Data Processing Agreement
1. Definitions
In this DPA, the following terms have the meanings given in the GDPR (Regulation (EU) 2016/679):
- "Controller" means the customer using the Zentric Protocol API, who determines the purposes and means of processing personal data submitted through the API.
- "Processor" means Zentric Protocol, acting as a data processor on behalf of the Controller for the duration of each API call.
- "Processing" means any operation performed on personal data submitted to the /v1/analyze endpoint.
- "Personal Data" means any information relating to an identified or identifiable natural person contained in the text inputs submitted to the API.
- "Sub-processor" means any third party engaged by Zentric Protocol to assist in processing personal data.
2. Subject Matter and Duration
This DPA applies to the processing of personal data carried out by Zentric Protocol when the Controller submits text inputs to the API for prompt injection detection and PII analysis. Processing occurs for the duration of each individual API call. Input content is not retained beyond the time required to return a result (typically under 1 second).
This DPA remains in effect for the duration of the Controller's subscription and terminates automatically upon subscription cancellation or account closure.
3. Nature and Purpose of Processing
| Attribute | Details |
|---|---|
| Subject matter | Analysis of text inputs for prompt injection patterns and PII entities |
| Duration | Per-request (input content not stored after response is returned) |
| Nature | Automated analysis: pattern matching, entity recognition, report generation |
| Purpose | Returning a security verdict and GDPR Art. 30 audit record to the Controller |
| Types of personal data | Any PII present in submitted text: email addresses, phone numbers, national ID numbers (SSN, NIF, CPF, CURP), financial identifiers (IBAN, SWIFT), passport numbers, and other personal identifiers |
| Categories of data subjects | End users of the Controller's application whose data may be contained in submitted prompts |
4. Obligations of the Processor
Zentric Protocol, as Processor, commits to:
- Process personal data only on documented instructions from the Controller (i.e., the API call itself), unless required to do so by applicable law
- Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures as described in Section 7
- Not engage sub-processors without prior general or specific written authorisation from the Controller, and ensure sub-processors are bound by equivalent data protection obligations
- Assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, where technically feasible
- Assist the Controller in ensuring compliance with GDPR obligations regarding security, breach notification, data protection impact assessments, and prior consultation
- Delete or return all personal data upon termination of the service, and delete existing copies unless retention is required by applicable law
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an authorised auditor
5. Obligations of the Controller
The Controller warrants that:
- It has a valid legal basis under the GDPR for submitting personal data to the API
- It has provided appropriate notices to its data subjects regarding the use of third-party processors
- The instructions it provides to Zentric Protocol comply with applicable data protection law
- It is responsible for the overall security architecture of its application and does not rely solely on Zentric Protocol for data protection
6. Sub-processors
The Controller grants general authorisation for Zentric Protocol to engage the following sub-processors. Zentric Protocol will notify the Controller of any intended changes to sub-processors with reasonable notice, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database infrastructure: API key storage, usage metadata, audit logs | EU (eu-west-1) |
| Vercel | API gateway and edge infrastructure hosting | EU edge / global CDN |
| Stripe | Payment processing (paying customers only; no prompt content transmitted) | US / EU |
7. Security Measures
Zentric Protocol implements the following technical and organisational measures:
- Encryption in transit: All API communication is encrypted via TLS 1.2 or higher
- No persistent storage of prompt content: Input text is processed in memory and not written to any persistent store
- Hashed API keys: API keys are stored as SHA-256 hashes only; raw keys are never persisted
- Access controls: Database access is restricted to service-role credentials with row-level security policies
- EU-region primary infrastructure: Supabase database operates in eu-west-1
- Signed audit reports: Each response includes a SHA-256 signed report hash for tamper detection
8. Data Breach Notification
In the event of a personal data breach affecting data processed under this DPA, Zentric Protocol will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, to the extent that this is feasible. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
Breach notifications must be sent to: core@zentricprotocol.com. The Controller is responsible for notifying its supervisory authority and affected data subjects as required by applicable law.
9. International Data Transfers
Primary processing occurs within the EU. Where data may be transferred to sub-processors outside the EU/EEA (including Vercel's global CDN and Stripe's US infrastructure), Zentric Protocol ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission.
10. Audit Rights
The Controller may request, no more than once per calendar year, documentation demonstrating Zentric Protocol's compliance with this DPA. Requests for on-site audits or inspections must be made with at least 30 days' written notice and will be conducted at the Controller's expense. Zentric Protocol may satisfy audit requests by providing relevant third-party certifications or audit reports where available.
11. Termination and Data Deletion
Upon termination of the Controller's subscription, Zentric Protocol will delete all personal data processed under this DPA within 30 days, except usage metadata retained for legitimate business purposes (maximum 90 days as described in the Privacy Policy) and any data whose retention is required by applicable law.
The Controller may request confirmation of deletion by emailing privacy@zentricprotocol.com.
12. Governing Law
This DPA is governed by Spanish law and European Union data protection law, in particular the GDPR. Disputes arising from this DPA shall be subject to the jurisdiction of the competent courts of Spain.
13. Contact
For DPA-related inquiries or to request a countersigned PDF copy:
core@zentricprotocol.com
For privacy inquiries:
privacy@zentricprotocol.com