on written request, we will delete or return all Controller personal data within 30 days, except where retention is required by law (e.g. billing records for tax compliance). The Controller can trigger an export at any time before termination via /api/user/export or our support team for larger datasets.
11 Liability
Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where such limitation is not permitted by applicable data-protection law. Nothing here excludes liability that cannot lawfully be excluded.
12 Contact
Notices, data-subject requests, breach reports, and DPA signature requests can be sent via our support channel. We respond within two business days.