Data Processing Agreement
Last updated 20 June 2026
This Data Processing Agreement (DPA) forms part of the Terms of Service between the customer (the 'Controller') and Zenvora (the 'Processor') and governs Zenvora's processing of personal data on the customer's behalf. DRAFT for legal review — not yet executed. Defined terms (personal data, processing, controller, processor, data subject) carry the meaning given under applicable data-protection law.
1. Roles of the parties
For personal data contained in the business records the customer enters into Zenvora (customers, suppliers, employees, payroll, transactions), the customer is the Controller and Zenvora is the Processor, acting only on the customer's documented instructions.
For account and usage data Zenvora collects directly (user name, email, login and audit metadata), Zenvora acts as an independent Controller, as described in the Privacy Policy.
2. Subject matter, duration, nature & purpose
Subject matter: processing necessary to provide the Zenvora service. Duration: for the term of the customer's subscription plus any retention period required by law. Nature and purpose: hosting, storing, organising, computing on, transmitting and backing up the customer's business records so the customer can run their accounting and operations.
3. Types of personal data & categories of data subjects
Types of data: identification and contact details, financial and transactional records, and—where the customer uses HR/Payroll—employee identifiers including tax/social-security numbers (stored encrypted).
Categories of data subjects: the customer's own customers, suppliers, employees, and authorised users of the customer's account.
4. Processor obligations
Zenvora will: (a) process personal data only on the customer's documented instructions, including for transfers, unless required by law (in which case it will notify the customer where permitted); (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement the technical and organisational measures in Section 7; (d) assist the customer, taking into account the nature of processing, with data-subject requests and with the customer's own security, breach-notification and impact-assessment obligations.
5. Sub-processors
The customer provides general authorisation for Zenvora to engage the sub-processors listed in the Privacy Policy (currently Supabase for database and authentication, Vercel for hosting, Resend for transactional email, and the subscription payment processor; Anthropic is engaged only if the optional AI Copilot is enabled).
Zenvora will impose data-protection obligations on each sub-processor no less protective than those in this DPA, will remain liable for their performance, and will give the customer prior notice of any intended addition or replacement so the customer may object on reasonable data-protection grounds.
6. International transfers
Where providing the service involves transferring personal data across borders, Zenvora will ensure an appropriate transfer mechanism recognised under applicable law is in place. [Hosting region and specific mechanism to be confirmed during legal review.]
7. Security measures
Zenvora maintains, at minimum: database-level tenant isolation via PostgreSQL row-level security; encryption of data in transit (TLS) and at rest; role-based access control and optional two-factor authentication; an immutable audit log of sensitive actions; and regular encrypted backups. A fuller description is published at /security.
8. Personal data breach
Zenvora will notify the customer without undue delay after becoming aware of a personal-data breach affecting the customer's data, and will provide information reasonably available to help the customer meet its own notification obligations.
9. Audit & assistance
Zenvora will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the customer or an auditor it mandates, subject to reasonable confidentiality and security conditions.
10. Return & deletion
On termination, Zenvora will, at the customer's choice, make the customer's data available for export for a reasonable period and then delete it, except to the extent retention is required by law (for example, statutory accounting-record retention).
11. Order of precedence & contact
In the event of conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails. To request execution of this DPA or raise a data-protection matter, contact privacy@zenvora.com.
This document is a plain-language summary provided for transparency and is not a substitute for formal legal advice.