Version: May 1, 2026

Data Processing Agreement (DPA)

Between Zold Inc. ("Processor") and Zold Customer ("Controller")

⚠ This is a template document pending legal review. Contact our team for the executed version.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation or set of operations performed on Personal Data. "Controller" means the Zold customer that determines the purposes and means of processing Personal Data.

2. Scope and nature of processing

Zold processes Personal Data on behalf of the Controller solely for the purpose of providing the Platform services as specified in the Master Services Agreement. Zold shall not process Personal Data for any other purpose unless required by law.

3. Zold obligations (Processor)

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process the data are bound to confidentiality
  • Implement appropriate technical and organizational security measures
  • Respect the conditions for engaging sub-processors
  • Assist the Controller in responding to data subject requests
  • Delete or return all Personal Data upon termination of services
  • Make available to the Controller all information necessary to demonstrate compliance

4. Security measures

Zold implements the following technical and organizational measures: data encryption in transit (TLS 1.3) and at rest (AES-256); multi-tenant data isolation via PostgreSQL RLS; mandatory MFA for administrative roles; immutable audit logs for all operations; daily backups with PITR recovery.

5. Sub-processors

Zold uses the following sub-processors: Google Cloud Platform (compute and database infrastructure); Google Vertex AI (Gemini — natural language processing); Stripe (payment processing); SendGrid/Twilio (notification delivery); Sentry (error reporting). The Controller is notified 30 days before any change to the sub-processor list.

6. International data transfers

Egyptian tenant data is processed in us-central1 (Iowa, USA) with a me-central1 (Dammam, KSA) option for regional compliance. For UAE and KSA tenants, data residency in me-central1 is available from Q3 2026.

7. Data breach notification

Upon becoming aware of a Personal Data breach, Zold will notify the Controller within 72 hours of discovery. The notification will include: a description of the breach, categories of data affected, estimated individuals affected, and measures taken to mitigate.

8. Contact

For questions about this agreement or to request an executed copy, contact: privacy@zold.app