Data Processing Addendum
Last updated: 2026-06-01
This addendum forms part of the Statement of Work between ZyroLab (the “Processor”) and the client (the “Controller”) when ZyroLab processes personal data on behalf of the client during an engagement. It reflects Article 28 GDPR-style obligations and applies to clients in the EU, UK, and equivalent regimes.
Scope and roles
When ZyroLab builds, hosts, or operates systems that handle the client’s personal data, the client is the Controller and ZyroLab is the Processor. Processing is limited to what is necessary to deliver the services agreed in the Statement of Work and to comply with applicable law.
Processing details
Subject matter: design, engineering, AI integration, and operational support. Duration: the term of the underlying engagement. Nature and purpose: building and operating software on the Controller’s behalf. Categories of data: typically end-user account data, contact data, and usage data, as described in the Statement of Work. Categories of data subjects: the Controller’s end users, customers, and employees as applicable.
Processor obligations
ZyroLab processes personal data only on documented instructions from the Controller, ensures persons authorised to process the data are bound by confidentiality, and assists the Controller in meeting its own obligations regarding security, breach notification, data protection impact assessments, and data subject requests.
Subprocessors
We use Vercel (hosting and CDN), Resend (transactional email), Cal.com (scheduling), Upstash (rate limiting), and Cloudflare (Turnstile bot detection) as standard subprocessors. We will notify the Controller before adding or replacing subprocessors and the Controller may object on reasonable data-protection grounds.
Security measures
The following measures apply: TLS in transit, encryption at rest where supported by the underlying provider, role-based access controls with least-privilege defaults, multi-factor authentication on all administrative accounts, code review on production changes, and isolated production credentials managed via Vercel’s environment variables.
Data subject rights
ZyroLab assists the Controller, taking into account the nature of the processing, in responding to requests from data subjects to exercise their rights under applicable law (access, rectification, erasure, restriction, portability, objection).
Breach notification
ZyroLab notifies the Controller without undue delay — and where feasible within 72 hours of becoming aware — of any personal data breach affecting the Controller’s data, providing the information needed for the Controller to meet its own notification obligations.
International transfers
Where personal data is transferred outside the originating jurisdiction, ZyroLab relies on the appropriate safeguards offered by its subprocessors, including the EU Standard Contractual Clauses and equivalent UK and Swiss addenda where applicable.
Return or deletion
On termination of the engagement, and at the Controller’s choice, ZyroLab returns or deletes all personal data processed on the Controller’s behalf, except where retention is required by applicable law.
Audit
ZyroLab makes available to the Controller the information needed to demonstrate compliance with this addendum, and contributes to audits — including inspections — conducted by the Controller or another auditor mandated by the Controller, on reasonable prior notice.
Contact
Data protection enquiries: hello@zyrolab.com.