
Data Processing Agreement (DPA)

Last updated: December 8, 2025

1. Introduction & Applicability

This Data Processing Agreement ("DPA") is entered into between Zyvarin Social Inc. ("Data Controller") and its customers ("Data Subject" or "Customer") and applies to the processing of personal data in connection with the provision of Zyvarin services.

This DPA applies to customers located in the European Union, United Kingdom, European Economic Area, or other jurisdictions with data protection laws similar to GDPR.

Important: This DPA is separate from and supplementary to our Terms of Service and Privacy Policy. This DPA governs how we process personal data on your behalf as a Data Processor.

2. Roles & Responsibilities

2.1 Data Controller

You (the Customer) are the Data Controller. You determine the purposes and means of processing personal data through your use of Zyvarin. This includes:

  • Determining what content to post on social media
  • Deciding which social media accounts to connect
  • Setting publishing schedules and frequency
  • Managing team member access

2.2 Data Processor

Zyvarin Social is the Data Processor. We process personal data on your behalf and only according to your instructions. We agree to:

  • Process personal data only as instructed by you
  • Implement technical and organizational security measures
  • Ensure your compliance with GDPR obligations
  • Maintain confidentiality of processed data

2.3 Sub-Processors

Zyvarin uses the following sub-processors (third parties who process data on our behalf):

  • Vercel (Hosting): Infrastructure and hosting services
  • PostgreSQL Database Provider: Database hosting and backup
  • Google Gemini API: AI-powered content suggestions
  • Razorpay (Payments): Payment processing
  • Nodemailer (Email): Transactional email delivery
  • Google Analytics: Usage analytics (anonymized)

You authorize us to use these sub-processors. We will notify you 30 days in advance of any changes to sub-processors.

3. Categories of Personal Data

Zyvarin processes the following categories of personal data:

  • Account Information: Email, name, profile data, preferences
  • Social Media Data: OAuth tokens, social media handles, post content
  • Payment Data: Billing address, last 4 digits of payment method (full details via Razorpay)
  • Usage Data: Login times, pages visited, features used, device information
  • Content Data: Posts, media, drafts, scheduling information
  • Communication Data: Support messages, feedback, notifications
  • Technical Data: IP addresses, cookies, device identifiers

4. Processing Operations & Purposes

4.1 Authorized Processing Purposes

You authorize Zyvarin to process personal data solely for:

  • Providing the Zyvarin social media scheduling service
  • Managing your subscription and billing
  • Publishing content to connected social media accounts
  • Generating analytics and engagement reports
  • Providing customer support
  • Sending service notifications and updates
  • Detecting and preventing fraud or abuse
  • Complying with legal obligations

4.2 Prohibited Processing

Zyvarin shall NOT process personal data for:

  • Marketing purposes (except service announcements)
  • Selling, renting, or sharing data with third parties
  • Profiling or automated decision-making
  • Training machine learning models (except aggregated, anonymized data)

5. Data Subject Rights

5.1 Your Responsibilities as Controller

As the Data Controller, YOU are responsible for:

  • Ensuring lawful basis for processing (consent, contract, legitimate interest, etc.)
  • Obtaining consent from data subjects (your social media followers) if required
  • Responding to data subject requests (access, deletion, portability)
  • Conducting Data Protection Impact Assessments (DPIA) if applicable
  • Notifying data subjects of any data breaches
  • Complying with all GDPR obligations

5.2 Zyvarin's Support of Your Rights

Zyvarin will assist you in fulfilling data subject rights:

  • Right of Access: You can download your data from your account dashboard
  • Right to Deletion: You can delete your account and associated data
  • Right to Correction: You can update your profile information
  • Right to Data Portability: Export your data in standard formats
  • Right to Restrict Processing: Request limitation of specific processing activities

5.3 Data Subject Requests

If a data subject requests access to their personal data, they should contact you (the Data Controller). You may forward requests to us, and we will respond within 30 days.

Contact: dpa@zyvarin.com

6. Data Security & Confidentiality

6.1 Technical Measures

Zyvarin implements the following security measures:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Control: Role-based access control (RBAC), principle of least privilege
  • Authentication: OAuth 2.0, bcrypt password hashing, multi-factor authentication (optional)
  • Database Security: PostgreSQL with row-level security (RLS)
  • Network Security: HTTPS/TLS, firewall protection
  • Regular Audits: Monthly security assessments and vulnerability testing

6.2 Organizational Measures

  • Limited employee access to personal data on need-to-know basis
  • Confidentiality agreements with all employees and contractors
  • Data protection training for all staff members
  • Background checks for employees with data access
  • Incident response plan and breach notification procedures
  • Regular security awareness training

6.3 Certification & Compliance

  • SOC 2 Type II compliant
  • GDPR compliant processing practices
  • Cyber liability insurance coverage

7. International Data Transfers

7.1 Transfer Mechanisms

Personal data may be transferred from the EEA to the United States through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved standard contractual clauses
  • Adequacy Decisions: Where applicable (e.g., UK, Switzerland)

7.2 Data Localization

Your personal data is stored primarily in the United States on Vercel servers. Backup copies may be stored in multiple geographic locations for disaster recovery.

7.3 Derogations

You may request specific data localization or transfer restrictions. Contact us at dpa@zyvarin.com.

8. Data Retention & Deletion

8.1 Retention Periods

  • Active Account Data: Retained while account is active
  • Deleted Accounts: Deleted within 30 days of deletion request
  • Backup Data: Retained for 90 days for disaster recovery
  • Payment Records: Retained for 7 years (legal/tax compliance)
  • Server Logs: Deleted after 30 days

8.2 Deletion Request Process

You may request deletion of your data by:

  • Deleting your account from account settings
  • Emailing a deletion request to dpa@zyvarin.com

We will delete all personal data within 30 days, except where legal obligations require retention (e.g., tax records, fraud investigations).

9. Data Breach Notification

9.1 Breach Detection & Response

If we detect a personal data breach, we will:

  • Immediately begin investigation and containment
  • Notify you (the Data Controller) within 24 hours
  • Provide details of the breach and affected data
  • Recommend notifications to data subjects and authorities

9.2 Your Responsibilities

As the Data Controller, YOU must:

  • Notify affected data subjects if required by law
  • Report to the Data Protection Authority (DPA) if required
  • Maintain breach notification records

9.3 Contact for Breaches

Report suspected breaches to: security@zyvarin.com

10. Data Protection Impact Assessment (DPIA)

10.1 When DPIA is Required

If your processing is likely to result in high risk to data subjects, you may be required to conduct a DPIA. Zyvarin will assist by providing information about our processing practices.

10.2 Zyvarin's Support

We provide documentation to help you complete DPIA requirements:

  • Security documentation and certifications
  • Processing information and risk assessment
  • Technical and organizational measures implemented

Contact: dpa@zyvarin.com

11. Audit Rights

11.1 Audit Access

You may audit Zyvarin's compliance with this DPA by:

  • Requesting our SOC 2 Type II report (annual audit)
  • Requesting specific security certifications or documentation
  • Conducting a limited on-site audit (with 30 days' notice)

11.2 Audit Frequency

Audits may be conducted once per calendar year at no additional cost. Additional audits are subject to reasonable fees to cover our costs.

11.3 Confidentiality

Audit findings are confidential. Both parties agree to protect proprietary information disclosed during audits.

12. Amendments & Modifications

12.1 DPA Changes

Zyvarin may modify this DPA to comply with applicable laws. We will notify you 30 days in advance of material changes. Continued use of the Service constitutes acceptance.

12.2 Sub-Processor Changes

We will notify you 30 days before adding or replacing sub-processors. You may object to sub-processor changes by providing written notice within 15 days. If you object, we will work with you to find an alternative.

13. Termination & Data Return

13.1 Upon Account Deletion

When your account is deleted or subscription terminates:

  • You may request a data export within 30 days
  • After 30 days, all data will be permanently deleted
  • Backup copies retained for 90 days for disaster recovery

13.2 Compliance Upon Termination

Zyvarin will certify in writing that all data has been deleted or returned, except where legal obligations require retention.

14. Liability & Indemnification

14.1 Liability Limitation

As a Processor, Zyvarin is not liable for GDPR violations caused by your instructions as the Controller. However, we are liable for violations caused by our processing practices.

14.2 Indemnification

Zyvarin will indemnify and defend you against claims that our processing practices violate GDPR, provided you have complied with your controller obligations.

15. Contact Information

For DPA Questions:

Email: dpa@zyvarin.com

For Data Breaches:

Email: security@zyvarin.com

Data Protection Officer:

Email: dpo@zyvarin.com


© 2025 Zyvarin, Inc. All rights reserved.
