ZeroEntropy is compliant under SOC 2 Type II, HIPAA, GDPR. You can find most resources in our trust report.
Below is our current Data Processing Addendum as of November 4th, 2025.
DATA PROTECTION AGREEMENT
ZeroEntropy, Inc. a company incorporated under the laws of Delaware, having its
registered office and principal place of business in San Francisco at 156 2nd St San
Francisco 94110 California USA (hereinafter to be referred to as: the “Data
Processor”),
AND
________________, a company incorporated under the laws of ______________,
having its registered office in ________________ at ________________ and principal
place of business in _____________ at __________________ (hereinafter to be
referred to as: the “Data Controller”).
HEREBY AGREE AS FOLLOWS:
1. Subject matter of this Data Processing Agreement
1.1. This Data Processing Agreement applies to the processing of Personal Data
subject to EU Data Protection Law in connection with the Data Controller’s use of the
Data Processor’s services (the “Services”) under the Data Processor’s Terms of Service
or any other applicable online agreement governing such use.
1.2. The term EU Data Protection Law shall mean Regulation (EU) 2016/679 of
the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation).
1.2A. “Data Protection Laws” means GDPR, UK GDPR, and applicable
US state privacy laws including CCPA/CPRA, Colorado CPA, Connecticut CTDPA,
Utah UCPA, and Virginia VCDPA.
1.2B. This DPA also applies to Customer Affiliates that enter an order
under the Agreement. Processor acts as processor for such Affiliates to the extent they
use the Services.
1.3. Except as modified below, the Terms of Service shall remain in full force
and effect. Other terms used in this Data Processing Agreement that have meanings
ascribed to them in the EU Data Protection law, including but not limited to
“Processing”, “Personal Data”, “Data Controller” and “Processor,” shall carry the
meanings set forth under EU Data Protection Law.
1.4. Insofar as the Data Processor processes Personal Data subject to EU Data
Protection Law on behalf of the Data Controller in connection with the Data
Controller’s use of the Services, the terms of this Data Processing Agreement shall
apply. In the event of any conflict between the Terms of Service (or other applicable
online agreement) and this Data Processing Agreement, the provisions of this Data
Processing Agreement shall prevail. An overview of the categories of Personal Data,
the categories of Data Subjects, and the nature and purposes of processing is provided
in Annex 2.
2. The Data Controller and the Data Processor
2.1. Subject to the provisions of the Terms of Service, to the extent that the Data
Processor’s data processing activities are not adequately described in the Terms of
Service, the Data Controller will determine the scope, purposes, and manner by which
the Personal Data may be accessed or processed by the Data Processor. The Data
Processor will process the Personal Data only as set forth in Data Controller’s written
instructions and no Personal Data will be processed unless explicitly instructed by the
Controller. Documented instructions include those provided via the Services, the
Dashboard, APIs, the Terms of Service or Agreement, or other written
communications.
2.2. The Data Processor will only process the Personal Data on documented
instructions of the Data Controller to the extent that this is required for the provision of
the Services. Should the Data Processor reasonably believe that a specific processing
activity beyond the scope of the Data Controller’s instructions is required to comply
with a legal obligation to which the Data Processor is subject, the Data Processor shall
inform the Data Controller of that legal obligation and seek explicit authorization from
the Data Controller before undertaking such processing. The Data Processor shall never
process the Personal Data in a manner inconsistent with the Data Controller’s
documented instructions. The Data Processor shall immediately notify the Data
Controller if, in its opinion, any instruction infringes this Regulation or other Union or
Member State data protection provisions. Such notification will not constitute a general
obligation on the part of the Data Processor to monitor or interpret the laws applicable
to the Data Controller, and such notification will not constitute legal advice to the Data
Controller.
2.3. The Parties have entered into this Data Processing Agreement in connection
with the Data Controller’s use of the Data Processor’s Services, in order to benefit from
the capabilities of the Data Processor in securely processing Personal Data for the
purposes set out in Annex 2. The Data Processor may determine the technical and
organizational means it considers necessary to achieve those purposes, provided that
such means comply with this Data Processing Agreement and the Data Controller’s
documented instructions.
2.4. The Data Controller warrants that it has all necessary rights to provide the
Personal Data to the Data Processor for the Processing to be performed in relation to
the Services, and that one or more lawful bases set forth in EU Data Protection Law
support the lawfulness of the Processing. To the extent required by EU Data Protection
Law, the Data Controller is responsible for ensuring that all necessary privacy notices
are provided to data subjects, and unless another legal basis set forth in EU Data
Protection Law supports the lawfulness of the processing, that any necessary data
subject consents to the Processing are obtained, and for ensuring that a record of such
consents is maintained. Should such a consent be revoked by a data subject, the Data
Controller is responsible for communicating the fact of such revocation to the Data
Processor, and the Data Processor remains responsible for implementing Data
Controller’s instruction with respect to the processing of that Personal Data.
2.5. Data Use and Storage Location
(a) No Training or Fine-Tuning. The Data Processor does not use any Personal
Data or Customer Content processed through the Services to train, or fine-tune its
machine learning models or those of any third party. Processing of Personal Data is
strictly limited to operating, maintaining, and securing the Services in accordance with
the Data Controller’s documented instructions.
(b) Encryption. The Data Processor protects Personal Data in transit and at rest
using industry-standard encryption technologies (such as TLS 1.2+ for data in transit
and AES-256 or equivalent for data at rest).
(c) Data Residency. The Data Processor offers regional hosting options,
including EU-based data centers. When the Data Controller selects an EU region, all
Personal Data submitted to and processed by the Services remains within the European
Economic Area, subject only to the Data Controller’s configuration and any explicitly
authorized subprocessors listed in Annex 4.
2.6. For California personal information, Processor acts as a service provider or
processor and will not sell or share personal information, will not retain, use, or
disclose it for any purpose other than the Services, will not combine it with personal
information from other customers except as permitted by law for security and
debugging, and certifies compliance with these restrictions.
2.7. De-identified Data. If Customer instructs Processor to generate or handle
de-identified or aggregated data, Processor will take reasonable measures to prevent re-
identification, will not attempt to re-identify except to test its de-identification process,
and will bind any recipients to the same restrictions.
3. Confidentiality
3.1. Without prejudice to any existing contractual arrangements between the
Parties, the Data Processor shall treat all Personal Data as confidential and it shall
inform all its employees, agents and/or approved sub-processors engaged in
processing the Personal Data of the confidential nature of the Personal Data. The Data
Processor shall ensure that all such persons or parties have signed an appropriate
confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under
an appropriate statutory obligation of confidentiality.
4. Security
4.1. Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, the Data
Controller and Data Processor shall implement appropriate technical and organizational
measures to ensure a level of security of the processing of Personal Data appropriate to
the risk. These measures shall include, at a minimum, the security measures agreed
upon by the Parties in Annex 3.
4.2. Both the Data Controller and the Data Processor shall maintain written
security policies that are fully implemented and applicable to the processing of
Personal Data. At a minimum, such policies should include assignment of internal
responsibility for information security management, devoting adequate personnel
resources to information security, carrying out verification checks on permanent staff
who will have access to the Personal Data, conducting appropriate background checks,
requiring employees, vendors and others with access to Personal Data to enter into
written confidentiality agreements, and conducting training to make employees and
others with access to the Personal Data aware of information security risks presented
by the Processing.
4.3. Upon reasonable written notice, Processor shall make available information
necessary to demonstrate compliance with this DPA, including current third-party
certifications or audit reports such as SOC 2 Type II. Where such documentation does
not reasonably address the Controller’s concerns, Controller (or an independent auditor
it designates) may conduct audits, including remote document review and on-site
inspections, no more than once in any 12-month period, or following (i) a confirmed
Security Incident, (ii) material change to Processing, or (iii) a Supervisory Authority
request, during normal business hours and without unreasonably disrupting Processor’s
operations. All audit information is Confidential Information. Processor maintains the
records required by Article 30 GDPR and may satisfy audit requests by providing
current third party reports such as SOC 2 Type II, where they address the scope of
Processing.
4.4. The Data Processor’s adherence to either an approved code of conduct or to
an approved certification mechanism recognized under EU
Data Protection Law may be used as an element by which the Data Processor may
demonstrate compliance with the requirements set out in Article 4.1, provided that the
requirements contained in Annex 3 are also addressed by such code of conduct or
certification mechanism.
5. Improvements to Security
5.1. The Parties acknowledge that security requirements are constantly changing
and that effective security requires frequent evaluation and regular improvements of
outdated security measures. The Data Processor will therefore evaluate the measures as
implemented in accordance with Article 4 on an on-going basis in order to maintain
compliance with the requirements set out in Article 4.
6. Data Transfers
6.1. The Data Processor shall promptly notify the Data Controller of any
planned permanent or temporary transfers of Personal Data to a third country, including
a country outside of the European Economic Area without an adequate level of
protection, and shall only perform such a transfer after obtaining authorization from the
Data Controller, which may be refused at its own discretion. Annex 4 provides a list of
transfers for which the Data Controller grants its authorization upon the conclusion of
this Data Processing Agreement.
6.2. To the extent that the Data Controller or the Data Processor are relying on a
specific statutory mechanism to normalize international data transfers and that
mechanism is subsequently modified, revoked, or held in a court of competent
jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate
in good faith to promptly suspend the transfer or to pursue a suitable alternate
mechanism that can lawfully support the transfer.
6.3. Standard Contractual Clauses and UK Addendum. To the extent any transfer
constitutes a Restricted Transfer, the parties incorporate the EU Commission SCCs
2021/914:
(a) Module Two (controller to processor) and Module Three (processor to
subprocessor) as applicable;
(b) Clause 9 Option 2 (general authorization) with the notice period in
Section 8.2 of this DPA;
(c) Clause 17 governing law: Ireland; Clause 18 courts: Ireland;
(d) Annex I and Annex III are completed by Annex 2 and Annex 4; Annex
II is completed by Annex 3.
For UK transfers, the UK Addendum to the EU SCCs is incorporated with Part 1
completed by Annexes 2, 3, and 4 and Table 4 selecting neither party. For Swiss
transfers, the SCCs apply with references adjusted to the Swiss FADP, Swiss law, and
Swiss courts.
6.4. Transfer Impact Assessments. Processor shall conduct and document
transfer-impact assessments for Restricted Transfers as required by the SCCs and make
a summary available to Controller upon request. If a transfer mechanism is invalidated
or superseded, the parties shall promptly cooperate to implement an alternative lawful
mechanism.
7. Information Obligations and Incident Management
7.1. Processor will notify Controller without undue delay and where feasible
within 72 hours after becoming aware of an incident that has a material impact on
Processing.
7.2. The term “incident” used in Article 7.1 shall be understood to mean in any
case:
(a) a complaint or a request with respect to the exercise of a data
subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government
officials, or a specific indication that such an investigation or seizure is
imminent;
(c) any unauthorized or accidental access, processing, deletion, loss or
any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out
in Articles 3 and 4 of this Data Processing Agreement leading
to the accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, the Personal Data, or any indication of such breach
having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an
instruction received from the Data Controller would violate applicable laws to
which the Data Controller or the Data Processor are subject.
7.3. The Data Processor shall at all times have in place written procedures
which enable it to promptly respond to the Data Controller about an incident. Where
the incident is reasonably likely to require a data breach notification by the Data
Controller under EU Data Protection Law, the Data Processor shall implement its
written procedures in such a way that it is in a position to notify the Data Controller
without undue delay after the Data Processor becomes aware of such an incident.
7.4. Any notifications made to the Data Controller pursuant to this Article 7 shall
be addressed to the employee of the Data Controller whose contact details are provided
in Annex 1 of this Data Processing Agreement and, in order to assist the Data
Controller in fulfilling its obligations under EU Data Protection Law, should contain:
(a) a description of the nature of the incident, including where possible the
categories and approximate number of data subjects concerned and the categories and
approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer
or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data
Processor to address the incident including, where appropriate, measures to mitigate its
possible adverse effects.
7.5. If Processor receives a legally binding request from a public authority for
access to Controller Personal Data, Processor will (i) notify Controller prior to
disclosure unless legally prohibited, (ii) challenge unlawful or overbroad requests, and
(iii) disclose only the minimum data required.
8. Contracting with Sub-Processors
8.1. The Data Processor shall not subcontract any of its Service-related
activities consisting (partly) of the processing of the Personal Data or requiring
Personal Data to be processed by any third party without the prior written authorization
of the Data Controller.
8.2. The Data Controller authorizes the Data Processor to engage the
subprocessors listed in Annex 4 for the service-related Data Processing activities
described in Annex 2. The Data Processor shall inform the Data Controller of any
addition or replacement of such subprocessors, giving the Data Controller an
opportunity to object to such changes. If the Data Controller timely submits a written
objection setting forth a reasonable basis, the Parties will make a good-faith effort to
resolve the objection. If no resolution is reached, the Data Processor will use
commercially reasonable efforts to provide the Data Controller with the same level of
service without using the relevant subprocessor. If this is not feasible, the Data
Controller may terminate the affected portion of the Services and receive a pro-rated
refund of any prepaid fees for that portion.
8.3. Notwithstanding any authorization by the Data Controller within the
meaning of the preceding paragraph, the Data Processor shall remain fully liable vis-à-
vis the Data Controller for the performance of any such sub-processor that fails to
fulfill its data protection obligations.
8.4. The Data Processor shall ensure that the sub-processor is bound by data
protection obligations compatible with those of the Data Processor under this Data
Processing Agreement, shall supervise compliance thereof, and must in particular
impose on its sub-processors the obligation to implement appropriate technical and
organizational measures in such a manner that the processing will meet the
requirements of EU Data Protection Law.
8.5. The Data Controller may request confirmation that an audit of a Third Party
Sub-processor has occurred and a summary of the results, or where available a current
third-party assurance report.
9. Returning or Destruction of Personal Data
9.1. Upon termination or on written request, Processor will delete or return all
Personal Data within 30 days, and delete remaining backups within 60 days, unless law
requires retention. Where retention is required, Processor will minimize the retained
data, protect it, and delete it once the basis ends.
9.2. The Data Processor shall notify all authorized subprocessors supporting its
processing of the Personal Data of the termination of the Data Processing Agreement
and shall ensure that all such authorized sub-processors shall either destroy the
Personal Data or return the Personal Data to the Data Controller, at the discretion of the
Data Controller.
9.3. Operational Retention. Processor may retain transient API request metadata
and security logs for up to 30 days for reliability, security, and abuse detection, after
which such data is deleted unless a different retention is agreed in writing or required
by law.
10. Assistance to Data Controller
10.1. The Data Processor shall assist the Data Controller by appropriate
technical and organizational measures, insofar as this is possible, for the fulfillment of
the Data Controller’s obligation to respond to requests for exercising the data subject’s
rights under the EU Data Protection Law.
10.2. Taking into account the nature of processing and the information available
to the Data Processor, the Data Processor shall assist the Data Controller in ensuring
compliance with obligations pursuant to Section 4 (Security), as well as other Data
Controller obligations under EU Data Protection Law that are relevant to the Data
Processing described in Annex 2, including notifications to a supervisory authority or
to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and
with prior consultations with supervisory authorities.
10.3. The Data Processor shall make available to the Data Controller all
information necessary to demonstrate compliance with the Data Processor’s obligations
and allow for and contribute to audits, including inspections, conducted by the Data
Controller or another auditor mandated by the Data Controller.
11. Duration and Termination
11.1. This Data Processing Agreement shall come into effect as of the date the
Customer accepts this DPA (the Effective Date) whether electronically or by continued
use of the Services.
11.2. Termination or expiration of this Data Processing Agreement shall not
discharge the Data Processor from its confidentiality obligations pursuant to Article 3.
11.3. The Data Processor shall process Personal Data until the earlier of (i)
termination of the Customer’s account or (ii) termination of this DPA by either partywith written notice, unless instructed otherwise by the Data Controller, or until such
data is returned or destroyed on instruction of the Data Controller.
12. Miscellaneous
12.1. Governing Law and Jurisdiction. To the extent the Processing of Personal
Data is subject to EU, UK, or Swiss Data Protection Law or the EU Standard
Contractual Clauses, this DPA and any dispute arising from it shall be governed by and
construed in accordance with the laws of Ireland, and the courts of Ireland shall have
exclusive jurisdiction. For all other Processing not subject to those laws, this DPA shall
be governed by the laws of the State of California, USA, and the courts located in San
Francisco County, California shall have exclusive jurisdiction.
________________________________
Signed
for and on behalf of the Data Processor
Name:
Title:
Date:
________________________________
Signed
for and on behalf of the Data Controller
Name:
Title:
Date:
Annex 1:
Contact information of the data protection officer of the Data Controller.
Name:
Title:
Email:
Contact information of the data protection officer of the Data Processor.
Email: security@zeroentropy.dev
Annex 2:
Types of Personal Data that will be processed in the scope of the Service Agreement:
Unstructured text data supplied through API requests or uploads. This may incidentally include
personal data if contained in the Customer’s own documents, such as names, email addresses, or
other identifiers embedded in text.
Categories of Data Subjects:
Individuals whose personal data may appear in the Customer’s submitted content (for example,
employees, clients, contractors, or other data subjects referenced in uploaded materials).
Nature and purpose of the Data Processing:
Operation of the Services, including retrieval, reranking, semantic similarity computation, and
other automated text-processing functions performed to deliver relevant search and retrieval
results as requested by the Customer. Processing is limited to executing API calls, improving
retrieval quality, and maintaining service reliability and security.
Annex 3: Security Measures
Data Processor shall:
1. ensure that the Personal Data can be accessed only by authorized personnel for
the purposes set forth in Annex 2 of this Data Processing Agreement;
2. take all reasonable measures to prevent unauthorized access to the Personal Data
through the use of appropriate physical and logical (passwords) entry controls,
securing areas for data processing, and implementing procedures for monitoring
the use of data processing facilities;
3. build in system and audit trails;
4. use secure passwords, network intrusion detection technology, encryption and
authentication technology, secure logon procedures and virus protection;
5. account for all the risks that are presented by processing, for example from
accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful
storage, processing, access or disclosure of Personal Data;
6. ensure pseudonymisation and/or encryption of Personal Data, where
appropriate;
7. maintain the ability to ensure the ongoing confidentiality, integrity, availability
and resilience of processing systems and services;
8. maintain the ability to restore the availability and access to Personal Data in a
timely manner in the event of a physical or technical incident;
9. implement a process for regularly testing, assessing, and evaluating the
effectiveness of technical and organizational measures for ensuring the security
of the processing of Personal Data;
10. monitor compliance on an ongoing basis;
11. implement measures to identify vulnerabilities with regard to the processing of
Personal Data in systems used to provide services to the Data Controller;
12. provide employee and contractor training to ensure ongoing capabilities to carry
out the security measures established in policy.
Annex 4:
The Data Controller authorizes the subprocessors engaged by Data Processor to support
the provision of the Services.
A current list of subprocessors, including their locations and purposes of processing, is
maintained on our Trust Report.
Data Processor will notify the Data Controller in advance of any intended changes to
this list in accordance with Article 8.2.