Data Processing Agreement (DPA)

LAST UPDATED: January 21, 2026

This Data Processing Agreement (“Agreement”) forms part of the agreement between Zerodrift (“Processor”) and the customer or client (“Controller”) and governs the processing of personal data in connection with the provision of Zerodrift’s services.

This Agreement applies to the extent that Zerodrift processes personal data on behalf of the Controller under applicable data protection laws, including the UK GDPR and EU GDPR (together, “Data Protection Laws”).

1. Definitions

Capitalised terms not defined in this Agreement shall have the meanings given to them in Data Protection Laws.

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on Personal Data.
  • Controller means the entity that determines the purposes and means of the processing of Personal Data.
  • Processor means Zerodrift, processing Personal Data on behalf of the Controller.
  • Sub-processor means any third party engaged by Zerodrift to process Personal Data.

2. Scope and Purpose of Processing

Zerodrift shall process Personal Data only:

  • On documented instructions from the Controller
  • For the purpose of providing the services under the applicable agreement
  • In accordance with this Agreement and Data Protection Laws

The nature, purpose, and duration of processing, as well as the categories of Personal Data and data subjects, are described in Schedule 1.

3. Processor Obligations

Zerodrift shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to protect Personal Data
  • Not engage a Sub-processor without complying with Section 6 of this Agreement
  • Assist the Controller in responding to data subject requests where applicable
  • Assist the Controller in meeting obligations relating to security, breach notifications, and data protection impact assessments

4. Security Measures

Zerodrift shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including:

  • Access controls and authentication measures
  • Encryption or pseudonymisation where appropriate
  • Regular testing and evaluation of security practices
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of systems

Details of security measures are outlined in Schedule 2.

5. Personal Data Breach Notification

Zerodrift shall notify the Controller without undue delay after becoming aware of a Personal Data Breach and shall provide reasonable cooperation to assist the Controller in complying with breach notification obligations under Data Protection Laws.

6. Sub-processing

The Controller authorises Zerodrift to engage Sub-processors subject to the following conditions:

  • Zerodrift shall impose data protection obligations on Sub-processors that are no less protective than those in this Agreement
  • Zerodrift remains fully responsible for the performance of Sub-processors
  • Zerodrift shall maintain a list of authorised Sub-processors and provide notice of material changes

7. International Data Transfers

Zerodrift shall not transfer Personal Data outside the UK or EEA unless it ensures appropriate safeguards are in place, such as:

  • Standard Contractual Clauses
  • International Data Transfer Agreements
  • Other lawful transfer mechanisms recognised under Data Protection Laws

8. Audits and Compliance

Zerodrift shall make available information reasonably necessary to demonstrate compliance with this Agreement and allow for audits conducted by the Controller or its appointed auditor, subject to reasonable notice and confidentiality obligations.

9. Return or Deletion of Personal Data

Upon termination or expiry of the services, Zerodrift shall, at the Controller’s choice, return or delete all Personal Data, unless retention is required by law.

10. Liability

Liability arising under this Agreement shall be subject to the limitations of liability set out in the main services agreement between the parties, except where prohibited by Data Protection Laws.

11. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the United States.

12. Order of Precedence

In the event of a conflict between this Agreement and the main services agreement, this Agreement shall prevail with respect to data protection matters.

Schedule 1

Processing Details

  • Subject matter: Provision of Zerodrift’s services
  • Duration: For the term of the services agreement
  • Nature and purpose: Processing necessary to provide and support the services
  • Categories of data subjects: End users, customers, employees, contractors
  • Categories of Personal Data: Names, contact details, identifiers, usage data, and any other data submitted by the Controller

Schedule 2

Technical and Organisational Measures

  • Logical access controls
  • Data encryption in transit
  • Secure hosting environments
  • Regular vulnerability assessments
  • Incident response procedures
See It On Your Content

Bring an investor letter, email flow, or social post from your firm. We'll show you what gets flagged and fixed before send.

Book a 30 Minute Demo
30 MIN · NO PREP · YOUR DATA NEVER STORED